https://www.hackthebox.com/machines/Bashed

OS: Ubuntu

10.129.186.17

Credentials:

UsernamePassword

nmap results:

80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
|_http-title: Arrexel's Development Site   
| http-methods:                      
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Device type: general purpose         
Running: Linux 3.X|4.X 
OS CPE: cpe:/o:linux:linux_kernel:3 cpe

Attack + Enum Vectors: (Ports, etc.)

  • TCP 80: HTTP

Web Service Enum:

Gobuster / wfuzz

after enuming with gobuster: we found a /dev directory with web shell

http://10.129.186.17/dev/phpbash.min.php

and

http://10.129.186.17/dev/phpbash.php

Initial Foothold

http://10.129.186.17/dev/phpbash.php

then uploaded a php reverse shell on /uploads directory then we visited that on browser and caught a shell now we try to privilege escalate


Priv Esc

First we transfer pspy64 to target: we found a cron job running the python script under scripts file

we first lateral move to scriptmanager using

sudo -u scriptmanager bash -i

then we make a reverse shell python script and place it in scripts directory. which will be executed by root every minute; then set up listener

sudo nc -lvnp 80

we got root

Therefore, pwn’d