Bashed — HTB Walkthrough
Web shells: dangerous if they are allowed to be deployed.
ENUMERATION
Nmap scan
Googling the name of the site, we see that Arrexel's phpbash is a web shell: phpbash.php or phpminbash.php is uploaded to the server and, when opened in a JavaScript-enabled browser, gives you a shell.
The site itself says the same.
So I first went to http://10.10.10.68/uploads/phpbash.php, but it was not there.
So I decided to do a quick DirBuster scan.
Browsing the discovered directories shows that /dev holds the shells.
Visiting phpbash.php, I got the shell.
PRIVILEGE ESCALATION
Running sudo -l, we see that we can run commands as scriptmanager.
Two privilege escalation approaches were possible:
1) Run sudo -u scriptmanager bash and see if you get a spawned shell. NOPE, we don't. So:
2) Find a file owned by scriptmanager that gets executed, and use that.
In the root of the filesystem there is a separate scripts folder.
As www-data we cannot enter scripts, so we use the scriptmanager sudo access to list its contents.
Looking at what test.py does: it opens test.txt and writes testing123!! to it.
We cannot modify test.txt, because it is owned by root. But if test.txt is owned by root, then the script that writes it, test.py, must be executed by root at some point.
So let's modify test.py so that, when root runs it to write test.txt, it gives us a reverse shell too.
First, give the scripts directory full permissions so you can enter it and list its contents easily.
Now execute the following commands one by one.
Then cat test.py to confirm it contains the right code.
Now keep a netcat listener on port 1234 on your machine; whenever root executes test.py, you will get a shell. I got one in 20 seconds.
POST EXPLOITATION
We see there is a hidden cron job for root that executes test.py.
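That cron job is the root cause of the box: root periodically runs a script that a lower-privileged user owns and can rewrite. The audit below is an added example written from the defender's side, not code from the writeup; it parses crontab lines, pulls out the script paths and flags any file, or containing directory, that a non-root user could change. The crontab lines and the world-writable test.py fixture are constructed.

```python
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r"(?<!\S)/[^\s;&|<>]+")  # absolute paths up to a shell separator

def cron_command_paths(line):
    """Absolute paths named by one crontab line. Comments and SHELL=... assignments
    yield nothing; text after the first '>' (log redirection) is not audited."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return []
    return PATH_RE.findall(line.split(">")[0])

def modifiable_by_non_root(path):
    """Reason string if a non-root user can change or replace the file, else None."""
    st = os.stat(path)
    if st.st_uid != 0:
        return "file owned by uid %d, not root" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "file is world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "file is writable by non-root group gid %d" % st.st_gid
    # The directory matters too: on Bashed, /scripts itself belonged to
    # scriptmanager, so even a root-owned test.py could have been swapped out.
    d = os.stat(os.path.dirname(path) or "/")
    if d.st_uid != 0:
        return "directory owned by uid %d, not root (file replaceable)" % d.st_uid
    if d.st_mode & stat.S_IWOTH and not d.st_mode & stat.S_ISVTX:
        return "directory is world-writable without sticky bit"
    return None

def audit_crontab(lines):
    """(path, reason) pairs for every existing script a non-root user could alter."""
    checks = ((p, modifiable_by_non_root(p)) for line in lines
              for p in cron_command_paths(line) if os.path.isfile(p))
    return [(p, why) for p, why in checks if why]

def make_demo_script():
    """Constructed fixture: a world-writable test.py in a fresh temp dir."""
    script = os.path.join(tempfile.mkdtemp(), "test.py")
    open(script, "w").write("open('test.txt', 'w').write('testing123!!')\n")
    os.chmod(script, 0o666)
    return script

if __name__ == "__main__":
    print(audit_crontab(["SHELL=/bin/sh", "* * * * * root python " + make_demo_script()]))
```

On a real host, feed it the lines of /etc/crontab, /etc/cron.d/* and root's own crontab; anything it reports is a candidate for the same rewrite-and-wait escalation used here.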
ROOTED !!!