bashed was easy…yeah right
Let’s face it, there are two types of hackers. bashed is for all us noobs out there, rated easy. I know many still had problems with it. This box fooled me a couple of times, but I eventually got user and lucked into a privileged user. Root still eludes me, but it’s still available if I have time (I am tempted to watch Ippsec’s video, but I won’t until I do it).
Let’s get started
We start with the IP address of 10.10.10.68 and that’s it. My first step when I have the IP is to run nmap. When scanning with nmap, I typically always use the -A flag.
nmap 10.10.10.68 -A
That runs everything: the scripts, scanning every port, and checking the operating system. I’ve read that it can look suspicious to defenders if there are any watching. If you just want to know the open ports, you use -sT for a TCP connect scan, which is usually good enough for these challenges to find the open ports, and -O, which tries to figure out the operating system so you know which version of exploits to look up. It looks like this:
nmap 10.10.10.68 -sT -O
We found a port, lets go!
Port 80 happens to be open on this box, which means that we should be able to use our browser and open it up. I had Burp Suite running in the background, so I turned off interception and typed in the address. It brings up a web page that looks like a blog post from Arrexel. Since it is a web page, we can begin enumerating the web page.
There are a few ways to do it, but I’ve seen the greats like Derek Rook and Ippsec use gobuster. The -u means URL, and -w stands for wordlist. There are various wordlists built into a Kali Linux default install and you never know which one you are supposed to use for these challenges. What I like to do is use the ones in /usr/share/dirbuster/wordlists/ because the small and the medium typically do the trick for enumerating website folders.
gobuster -u http://10.10.10.68 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
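From the other side of that scan: a wordlist run like the one above shows up in the web server’s access log as one client producing a burst of requests for paths that do not exist. The following is an added example (not code from the post or from the gobuster project) that parses Apache combined-format log lines and flags any client that requests at least a threshold number of distinct 404 paths within a short window. The threshold, the window and the log lines are all constructed for this example.

```python
"""Detect gobuster-style directory brute forcing in Apache combined-format access logs.

Heuristic (an assumption of this example, not a rule from the post): one client
requesting many distinct paths that return 404 inside a short time window.
All log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window_seconds=60, threshold=20):
    """Return {ip: total distinct 404 paths} for every client that requested at least
    `threshold` distinct 404 paths within any `window_seconds`-long window."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                flagged[ip] = len({p for _, p in events})
                break
    return flagged


def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps 30 guessed directories in ten seconds,
    10.0.0.9 is an ordinary visitor with two stray 404s minutes apart."""
    guesses = ("admin backup config dev images js css old test tmp uploads php includes "
               "lib src data logs api cgi-bin private secret scripts static vendor assets "
               "db docs files media bin").split()
    lines = [
        f'10.0.0.5 - - [01/Mar/2018:12:00:{i // 3:02d} +0000] "GET /{w} HTTP/1.1" '
        f'404 209 "-" "Mozilla/5.0"'
        for i, w in enumerate(guesses)
    ]
    lines += [
        '10.0.0.9 - - [01/Mar/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 7743 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [01/Mar/2018:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [01/Mar/2018:12:05:00 +0000] "GET /old-post HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    ]
    return lines


if __name__ == "__main__":
    for ip, n in find_bruteforcers(build_sample_log()).items():
        print(f"{ip}: {n} distinct missing paths, likely directory brute force")
```

On the sample log only 10.0.0.5 is reported; the visitor with two 404s five minutes apart is not. A real deployment would tune window and threshold to the site’s normal 404 rate and would want to count distinct paths rather than raw requests, since a legitimate client retrying one broken link looks very different from a wordlist sweep.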
Ok, what now?
Since that can run a few minutes, I went to check out what was on the blog by Arrexel. It’s a story about phpbash, which is a tool he developed to create a bash shell inside of a web page using PHP. This makes it convenient when doing web penetration tests because sometimes a shell is all you need to enumerate. The blog post mentions how he used this web page to develop the tool, and links his GitHub. I went there and downloaded the tool, ready to try and use it. My gobuster was still running at this point, so I moved onward. I check for the robots.txt file on every web page I see in a challenge; they sometimes contain valuable information like administrator username/password combinations, the directories that are important to the developer, or sometimes even a flag hash for the box.
This isn’t working well
This is the part where I messed up and spent weeks trying to get through bashed. I thought the blog post was telling us that we were supposed to try to upload it to the website, and completely missed out on an important clue. Initially, I tried simply using the uploads page and putting the phpbash.php file there, and it wouldn’t load it. I then tried to rename it to phpbash.php.something or phpbash.something.php, because some sites have filters set up that block the extensions they don’t want instead of just allowing the extensions they do want. I tried this a few times with each file name, each time not getting an error message, but the file did not appear in the /uploads page on the website.
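The filter distinction in that paragraph (block the extensions you don’t want versus allow only the ones you do) is the whole security point, so here is an added example of the two approaches side by side. It is not code from the post or from the box’s upload page; the function names, extension sets and sample file names are this example’s own.

```python
"""Upload-name filtering: an extension denylist next to an allowlist.

denylist_accepts() mirrors the kind of filter the post describes (reject the
extensions you do not want); allowlist_accepts() admits only the extensions you
do want and refuses any name with more than one dotted segment. The file names
and extension sets are constructed for this example.
"""
import os
import re

BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt"}
# plain stem: letters, digits, underscore, hyphen; no dots, no path separators
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def denylist_accepts(filename):
    """Weak check: compares only the final extension against the blocklist."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename):
    """Strict check: exactly <stem>.<ext>, plain stem, extension on the allowlist."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2:
        return False  # no extension, or a double extension such as x.jpg.php / x.php.bak
    stem, ext = parts
    return bool(STEM_RE.match(stem)) and "." + ext.lower() in ALLOWED_EXTENSIONS


def audit(filenames):
    """Return [(name, denylist_result, allowlist_result)] for a batch of upload names."""
    return [(n, denylist_accepts(n), allowlist_accepts(n)) for n in filenames]


if __name__ == "__main__":
    samples = ["photo.jpg", "phpbash.php", "phpbash.PHP", "phpbash.php.bak",
               "phpbash.jpg.php", "shell.php5", ".htaccess"]
    for name, deny, allow in audit(samples):
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:18} denylist={verdict(deny):6}  allowlist={verdict(allow)}")
```

The denylist lets phpbash.php.bak and shell.php5 through, which is exactly why the “block what you don’t want” approach is fragile: on Apache, mod_mime looks at every extension in a name, so a check on the final extension alone is not a reliable guard. The allowlist rejects both, and a real handler should also choose the stored file name itself rather than reuse the client’s.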
I went to the forums
HTB has great forums where people will give hints (other than “try harder”, “enumerate harder”, etc.), but Arrexel actually posted the best hint ever. In the blog post, he alluded to using this web page to develop the tool, and in the forum post, he said he came up with the idea for the box when he accidentally left a copy of his program on the server he developed it on.
For some reason, I went back to gobuster and ran it again and saw that /dev was on the site. Putting two and two together (he used this site to develop it, and there was a /dev), I went to the website and typed into my browser
and found the copy of phpbash already on the server.
I clicked on the file, and popped my first shell!
Got shell, now what?
Having shell access, I actually did not know what to do next. This was my first box on Hack The Box, and I wasn’t sure what the structure was. The blog post shows the phpbash shell window open and a readout for cat /etc/passwd. I typed that in and found all the users on the box; there was a root, an arrexel, a scriptmanager, and other standard service accounts.
I figured that the user had to be arrexel, so I typed cd /home/arrexel, then typed ls to find the user.txt file. If you are not familiar with Linux, cat allows you to read a file without editing it, and cd means change directory to the folder listed. A simple cat user.txt and I had owned the user on the box.