Got user on bashed, now what?
Rooting bashed requires attention to detail. When I first started with this box I didn’t have a single idea of what to do. I realized that the basic shell provided by phpbash did not allow advanced features and a reverse shell was needed. The first step to getting a reverse shell is to know your IP address on the hack the box network.
I have never done a reverse shell before, so I did a simple google search for reverse shells. Pentestmonkey’s site was the third on the google page, and was entitled Reverse Shell Cheat Sheet. It has a list of reverse shell’s using netcat, python, ruby, bash, perl, java, and php. I tried the netcat on bashed but it did not work, so i tried the python one and it did work.
First you enter this into your attack machine to listen:
Than you enter this into the shell on your target machine:
Here is the result
Enumeration, enumeration, enumeration
I found g0tmi1ks privesc and ran through the steps. Normally for challenges it is very important to gather information about the box like the operating system when I got down to ps aux I got interesting results. I saw other people trying to root the box and running various commands as the www-data and the scriptmanager users. The ps aux command is used to output the full command line input for each process that is running or has run on the machine. This is what I used at first to get further in this box.
Analysis of initial information
Www-data user is the login you get the phpbash shell on initially. Scriptmanager is the privileged user account for running all the scripts in the /scripts folder. I check to see if a root.txt file existed and it did but permission was denied to do anything with it. In a simpler challenge, one might just have to get the reverse she’ll and cat the root.txt file but not here.
Goal in site: escalate privileges
My mind was made up, I should next gain access as scriptmanager. I completely missed the fact that if I typed sudo -l as www-data, it had access to run commands as scriptmanager. To use this you just type
sudo -u scriptmanager
I didn’t know this when I initially tried the box but I found a command using ps aux that someone else ran.
sh -c cd /var/www/html/uploads; sudo -u scriptmanager find / -exec bash -i \; 2>&1
This basically says run this as scriptmanager and put the output to devnull. I don’t think the first part is necessary for it to work but I haven’t had the time to try it since I started writing (there’s been about a week between when I tok the pictures and when I wrote this). Since www-data can sudo as scriptmanager, this just opens a shell as scriptmanager to avoid having to type sudo everytime.
Now that we got that out of the way
The importance of the scriptmanager is the /scripts folder because it as the only other user on the machine, and it was the only user with access (other than root) to this folder. Since bashed is a capture-the-flag box, I figured to look there first assuming it was a clue. To find out what is there, we do the following:
ls -als /scripts
This command lists the files there, who owns them and what permissions are set for. There are two files there, test.py and test.txt. scriptmanager runs the test.py file bit test.txt is owned by root. However, the commands within test.py call test.txt and run it and how it is able to do that I wasn’t sure about.
I think it’s OK to ask for help
I asked around the small circle of people I know for help. When starting out I think it is very important to be able to find people who are able to help you out and be able to ask for help when you need it. I was clear, I didn’t want the answer, just a nudge in the right direction. @The4rchangel offered me this advice: check the timing. At first I had no idea what he meant by timing, but then I thought about cron.
Automating tasks in Linux
This is very important, real-world stuff. Cron makes administration of Linux systems so much easier because it automates tasks like checking for updates and installing them, running scans for file corruption, or Antivirus scans. This particular box has a cron job to look in the /scripts folder and run any file with .py extension in it. In the real world a lazy administrator might write many python scripts to perform maintenance tasks and put them in a folder and then.run one cron job to run the maintenance tasks instead of running a cron job for each task. Cron runs as root, so the scripts rum with root permissions. This is the point of attack.
Many ways to do it
We know a python script will be run by cron in this folder every minute. We know the file /root/root.txt has the flag we need. Now we need to program a script to somehow copy that file to one that we can access with scriptmanager. The test.py file kind of shows you how call another file that you can script in any language you are comfortable with to copy the data, or if you know python you can just do it in python. I wanted to try it in python first since it was new to me.
f = open (“/tmp/try”, “w”) – this opens a new file i wanted to create in the tmp directory because I had access to the temp directory. You can literally put it /anywhere and call it anything you want. the w is important though because that tells the script to write everything that comes after to the file.
flag = open(“/root/root.txt”, “r”) – this is where we use the root permissions of cron to open and read the root.txt, and couple with the above command it then writes the flag into the file you created
flag_text = flag.read() – this executes the above command to read
f.write(flag_text) – this executes the above command to write
f.close() – this closes the script portion
flag.close() – this closes this script portion
Before bashed, I have never truly looked at python but have done some bash and powershell scripting, and have done a little html and c++ so i’m familiar with design and flow of scripts. I used google to find out how to copy text from one file to another from this website and experimentation.
Bashed was my first box on htb and I learned so much from doing it. Proper information gathering can save you hours of wasted time chasing down the wrong vulnerability. There can be multiple ways to get the answer, so if what I’m currently trying isn’t working, try something else. All the little things matter, like checking sudo or file permissions, automated server tasks like cron jobs and reading the data in the files at hand to see if they can be exploited. This box was setup to be easy and from the beginning because arexxel tells you what to do: left the phpbash on there, the user had scriptmanager sudo permissions, scriptmanager had only permissions lower than root to run scripts and has scripts in the folder with big hints as to what to do. Bashed was fun and I can’t wait to do more.