Bashed
Nmap
Over on port 80 the root page directs us to Arrexel's development site, which appears to be a blog. The first post mentions a webshell called phpbash.
Following the post, we find some further information on phpbash together with a link to its GitHub repository.
Running dirsearch.py against the web server with the big.txt wordlist from SecLists, we find the /dev/ directory.
Browsing to the directory we see an index page listing the phpbash.php shell mentioned earlier.
Clicking phpbash.php takes us to the webshell, which runs commands with the privileges of the web server account.
Next, we want a proper reverse shell rather than working through the webshell. Checking with the which python command confirmed that Python is installed on the target.
I then started a netcat listener on my attacking machine and ran a Python reverse-shell one-liner, pointed at that listener, from the webshell.
From here, running sudo -l to check our sudo permissions shows that we can run any command as the user 'scriptmanager' without providing a password.
Running bash through sudo -u scriptmanager therefore spawns a shell as the user scriptmanager.
From here I noticed the non-default 'scripts' folder in '/', which contains two files: test.py and test.txt.
Viewing their contents, it looks like test.py, when executed, creates test.txt and writes 'testing 123!' to it. (Checking who owns test.txt with ls -l is a quick way to tell which account has been running test.py.)
Provided test.py is being executed with elevated privileges, we can replace its contents with a Python reverse shell, since we are the owner of the file. To confirm that it is being run by a cron job, I uploaded pspy64 to the target system.
After uploading the binary and setting the executable permission, I ran pspy64 and was presented with the following:
We see that a process runs at a regular interval as root and executes every file ending in .py in that directory, so any writable .py file there is a path to root. Because we own test.py, I simply overwrote its contents with a Python reverse shell (echoing the payload into the file).
I then started a listener on port 53 on my attacking machine and soon after caught a root shell.