• Target: 10.10.10.68
• Goal: Root access

Port Scanning

nmap -p- -A 10.10.10.68

[screenshot: nmap port scan]

• Port 80/tcp: Apache httpd 2.4.18

Enumeration

Directory scan using gobuster

gobuster -u http://10.10.10.68/ -w common.txt -s "200,204,301,302,307,401,403" -x "txt,html,php,jsp"
[screenshot: gobuster directory scan]

First I browse around the website and follow the links. This does not turn up anything of interest.

[screenshot: website]

Then I check the folders found by gobuster and notice a couple of interesting files (phpbash.php and phpbash.min.php) in the /dev folder.

[screenshot: /dev folder listing]

Clicking on phpbash.php brings up a web version of a bash shell.

[screenshot: phpbash web shell]

Nice. This allows you to execute commands as user www-data. With this capability, I quickly find that the /uploads directory is world-writable.

Exploitation

I am going to upload a PHP reverse shell to the /uploads folder and then run it through the browser. So I make a copy of the reverse shell, update the IP address and port number, and then set up a web server to serve the file.

[screenshot: reverse shell served for download]

Now set up a Netcat listener:

nc -lp 4000

Upload the shell file to the target system's /uploads folder.

[screenshot: uploading the shell file]

Browse to the reverse shell page at http://10.10.10.68/uploads/p.php.

[screenshot: limited shell]

This gives a limited shell as user www-data. Pretty straightforward.

Privilege Escalation

sudo -l reveals that I can run commands through sudo as user scriptmanager.

With this sudo ability I can get a bash shell as user scriptmanager, but searching around the system as that user does not turn up any additional useful information. After searching without success for quite a while, I turn to see if there are any kernel exploits.

Checking the OS version shows that it's Linux 4.4.0-62-generic, 64-bit.

[screenshot: Linux kernel version]

searchsploit kernel 4.4

This brings up a few possible exploits. I try a few of them; they either don't work or give a root shell that crashes the system soon after. Then I try exploit 44298.c.

[screenshot: searchsploit result for exploit 44298]

Since the target system is 64-bit, I use the -m64 flag to compile the file. Then I upload it to the system and try it:

[screenshot: root shell]

This one worked great. I received a root shell.

Capture the Flag

Check out user arrexel's home directory for the user flag and root's home directory for the root flag.

[screenshot: user flag]

[screenshot: root flag]

That’s it.

Afterword

I usually read others' walkthroughs/writeups after I finish a box to learn the things I missed. I found that others obtain root access through the /scripts folder as user scriptmanager.

I actually did become scriptmanager using the sudo command and looked at the /scripts folder for a while. However, when I looked at the test.txt file, the timestamp showed it was updated about 3 hours ago. So I thought there must be another member working on the system and poking around the script, and I didn't realize it was a cron job running it and that the time difference was actually due to the time zone. lol

That /scripts folder definitely was suspicious. I should be more careful and pay more attention to out-of-place stuff. ;p
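Added here as a defender-side check, not part of the original writeup: a small POSIX shell audit for the two conditions this box turned on, the world-writable /uploads directory under the web root (Exploitation above) and a cron job that runs a script other users can edit (the /scripts folder just described). The crontab layout, script names and sandbox paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added defender-side audit for the two weaknesses this box turns on:
#   1. a world-writable directory under the web root (/uploads on the box), and
#   2. a scheduled job whose script other users can modify (the /scripts cron job).
# All paths below are assumptions for the demo, not taken from the box.

# Print every directory under $1 with the world-write bit (o+w) set.
# The test is on permission bits, so it gives the same answer whether the
# audit runs as root or as an unprivileged user.
world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# Read a system-crontab-format file $1 (schedule, user, command) and print
# "<path> <user>" for every absolute path in the command field that is
# writable by group or others. A root-run job on such a path lets anyone
# who can edit the file run code as root on the next tick.
loosely_writable_cron_targets() {
    awk '!/^[[:space:]]*#/ && NF >= 7 {
        for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i, $6
    }' "$1" | while read -r path user; do
        [ -e "$path" ] || continue
        # -H resolves a symlinked path (e.g. /bin/sh); -prune stops descent into dirs
        if [ -n "$(find -H "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$path $user"
        fi
    done
}

# Demo on a constructed sandbox (temp directory), not the box's real filesystem.
demo() {
    box=$(mktemp -d)
    mkdir -p "$box/www/uploads" "$box/scripts"
    chmod 0755 "$box/www" && chmod 0777 "$box/www/uploads"
    printf '#!/bin/sh\necho test\n' > "$box/scripts/test.sh"
    chmod 0777 "$box/scripts/test.sh"
    printf '# m h dom mon dow user command\n* * * * * root /bin/sh %s/scripts/test.sh\n' \
        "$box" > "$box/crontab"
    echo "world-writable dirs under web root:"
    world_writable_dirs "$box/www"
    echo "cron targets writable by group or others:"
    loosely_writable_cron_targets "$box/crontab"
    rm -rf "$box"
}

demo
```

On a real host, point world_writable_dirs at the Apache DocumentRoot and loosely_writable_cron_targets at /etc/crontab and the files under /etc/cron.d.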

Thank you author Arrexel for the box Bashed.
