This is my 8th HTB box on my way to OSCP. Bashed is relatively easy machine. The enumeration was the key to resolve this machine. If you got the enumeration right, it would require less effort to solve this machine.
Nmap scan returned back with the following result.
Port 80 was the only port open, which means that port 80 should be vital in getting the initial foothold.
Accessed the Web Page.
Used Gobuster to perform a directory enumeration on the port 80 and the result came back as below.
As the scan was going on and providing results, i accessed them one by one to see what was inside the directories. I found this interesting directory named Dev where it had two PHP files. Clicking them gives us the access to a webshell !
Getting initial Foothold
What we have got was a low-privilege shell. We can stay in the same webshell and find a way to escalate privileges or get a reverse shell which is more stable and continue the attack.
I decided to get a reverse shell and carry out the attack.
Python is available, which means we can use the PentestMonkey Python reverse shell code to obtain a reverse shell.
Obtained a reverse shell and the first thing i did was to run Sudo -l
Running Sudo -l confirmed that www-data could switch into another user account named Scriptmanager.
Switched into Scriptmanager.
Scriptmanager had the full access to a python script which i believed it to the point to obtain a reverse shell.
Edited the python script as below.
It was again the python reverse shell from Pentestmonkey.
Opened a Netcat listener, executed the script and guess what? i got a reverse shell with root access.
Developer should never make a Webshell and directories publicly available. Dev directory that contained the PHP script was publicly available, that ultimately allowed us to get the initial foothold hence the developer should take this into consideration and never ignored the fact that directories would never reveal to the public since they are not directly linked to the main Webpage. The robust tools like Gobuster and Dirbuster are capable enough of finding hidden directories despite the fact the directories are not directly linked to main web page.
WWW-DATA(daemon user) shouldn’t be given the access to become a more privileged user (Script Manager). Non-root privilege users shouldn’t be given the permission to execute script as root, that could potentially lead to privilege escalation. These are known as security misconfigurations that should be given attention. The principle of least privileges and concept of separation of privileges should be strictly followed.
8 machines are down!