{"id":5376,"date":"2018-12-11T04:21:17","date_gmt":"2018-12-11T04:21:17","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=5376"},"modified":"2018-12-11T04:32:56","modified_gmt":"2018-12-11T04:32:56","slug":"pop-the-box-ls-blog","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/12\/11\/pop-the-box-ls-blog\/","title":{"rendered":"Pop the Box \u2013 ls \/blog"},"content":{"rendered":"

Let[s] talk<\/a> a little about this box. In this HTB machine we will see only one port is open and that will be the http one , we will fireup the dirbuster to find the different files and directories inside that website. We will came to know about the phpbash file from where we will be getting code execution. After getting the ever shell we will enumerate<\/a> more and will be able to find the way to escalate the privileges and became root. This time I have made two video[s] the first one will be on getting our first reverse shell<\/a> on the box and the second one will be on how we will be able to escalate the privileges. Hope you guys will enjoy it. In last but not the least I have uploaded some file[s] from which you will be able to learn about bash<\/a> scripting<\/a>, python<\/a> and you will learn about the cronjob working.<\/p>\n

TenTen BOX WALKTHROUGH<\/p>\n

About this machine<\/h3>\n
    \n
  1. Machine Name: Bashed<\/li>\n
  2. Machine Architecture : Linux<\/a><\/li>\n
  3. Machine creator: Arrexel<\/li>\n
  4. IP address<\/a>: 10.10.10.68<\/li>\n
  5. User<\/a> owned: 6334<\/li>\n
  6. User rooted: 4218<\/li>\n
  7. Points: 20<\/li>\n<\/ol>\n

    \"\"<\/p>\n

    Pre-requestie[s]<\/h3>\n
      \n
    1. As always you must have the hackers<\/a> mindset to approach different vulnerabilities<\/a>,<\/li>\n
    2. This time you need some little bit knowledge<\/a> about bash and python.<\/li>\n
    3. You must know how to<\/a> use dirbuster or any other tool<\/a> for finding different folders and file.<\/li>\n
    4. You must know how to use NMAP<\/a> for scanning<\/a> port\u2019s.<\/li>\n
    5. If you know bash then it will be plus point.<\/li>\n
    6. Different approaches<\/li>\n
    7. Try Harder mind set<\/li>\n<\/ol>\n

      [Disclaimer : That\u2019s all you need, Now let\u2019s try to Pentest<\/a> this machine.]<\/p>\n

      Enumeration Part<\/p>\n

      -Nmap Scan<\/h4>\n

      So, first we need to scan<\/a> for the open ports. Let\u2019s do it.<\/p>\n

      We will use nmap\u2019s 3 option\u2019s \u201ci.e -sS , -sV and -sC\u201d. You must be wondering what are these. Actually these are nothing they are just a scanning options. I really want you all to read the man page of nmap from there you can understand what are these options used for. Let me just point them out simply.<\/p>\n

        \n
      1. -sS: For scanning TCP<\/a> SYN. You need to the root privilege<\/a> also to use option, I believe.<\/li>\n
      2. -sV: For scan for open ports<\/a> to determine there services<\/a> and version informations.<\/li>\n
      3. -sC: It is used for using the default nse nmap script. To know what are NSE<\/a> script<\/a> read this article. [Chapter 9. Nmap Scripting Engine<\/a>] Just read about it and you will understand.<\/li>\n
      4. -Pn: This option will treat all hosts as online, no matter what. This is a good practice to use it to bypass filtration something.<\/li>\n<\/ol>\n

        \"\"<\/p>\n

        Hyperledger Fabric Fundamentals (LFD271)$299<\/a><\/p>\n

        The scan is completed as you can see in the above screenshot. So as you all can see only the port 80 is open.<\/p>\n

        -Understanding Nmap output<\/h4>\n

        So we have only two open port[s] now let\u2019s try to understand the output.<\/p>\n

        #1<\/p>\n

        Port: 80<\/p>\n

        State:Open<\/p>\n

        Service: http<\/p>\n

        Version: Apache<\/a> httpd 2.4.18<\/p>\n

        Let[s] check what it is really looking like.<\/p>\n

        \"\"<\/p>\n

        It seems like it[s] working perfectly. Anyways let[s] start enumerating the box.<\/p>\n

        $299 WILL ENROLL YOU IN OUR SELF PACED COURSE \u2013 LFS205 \u2013 ADMINISTERING LINUX ON AZURE!<\/a><\/p>\n

        Low Level Exploitation<\/h4>\n

        The very first thing that I always used do is to check the source page and the robots.txt file.<\/p>\n

        So here it is ,<\/p>\n

        \"\"\"\"<\/p>\n

        I don\u2019t know if you are able to see it or not but there is nothing interesting here.<\/p>\n

        So, let[s] start our favorite dirbuster for finding the directory. If you don\u2019t know what it is then let me tell you.<\/p>\n

        Dirbuster:- It is a java tool<\/a> that is designed to brute force<\/a> the directory and the webpages in the website[s]. It is OWASP<\/a> Project<\/a>you can read more about it \u201cHere<\/a>\u201d. Let[s] start it:-<\/p>\n

        \"\"<\/p>\n

        In target URL option you need to define the address of the website here in our case it is 10.10.10.48, in Number of threads I have increased it to 54 to speed up the process<\/a> and under wordlist option you need to specify the directory list. I used the one that the dirbuster come[s] with medium one. Give the file extension according to your need, the php is just fine for me here. Let\u2019s start our DirBuster.<\/p>\n

        \"\"<\/p>\n

        So as you can see we got too many folder[s] and some php files. So, I have just export the result in text file. Here it is:<\/p>\n

        DirBuster 1.0-RC1 \u2013 Report<\/p>\n

        http:\/\/www.owasp.org\/index.php\/Category:OWASP_DirBuster_Project<\/a>Report produced on Mon Apr 30 02:48:56 EDT 2018<\/p>\n

        \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013<\/p>\n

        http:\/\/10.10.10.68:80<\/a>\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013<\/p>\n

        Directories found during testing<\/a>:
        \nDirs found with a 200 response:<\/p>\n

        \/images\/
        \n\/uploads\/
        \n\/js\/
        \n\/php\/
        \n\/demo-images\/
        \n\/css\/
        \n\/dev\/
        \nDirs found with a 403 response:
        \n\/icons\/
        \n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013
        \nFiles found during testing:
        \nFiles found with a 200 responce:
        \n\/index.html
        \n\/single.html
        \n\/js\/jquery.js
        \n\/js\/imagesloaded.pkgd.js
        \n\/js\/jquery.nicescroll.min.js
        \n\/js\/jquery.smartmenus.min.js
        \n\/js\/custom_google_map_style.js
        \n\/js\/html5.js
        \n\/php\/sendMail.php
        \n\/js\/jquery.mousewheel.min.js
        \n\/js\/jquery.carouFredSel-6.0.0-packed.js
        \n\/js\/jquery.easing.1.3.js
        \n\/js\/jquery.touchSwipe.min.js
        \n\/js\/main.js
        \n\/css\/carouFredSel.css
        \n\/css\/clear.css
        \n\/css\/common.css
        \n\/css\/font-awesome.min.css
        \n\/css\/sm-clean.css
        \n\/dev\/phpbash.min.php
        \n\/dev\/phpbash.php
        \n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013<\/p>\n

        REGISTER TODAY FOR YOUR KUBERNETES FOR DEVELOPERS (LFD259) COURSE AND CKAD CERTIFICATION TODAY! $499!<\/a><\/p>\n

        Let[s] check that php directory.<\/p>\n

        \"\"<\/p>\n

        Their is one \u201csendMail.php\u201d php file. Let[s] check \/dev directory now.<\/p>\n

        \"\"<\/p>\n

        Okay so here are also some directory. Let[s] try to open phpbash.php<\/p>\n

        \"\"<\/p>\n

        Okay so it is looking like a terminal using bash. So, now we can execute the commands.<\/p>\n

        \"\"<\/p>\n

        Amazing let[s] try to get the reverse shell on this box.<\/p>\n

        Now we finally got our first low fruit reverse shell on this machine.<\/p>\n

        \"\"<\/p>\n

        SO, finally we got our low fruit privilege on this box.<\/p>\n

        $299 REGISTERS YOU FOR OUR NEWEST SELF PACED COURSE! LFD201 \u2013 INTRODUCTION TO OPEN SOURCE DEVELOPMENT, GIT, AND LINUX!<\/a><\/p>\n

        Privilege Escalation<\/h4>\n

        So now we need to escalate the privileges to become \u201croot\u201d. In this box I will be going to show you three different methods of privilege escalation<\/a> on this machine.<\/p>\n

        First let\u2019s start our enumeration manually first then we will upload some scripts<\/a> to check other stuffs. Let\u2019s start with checking Distribution<\/a> type by command \u201c cat \/etc\/issue<\/em> \u201c<\/p>\n

        www-data@bashed:\/home\/arrexel$ cat \/etc\/issue Ubuntu<\/a> 16.04.2 LTS n l<\/p>\n

        Okay so this is Ubuntu box running version Ubuntu 9.10, Great. Now let\u2019s check what files have root<\/a> privileges which we can probably read, write and execute by the command.<\/p>\n

        www-data@bashed:\/home\/arrexel$ find \/ -perm -222 -type d 2>\/dev\/null
        \n\/var\/www\/html\/uploads
        \n\/var\/tmp
        \n\/var\/lib\/php\/sessions
        \n\/run\/lock
        \n\/tmp
        \n\/tmp\/.Test-unix
        \n\/tmp\/.font-unix
        \n\/tmp\/.XIM-unix
        \n\/tmp\/VMwareDnD
        \n\/tmp\/.ICE-unix
        \n\/tmp\/.X11-unix
        \n\/dev\/mqueue
        \n\/dev\/shm
        \nwww-data@bashed:\/home\/arrexel$ find \/ -perm -4000 2>\/dev\/null
        \n\/bin\/mount
        \n\/bin\/fusermount
        \n\/bin\/su
        \n\/bin\/umount
        \n\/bin\/ping6
        \n\/bin\/ntfs-3g
        \n\/bin\/ping
        \n\/usr\/bin\/chsh
        \n\/usr\/bin\/newgrp
        \n\/usr\/bin\/sudo
        \n\/usr\/bin\/chfn
        \n\/usr\/bin\/passwd
        \n\/usr\/bin\/gpasswd
        \n\/usr\/bin\/vmware-user-suid-wrapper
        \n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper
        \n\/usr\/lib\/eject\/dmcrypt-get-device
        \n\/usr\/lib\/openssh\/ssh-keysign<\/p>\n

        Nothing seems interesting here. So now let[s] try \u201csudo -l\u201d to list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy<\/a> supports a verbose output format.<\/p>\n

        \"\"<\/p>\n

        So, we can sudo<\/a> to scriptmanager user without any password. Let[s] do it.<\/p>\n

        \"\"<\/p>\n

        Amazing now we are no longer www-data , Let[s] start our enumeration from the root directory now \u201c \/ \u201c<\/p>\n

        \"\"<\/p>\n

        If you are having Linux as your primary operating system<\/a> then you will notice \u201c\/scripts\u201d directory is something suspicious. Which do not come with Linux by default. SO, lets check what are the files and directories inside that folder.<\/p>\n

        \"\"<\/p>\n

        We are having two files : test.py and test.txt . Let[s] check what is written in test.py<\/p>\n

        \"\"<\/p>\n

        Okay so it is a simple python script<\/a> which is opening the file test.txt in writing<\/a> mode and writing \u201ctesting 123!\u201d inside that test.txt file. After writing it is closing that file. If you will see the above screenshot<\/a> again you will see test.txt was created 00:42 minute ago. Means maybe cron job<\/a> is running every minute.<\/p>\n

        \"\"<\/p>\n

        Here is the proof that it is running every minute. Now we know that whatever is inside test.py it will be executed as root. So, now we can re-write the test.py and enter our python reverse shell.<\/p>\n

        Amazing we finally escalated the privileges<\/p>\n

        \"\"<\/p>\n

        .Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

        Let[s] talk a little about this box. In this HTB machine we will see only one port is open and that will be the http one , we will fireup the dirbuster to find the different files and directories inside that website. We will came to know about the phpbash file from where we will … <\/p>\n

        Continue reading “Pop the Box \u2013 ls \/blog”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5376","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/5376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=5376"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/5376\/revisions"}],"predecessor-version":[{"id":5378,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/5376\/revisions\/5378"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=5376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=5376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=5376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}