BASHED — OSCP LIKE HTB Machine

Let’s start with our first step:

Open port enumeration using a basic nmap scan.

From the nmap scan we can see there is only one port open, i.e. port 80.

Let’s do a directory brute force using dirb:

From the dirb result we come across the /dev and /uploads directories; let’s see what’s there using a web browser.

We try to access the PHP pages and see what’s there.

phpbash.php is a webshell which gives us an “arrexel” user-level shell, and by traversing the directories we can get the user flag.

Now we are going to upload a PHP shell to this machine using the wget command; we will host that shell from our local machine using Python’s SimpleHTTPServer.

The command to host a directory using Python is as follows:

python -m SimpleHTTPServer <PORT> (by default the port is 8000; SimpleHTTPServer is the Python 2 module, the Python 3 equivalent is python3 -m http.server <PORT>)

Now, from the earlier webshell, we will wget the new shell from our machine onto the victim’s machine.

We will modify the port in the reverse shell and use netcat to listen on that specific port (1234 in my case), as set in the edited shell shown in the screenshot.

Now we will try to access the uploaded shell from the browser.

Bingo, we got the shell, but it is a low-privilege www-data shell; we need privilege escalation to get the root flag.

First we need to upgrade this shell to a fully interactive shell, as shown in the screenshot:

Cool. Now let’s check for privilege escalation.

From the screenshot it can be seen that the user “scriptmanager” can run the commands shown there.

Traversing the directories, we found one folder, “scripts”, owned by the user scriptmanager.

Let’s have a look at what’s inside it.

So there are two files: test.py and test.txt.

Upon reading the contents of test.py, we can see that it writes a text file, test.txt, with “testing 123!” inside it.

Let’s try to run the Python script test.py from here and see what we get:

We don’t have permission to access test.txt.

Let’s see who owns test.txt.

Now we will start a Python web server on our local machine to host a Python reverse shell, wget it into the compromised machine, and then try to run the script.

Create a Python server on your attacker machine to host the directory that contains the Python reverse shell.

command: python -m SimpleHTTPServer <PORT> (by default the port is 8000)

We have used port 9999.

Since the scripts directory on the victim machine already contains a test.py, our downloaded file is automatically saved as test.py.1.

So we move test.py.1 over test.py.

Let’s run this test.py script, but before that we set up a netcat listener to receive the reverse shell.

The listener is ready to receive any connection coming to port 3344.

Now we run the test.py Python reverse shell that we uploaded with wget and see what happens next: will it send the reverse TCP connection or not?

After running the script we receive a reverse TCP connection on our machine, as can be seen in the screenshot.

Bingo, we’re the root user now; we can traverse the directories to capture the root flag.
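The escalation works because a script that evidently ends up executing with root privileges lives in a directory owned by a lower-privileged account (scriptmanager), so anyone with that account's access can swap the script out. The audit helper below is an added example, not part of the original writeup: it flags scripts whose file or containing directory can be modified by someone other than the account that runs them. The runner uid/gid defaults and the sample ownership values are assumptions.

```python
"""Audit helper: flag scripts a privileged job executes when their file or
containing directory can be modified by an account other than the runner.
Added example, not from the original writeup; uid/gid values are assumptions."""
import os
import stat
import sys
from typing import List, NamedTuple, Optional, Tuple

Owner = Tuple[int, int, int]  # (uid, gid, st_mode) as returned by os.stat

class Finding(NamedTuple):
    path: str
    reason: str

def writable_by_other(owner: Owner, runner_uid: int, runner_gid: int) -> Optional[str]:
    """Return why an account other than the runner can modify this inode, or None."""
    uid, gid, mode = owner
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != runner_gid:
        return f"group-writable by gid {gid}"
    if uid != runner_uid:  # the owner can always chmod/rewrite the inode
        return f"owned by uid {uid}, not the runner (uid {runner_uid})"
    return None

def audit_script(path: str, file_owner: Owner, dir_owner: Owner,
                 runner_uid: int = 0, runner_gid: int = 0) -> List[Finding]:
    """Check the script and its parent directory: whoever controls the
    directory can rename/replace the script even if the file is root-owned."""
    findings = []
    why = writable_by_other(file_owner, runner_uid, runner_gid)
    if why:
        findings.append(Finding(path, f"script {why}"))
    why = writable_by_other(dir_owner, runner_uid, runner_gid)
    if why:
        findings.append(Finding(path, f"containing directory {why}; script can be replaced"))
    return findings

def audit_path(path: str, runner_uid: int = 0, runner_gid: int = 0) -> List[Finding]:
    """Audit a real file on disk, e.g. a script a root cron job or sudo rule runs."""
    st, dst = os.stat(path), os.stat(os.path.dirname(os.path.abspath(path)))
    return audit_script(path, (st.st_uid, st.st_gid, st.st_mode),
                        (dst.st_uid, dst.st_gid, dst.st_mode), runner_uid, runner_gid)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        for f in audit_path(p):
            print(f"{f.path}: {f.reason}")
```

Run it against the scripts a privileged scheduler or sudo rule invokes; a clean result is an empty list, and the scriptmanager-style layout from this box yields findings on both the file and its directory.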

Done.

Thanks for reading. Kindly give a clap if it was helpful, and suggestions are welcome.

Security researcher, Blogger, Bug Bounty hunter
