Bashed privesc

imag1ne · January 13, 2018, 8:56pm

Several threads on this one, but this newb is just wondering: Can everything be done from the web shell or is a reverse shell required? can’t su or chsh, but all the nc tricks are failing.

Agent22 · January 13, 2018, 9:24pm

u required reverse shell for some commands …
just try …

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
(great resource of reverse shell tricks )

try every shell trick like — > Bash reverse, PYTHON reverse shell etc…

imag1ne · January 13, 2018, 10:01pm

Being new, I am trying to distinguish config issues from ops issues. I have IP of 10.0.2.x. With that I have tried multiple ports in 8080/8889 range with listener setup and dial back to 10.0.2.x. I have been using the existing php tool on server, no personal upload. Is this the right start to setting up a reverse?
Edit: I have just been using an ‘nc’ listener as well; can anyone confirm this is legit?

wr3nch0x1 · January 14, 2018, 12:30pm

you can PM me

nosas · January 14, 2018, 1:36pm

Take a peak at Ippsec’s video on YouTube regarding the Popcorn walkthrough. You should be able to get a gist of how to work a reverse shell.

imag1ne · January 14, 2018, 11:38pm

So I after not giving up (yesterday ended with around 24 hrs up), got the flag, but priv esc was minimal and never got a full meterpreter reverse (just echo’d bash). I know some people have asked about potential openings. I abused the hole to get the flag, but was there a different methodology that was cleaner/more clear?

Anyone that has thoughts, please feel free to PM

pentaroot · January 15, 2018, 3:47am

I could use some help with the priv esc on Bashed if anyone has a few minutes.

elvskerm · January 15, 2018, 9:27pm

^^^ same here please

samson15 · January 16, 2018, 8:27am

same here

zuk3y · January 16, 2018, 9:56am

@demoniclemonz @elvskerm @samson15 Enumerate harder, i know it sounds vague, but once you find an interesting out of bounds directory, there are ways to use sudo to change user context. Root privilege and reverse shell both arent necessary here

tatzilla · January 17, 2018, 1:50am

Can I a PM anyone regarding the priv esc? Have ran LinEnum and linuxprivchecker but might have missed something, have also enumerated manually. Would be interested to talk about how root file could be read as well how to escalate to full root privileges

CtrlEsc · January 17, 2018, 11:35am

Another Bashed user bashing his head here.

I’ve clocked 24+ hours on this now. I had the rev shell running within the first hour and broke out of the www user soon after, but I cannot see for the life of me how to get beyond this. I spent 10pm till 2am this morning manually going through every file and folder, grepping for stuff, triple checking permissions.

I know the answer is always in the last place you look, but surely I am testing the physical and conceptual limits of enumeration. If @Zukey is referring to what I think they are referring to, I’ve got that done and dusted but still don’t have access to /root/root.txt and I can see nothing with SUID sticky that would empower me to get it.

Happy to go and enumerate harder, but a pointer as to what precisely to enumerate would be extraordinarily appreciated.

CtrlEsc · January 17, 2018, 11:35am

** Apologies - double post **

spotless · January 18, 2018, 12:15am

@CtrlEsc said:
** Apologies - double post **

PM me

CtrlEsc · January 18, 2018, 4:57pm

You’ve got mail.

4s1t · January 18, 2018, 6:14pm

I’ve been trying this from days but not getting root. Tried nc, tty but not working. Any hints ?

Kwicster · January 18, 2018, 10:10pm

Hey guys, another priv stuggler. So I’m almost 100% sure that i can get the flag if i could just figure out a way to upload a small python script. I can echo it into the scripts folder, but then the formatting is wrong. I’ve tried nc, ssh, FTP, curl, wget, nothing works for uploading a file. I don’t have a huge amount of experience with webservers yet which is probably the issue.

CtrlEsc · January 19, 2018, 12:23am

I can get files into and out of the machine no problems. I just can’t find a way of getting appropriate permissions (or co-opting something that has permissions) to /root/root.txt.

Thought I found the answer earlier. Wrote a nice little script to modify a key file that I seemed to have permission to write to, only to realise that I didn’t have permission to write into the parent directory I wanted.

It has been suggested I am on the right path. After 10 days of trying this on and off, I am very grateful for that understanding.

I swear, when I get that flag, it is going to feel like I’ve taken a huge /bin/sh/t.

imag1ne · January 19, 2018, 2:11pm

I feel you all; it’s hard to get started, but once you do, the flow gets better. LinEnum and pay attention to the notes and flags that are highlighted. Don’t make it harder than it needs to be, these really aren’t crazy deep.
It sounds like I used the right approach, but understanding how sudo works is handy. That is an issue for several boxes. I learned about sudo su a while ago, but I really had to go through some articles/examples to get the sudo concepts. I’ll see if I can find a good article that isn’t a complete giveaway.

hackthebox6969 · January 21, 2018, 8:41am

i have user.txt - i have uploaded the linenum script and enumerated as much as my windows brain can do…read the g0tmi1k page heaps of times - (but not sure what i am really looking for) watched a tonne of Ippsec videos and tried looking for exploits via searchspolit and tried a few - but not working…i have a full meterpreter shell …i am ok upload files successfully,…and run php files…read the forum over and over and understand riddles are there to stop spoilers - but should i keep looking for an exploit like some of the other video tutorials have ? I have read i dont need to be root to read the root.txt - but is that a fancy - linux guru way ? Any urls that will guide me would be a appreciated ? or anyone up for a PM to help be learn ?