Hack the Box – Bashed User Own

Bashed Header Image

For quite sometime now I’ve been wanting to publish the write-up to my first successful hack on Hack the Box but as part of their terms of service you aren’t allowed to publish your write-up until that machine has been retired. Now that the Bashed machine has been retired I finally can. If you haven’t already I’d recommend signing up to Hack the Box to build your hacking skills; entry to the site is not as simple as entering your details to get your account, you have to do a little work first.

The particular machine I started off with first is the Bashed machine by Arrexel. With all the machines I’ve at least tested, if not hacked successfully I’ve tried to find out more information about them. The information page on Hack the Box lists what OS the machine is running, but little else so I always start by running an Nmap scan using the command

$ nmap -sV 10.10.10.68

The addition of -sV asks Nmap to try and ascertain the version of the service it finds running which for Bashed generated

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

As the results of the scan showed it to be a web server within Firefox I typed the address 10.10.10.68 to see if any useful information was shown on the webpage. This provided me a small hint of what I’d need to crack the machine, but I still needed to find out more. One of the first tools I use to find interesting areas on web servers is the http-enum script within Nmap. To use command I entered

$ nmap –script http-enum 10.10.10.68

returning

80/tcp open http
| http-enum:
| /css/: Potentially interesting directory w/ listing on ‘apache/2.4.18 (ubuntu)’
| /dev/: Potentially interesting directory w/ listing on ‘apache/2.4.18 (ubuntu)’
| /images/: Potentially interesting directory w/ listing on ‘apache/2.4.18 (ubuntu)’
| /js/: Potentially interesting directory w/ listing on ‘apache/2.4.18 (ubuntu)’
| /php/: Potentially interesting directory w/ listing on ‘apache/2.4.18 (ubuntu)’
|_ /uploads/: Potentially interesting folder

Luckily this isn’t too many folders and so I manually browsed though them looking for interesting material, finding that most were not that useful apart from /dev. Inside /dev are two files phpbash.min.php and phpbash.php. phpbash is an interactive web shell created by Arrexel and is available on their Github page if you want to use it elsewhere. If this was an organisation it is unlikely (although perhaps not impossible) that they would leave a web shell available for public use, but for Hack the Box it is there and never look a gift horse in the mouth. If you were looking to use this on a server you are pen testing, you would have to find a way of uploading the shell first.

Phpbash.php will show a shell that will likely be familiar; Arrexel states on the Github page it is designed in the Kali colours to make it recognisable. My first command was to see if I could navigate out of the directory I started entering

$ cd /

surprisingly I managed to leave that directory so typed

$ ls

to see what other files were available to browse at this level.

Hack the Box Bashed Directories

As I was aiming to get the ‘User Own’ this I needed to find where the hash was located. To quickly find this it helps to have a basic knowledge of the file structure of Linux. I only have a knowledge in the areas where it is similar to macOS; so is only useful to a limit. macOS places all its users within a ‘Users’ directory and each user’s directory is referred to as their ‘home’ directory. macOS does contain a ‘usr’ directory which is in our results list (apologies as usr, var and vmlinuz are not shown in the results above), but on macOS this directory is hidden and is different to the ‘Users’ directory that is not hidden. This leaves ‘home’ as the most likely lead and so I navigate to it

$cd /home

this contained two users ‘arrexel’ and ‘scriptmanager’. As Arrexel is the creator of this machine this is likely to be set as the main user on the box, so I navigate into it and find a user.txt file and viewed the contents with

$ cat user.txt

giving me the user own hash.

Lessons Learnt

The write-up I’ve done makes it appear as though I had got from start to user own in about 5 minutes, but I can honestly say this took me around 10 hours as I tried all sorts of different techniques thinking that it would be far more complicated than it was. This was also the first time I’d attempted to hack into a machine and so am likely to attempt or adapt this method first with my subsequent hacks. This has also also shown me that persistence will pay off and a technique that might seem like it was useless to perform, may actually be useful when adapted later.

Unfortunately with Bashed I have never managed to get the root own, but have done this with another machine on Hack the Box called Nibbles. Once Nibbles has been retired I look forward to publishing the write-up and the lessons I have learnt from it.