Bashed HTB Writeup

Viren Saroha

5 min readJun 29, 2021

Hi everyone, this is my writeup for box “Bashed” found on HackTheBox .

Nudge Section :

Visit /dev to get WebShell,
Upload php-reverse-shell in /uploads directory from phpbash WebShell to get reverse shell,
Change the code in test.py with that of reverse shell to escalate privileges to root.

Machine IP Address : 10.10.10.68

Part 1 : Recon

1. Starting off with an Nmap Scan to get information about the open ports.

nmap -sC -sV -Pn 10.10.10.68

We get the following results from the nmap scan:

We have only 1 port open.

Port 80 : Running Apache 2.4.18

2. Before Enumerating further let’s run a gobuster scan.

gobuster dir -u http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -e

We get some interesting directories from the scan.

/uploads , /php and /dev

Part 2: Enumeration

Let’s begin our enumeration by visiting the webpage on port 80

Clicking on the arrow and phpbash on first page leads us to http://10.10.10.68/single.html. There, we can find a link to a GitHub repository ( https://github.com/Arrexel/phpbash ) explaining that phpbash is a standalone, semi-interactive web shell.

Visiting the Github repository link ( https://github.com/Arrexel/phpbash ) give us juicy information on how to access the shell.

As visible in the screenshot (on the github page) the WebShell is in the uploads directory, Also we got the same directory listed in the gobuster scan.

BUT!! visiting the /uploads directory showed a blank page. Don’t worry let’s visit the other interesting directory we got from gobuster scan.

On visiting the /dev directory we get the index listed for the WebShells.

Part 3 : Getting User Flag

Visiting the WebShells we got from the /dev directory we got a shell as Apache’s default user www-data. Now let’s try to get the user flag.

We get the user flag by looking into the arrexel directory .

Part 4 : Getting Root Flag

Now let’s try for privilege escalation. Running the sudo -l command gives us some juicy information Let’s take note of it for later use.

Now let’s try to get linPeas.sh in order to get information for privilege escalation. I tried several ways ( wget, curl, git clone, upload functionality of phpbash ) to get the script But I got no success. So I started manually enumerating the box and also thinking about getting a reverse shell to our host machine.

As I was stuck at this point So, I took a break and decided to come back later.

I started again by going through the gobuster scan. I got a php file in the /php directory But it was also a dead end.

Now we are left with /uploads directory. So I thought what if we could create a file in /uploads directory using the WebShell and access it by visiting through url and BINGO!! we can do that. Now let’s upload a php reverse shell.

Now it’s time to get a reverse shell….Don’t forget to start NetCat listener on your machine.

First of all let us make the shell stable by using :

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’.

Remember the result we got from sudo -l. So change the user to scriptmanager by using

sudo -u scriptmanager bash

Now let’s try to further enumerate the box.

The scripts directory stands out so let’s take a look into it.

Taking a look at test.py we can conclude that both test.txt and test.py are interrelated.

Observe that the test.txt file is owned by root think what if we could add a reverse shell code in test.py and the reverse shell we will get will run as root!! So let’s remove the original test.py file and replace it with a test.py created by us in our local machine which contains reverse shell code.