---

• OS: Linux 🐧
• Difficulty: Easy 😇
• Release: 09 Dec 2017 📅
• IP: 10.10.10.68 💻
• Box Creator: Arrexel 😎

---

Hello there guys. Welcome to my 7th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Bashed from HackTheBox.

Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a 10.10.10.68 -r 1-65535 -- -sV -sC -Pn
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

We found HTTP port 80 open.

What is phpbash?. Well to make our life easy there is a link to the phpbash git repo. According to it “phpbash is a standalone, semi-interactive web shell”. Doing a quick directory bust identifies there is a /dev directory. This directory is where phpbash is installed on this server.

Phpbash provides a semi-interactive shell. If you like you can execute a reverse shell payload and get an interactive shell.

Post Exploitation

Going ahead looking at the sudo entries. There is a user called “scriptmanager” and we can execute any command as scriptmanager via sudo without providing the password. So I executed /bin/bash to get a bash shell.

There is an unusual folder sitting at the root of the file system.

Content in the test.py file. (File owned by scriptmanager)

Content in the test.txt (File owned by root)

testing 123!

test.txt is created as a result of executing test.py. Looking at the ownership of test.txt, it’s owned by root. This means a process running with root privileges has executed test.py. Maybe some cronjob.

Let’s add a reverse shell payload to test.py and see if we get a shell back.

Setup a listener and wait for a shell connection.

Got a shell running as root privileges.

---

I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.