- OS: Linux
- Difficulty: Easy
- Release: 09 Dec 2017
- IP: 10.10.10.68
- Box Creator: Arrexel
Hello there guys. Welcome to my 7th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Bashed from HackTheBox.
Let’s begin with a full port scan to see what is listening. I used Rustscan, which hands the open ports to Nmap and returns results faster than a plain Nmap scan of all 65535 ports:
$ rustscan -a 10.10.10.68 -r 1-65535 -- -sV -sC -Pn
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:42
Completed NSE at 23:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds
Only port 80 (HTTP, Apache 2.4.18) is open.

The site links to the phpbash Git repository, which makes our life easy. What is phpbash? According to the repo, “phpbash is a standalone, semi-interactive web shell”. A quick directory bust identifies a /dev directory, which is where phpbash is installed on this server.


Phpbash provides a semi-interactive shell. If you prefer a fully interactive shell, you can execute a reverse shell payload from it.
Post Exploitation
Next, I looked at the sudo entries. There is a user called “scriptmanager”, and we can execute any command as scriptmanager via sudo without providing a password. So I executed /bin/bash to get a bash shell as scriptmanager.

There is an unusual folder sitting at the root of the file system.


Contents of the test.py file (owned by scriptmanager):
testing 123!
test.txt is created as a result of executing test.py. Looking at the ownership of test.txt, it’s owned by root. This means a process running with root privileges executed test.py, most likely a cron job.
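The two weaknesses this post turns into root, a passwordless sudo rule and a root cron job that runs a script a non-root user owns, are exactly what a defender should audit for. The following Python is an added example of such an audit; it is not code from the box, the post, or phpbash. The crontab and sudoers lines, the uid 1001 standing in for scriptmanager, and the inventory of file owners and modes are all constructed for the example; a real tool would replace the inventory with os.stat on the live system.

```python
"""Audit system-crontab and sudoers lines for two privilege-escalation
misconfigurations: a root cron job whose script (or its directory) can be
modified by a non-root user, and a NOPASSWD sudo rule."""
import re
import stat
from typing import Dict, List, Tuple

# System crontab layout (/etc/crontab, /etc/cron.d/*): five time fields, user, command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
# sudoers rule: who  host=(runas[:group])  [TAG: ...]  commands
SUDO_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$"
)
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php"}

# path -> (owner uid, mode). Constructed inventory; uid 1001 is a hypothetical
# uid for scriptmanager, not a value taken from the box.
FILE_INFO: Dict[str, Tuple[int, int]] = {
    "/usr/sbin": (0, 0o755),
    "/usr/sbin/logrotate": (0, 0o755),
    "/scripts": (1001, 0o755),
    "/scripts/test.py": (1001, 0o644),
}

# Constructed sample lines, not captured from the box.
CRON_LINES = [
    "# /etc/crontab (constructed sample)",
    "0 3 * * *   root   /usr/sbin/logrotate /etc/logrotate.conf",
    "* * * * *   root   python /scripts/test.py",
]
SUDOERS_LINES = [
    "Defaults        env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "www-data ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL",
]


def script_path(cmd: str) -> str:
    """Return the file a cron command executes: the first token, or the token
    after an interpreter such as 'python' or 'bash'. Shell compounds
    ('cd /x && ./y') are not resolved; the first token is returned as-is."""
    tokens = cmd.split()
    if not tokens:
        return ""
    first = tokens[0].rsplit("/", 1)[-1]
    if first in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def writable_by_non_root(path: str, file_info: Dict[str, Tuple[int, int]]) -> List[str]:
    """Reasons a non-root user could change what 'path' executes: the script
    or its parent directory is owned by a non-root uid, or is group/world
    writable. An unknown path is reported so it is not silently skipped."""
    parent = path.rsplit("/", 1)[0] or "/"
    reasons = []
    for p, label in ((path, "script"), (parent, "directory")):
        if p not in file_info:
            reasons.append(f"{label} {p} missing from inventory")
            continue
        uid, mode = file_info[p]
        if uid != 0:
            reasons.append(f"{label} {p} owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} {p} is group/world writable ({oct(mode & 0o777)})")
    return reasons


def audit_cron(lines: List[str], file_info: Dict[str, Tuple[int, int]]) -> List[str]:
    """Flag root cron jobs whose executed file a non-root user could replace."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        for reason in writable_by_non_root(script_path(m.group("cmd")), file_info):
            findings.append(f"root cron '{m.group('cmd')}': {reason}")
    return findings


def audit_sudoers(lines: List[str]) -> List[str]:
    """Flag sudoers rules carrying the NOPASSWD tag."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            findings.append(
                f"{m.group('who')} may run {m.group('cmds')} as "
                f"{m.group('runas')} without a password"
            )
    return findings


if __name__ == "__main__":
    for f in audit_cron(CRON_LINES, FILE_INFO) + audit_sudoers(SUDOERS_LINES):
        print("FINDING:", f)
```

On the constructed input the cron audit reports both the script and the /scripts directory as owned by a non-root uid, and the sudoers audit reports the NOPASSWD rule. The fix for the cron finding is to have root own the script and its directory with no group/world write bit, or to run the job as the user who maintains the script rather than as root; the sudo rule should require a password and be limited to the specific commands the web user actually needs.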
Let’s add a reverse shell payload to test.py and see if we get a shell back.

Set up a listener and wait for the shell connection.

Got a shell running with root privileges.