Beri Contraster

Bashed - HackTheBox Walkthrough



Linux . Easy

Created by Arrexel

 Released on 09 Dec 2017


Welcome, reader. Today we'll hack Bashed from HackTheBox. Let's start with an Nmap scan.


Nmap Scan

It's an Ubuntu machine with only one port (80) open, running Apache 2.4.18. Let's take a look at the website.



A quick Google search for phpbash reveals a GitHub repository containing the source code and some interesting information.


Phpbash is a standalone, semi-interactive web shell. Its main purpose is to assist in penetration tests where traditional reverse shells are not possible. The design is based on the default Kali Linux terminal colors, so pentesters should feel right at home.

Looking through the repository I found this.



There's a phpbash file under /uploads which could let users execute commands on the system. Going over to /uploads/phpbash.php gives "page not found". The /uploads directory does exist. Let's do directory fuzzing and see if we can find the phpbash file using Gobuster.


Directory Fuzzing


Going over to the /dev directory lists some PHP files.



FOOTHOLD

There's the phpbash file we were looking for. Let's open it.



We successfully achieved command execution as www-data. Let's get a reverse shell. I used this Python3 command for the reverse shell from Revshells.



Don't forget to change the IP and port (optional). Fire up the Netcat listener and execute the command.



Lateral Movement

I always do manual enumeration before running automated scripts. This user can run all commands as Scriptmanager.



We can use the following command to spawn a shell as user Scriptmanager.



User Flag


ROOT

Using Pspy, which enumerates cron jobs, I found a test.py file under the /scripts folder which is running as a root user every minute.



We can see the test.py file is running every minute. We can place the same Python3 reverse shell command to pop a shell as a root user. Here is my modified /scripts/test.py file.



Now we have to wait for the file to execute and we should receive a reverse shell as a root user.
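The root step works because a script that a root-owned job runs every minute can be edited by a lower-privileged user. As an added example (not part of the original walkthrough), the Python check below audits such a script path and every parent directory for ownership or write access outside a trusted set; the function names and the temporary sample layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_root_job_path(path, trusted_uids=frozenset({0}), trusted_gids=frozenset({0}), stop_at="/"):
    """Report every path component a non-trusted account could modify or replace.

    path is a script that a root-owned job executes; the walk runs from the
    script up to stop_at, because write access to any parent directory allows
    the script to be swapped out even when the file itself is read-only.
    """
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        # A sticky directory (such as /tmp) blocks renaming entries owned by others.
        sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids and not sticky:
            findings.append((current, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH and not sticky:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def build_sample_layout():
    """Constructed sample: a scripts/test.py tree like the one in the walkthrough."""
    base = tempfile.mkdtemp()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    os.chmod(base, 0o755)
    os.chmod(scripts, 0o755)
    script = os.path.join(scripts, "test.py")
    with open(script, "w") as fh:
        fh.write("print('job ran')\n")
    os.chmod(script, 0o644)
    return base, scripts, script

if __name__ == "__main__":
    base, scripts, script = build_sample_layout()
    # Default trust set is root only, so a tree owned by an ordinary user is flagged.
    for component, reason in audit_root_job_path(script, stop_at=base):
        print(f"{component}: {reason}")
```

On a real host, pass each script path that a root crontab or timer executes and leave the trust sets at their root-only defaults.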



Thanks for reading. If you have any questions please don't hesitate to ask me.
