#1 — OSCP prep: HTB — Bashed
My walkthrough of a Hack The Box retired machine.
Machine: Bashed
IP: 10.129.202.29
OS: Linux
Difficulty: Easy
Reconnaissance
Let’s start by running an Nmap scan against the target machine to find out which ports are open and what services are running on them.
SYNTAX:
sudo nmap -T4 -v -p- 10.129.202.29
sudo nmap -T4 -sC -sV -p80 -oN nmap_bashed.txt 10.129.202.29
From the Nmap scan, we find that only port 80 is open. Let’s head over to the website and see what kind of information we can find.
We can see that this website talks about a web shell called phpbash, which was apparently developed on this web server. There is also a GitHub link for phpbash — https://github.com/Arrexel/phpbash.
There’s not much else we can see or do on this website, so let’s see if there are any other directories or files we can find using Gobuster.
SYNTAX:
gobuster dir -u <target URL> -w <wordlist> -x <extensions>
After looking through the directories and files found by the Gobuster scan, I noticed a phpbash.php file in the dev/ directory that gives us a web shell! Because this development file was left reachable on the web server, we gain our initial access into the system.
Privilege Escalation
Now that we’ve gained user access into the system, let’s try to escalate our privileges and gain root access.
However, before moving on, let’s switch from this web-based shell to a more stable one. I found and used a PHP reverse shell payload from “PayloadsAllTheThings” to give myself a more functional shell to work with.
Once I get a user shell, I always check first whether I can run commands with sudo, and here it turns out that I can run any command as scriptmanager without a password. I take advantage of this and spawn myself a bash shell as scriptmanager.
Looking around the file system, I found a scripts directory owned by scriptmanager. Inside it is a test.py file that runs every minute; I noticed this because it was updating a text file in the same directory every minute. That text file is owned by root, which means root is the one running the Python script.
To take advantage of this, I modify the Python script so that it sets the SUID bit on /bin/bash, which in turn allows me to run bash as root.
We successfully gained root access to the system!