Bashed — HTB Machine

Rishabh Rai
5 min readJan 7, 2024

New day new machine!!!!
Let’s get started with this old machine named bashed…..
So we have the IP let’s fire up some nmap commands to do the enumeration …….

As we can see there is only one port open on the machine which is port 80 for an http service….

First thing to do is visit the page and find if something can be used and on the side we can run a dirsearch or gobuster whichever directory enumerator you like you can start enumeration based on that.

as i have this running in the background lets visit the page and see what it looks like……

A dev site with a cool background it seems let’s have a look at the source page and also check your dir enumeration scan if it has caught anything interesting to look at…

I went to /dev page and then I got two files listed where i clicked on
phpbash.php

It sort of spawned me a web shell
from where i got the user flag easily I could run a command and ge ta reverse shell on my machine but let us try to get the root flag from here only….
Due to no tty shell I couldn’t do much here but okay I can still try the uploads pag eot upload something and then run the particular file to get a revere shell

I got the php reverse shell ready (meaning i changed the IP to mine and selected the port where nc will run on my machine)

If you want you can download the file form this link :
https://pentestmonkey.net/tools/web-shells/php-reverse-shell

now I uploaded it on the uploads directory by doing wget in the web shell

Now we are ready to shoot for the root access :
first thing i noticed was by doing sudo -l
I got this………….

Meaning i can run anything as this user (scriptmanager) so let’s change our user from www-data to scriptmanager for some sort of vertical escalation.

the command i ran was
sudo -u <username> bash

Upon runing linpeas.sh I found this

let’s give it a visit

Now look here the file is being written by test.py but it is submitted as being written by root meaning this action is run under roots privilege meaning if we can use this to do something then we can run anything as root user. Even spawn a root shell.

First i grabbed a python script to spwan a reverse shell on my machine as root and then edit it in my notepad and then paste it using echo in the test.py

lets wait for the reverse shell here

but it was not working because i did a mistake, see in the image if you can find the mistake in this image below:

after fixing the small mistake i received the shell on my machine

The mistake it did was “ with usign echo you have to keep in mind that there is no “” in the text you want to input or if there is then use echo ‘ instead of echo “ which was my problem here as well
At first i used this ehco “…….” making my code’s ip part escape the required “<IP>” but when i did echo ‘….’ this helped in solving the issue and i got the reverse shell…

My review:
The machine is super fun and easier to solve, the user flag is a piece of cake and root flag was not tough either but i did loose the shell quite a few times….

Join me on various platforms to discuss Cybersecurity and Cloud-related topics. From security best practices to cloud infrastructure, let’s exchange ideas and insights and stay ahead of the curve..

CONNECT WITH ME 🔗💻

--

--

Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.