Bashed — HTB Machine

Rishabh Rai
Jan 7, 2024

New day new machine!!!!
Let’s get started with this old machine named bashed…..
So we have the IP let’s fire up some nmap commands to do the enumeration …….

As we can see there is only one port open on the machine which is port 80 for an http service….

The first thing to do is visit the page and see if something there can be used. On the side, we can run dirsearch or gobuster (whichever directory enumerator you like) and start enumerating based on that.

As I have this running in the background, let’s visit the page and see what it looks like……

A dev site with a cool background, it seems. Let’s have a look at the page source, and also check whether your directory enumeration scan has caught anything interesting to look at…

I went to the /dev page and got two files listed, where I clicked on phpbash.php

It sort of spawned me a web shell, from where I got the user flag easily. I could run a command and get a reverse shell on my machine, but let us try to get the root flag from here only….
Due to no tty shell I couldn’t do much here, but okay, I can still try the uploads page to upload something and then run the particular file to get a reverse shell.

I got the PHP reverse shell ready (meaning I changed the IP to mine and selected the port where nc will run on my machine).

If you want, you can download the file from this link:
https://pentestmonkey.net/tools/web-shells/php-reverse-shell

Now I uploaded it to the uploads directory by doing wget in the web shell.

Now we are ready to shoot for the root access :
The first thing I noticed was from doing sudo -l.
I got this………….

Meaning I can run anything as this user (scriptmanager), so let’s change our user from www-data to scriptmanager for some sort of vertical escalation.

The command I ran was:
sudo -u <username> bash

Upon running linpeas.sh I found this

Let’s give it a visit

Now look here: the file is being written by test.py, but it is listed as being written by root, meaning this action is run under root’s privileges. So if we can use this to do something, then we can run anything as the root user, even spawn a root shell.

First I grabbed a Python script to spawn a reverse shell on my machine as root, then edited it in my notepad and pasted it into test.py using echo.

Let’s wait for the reverse shell here

But it was not working because I made a mistake. See if you can find the mistake in the image below:

After fixing the small mistake I received the shell on my machine

The mistake I made was this: when using echo, you have to keep in mind that there should be no " in the text you want to input, or if there is, then use echo ' instead of echo ", which was my problem here as well.
At first I used echo "......." which made the IP part of my code escape the required "<IP>" quotes, but when I did echo '....' this solved the issue and I got the reverse shell…
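
The quoting mistake described above, as an added example that is not from the original post: the same line is written with double-quoted echo, single-quoted echo and a quoted here-document, then checked against what was intended. The Python line, the 192.0.2.10 documentation address and all function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: how shell quoting changes what actually lands in the file.
# All values are constructed; 192.0.2.10 is a documentation-only address.

# The line we intend to store, exactly as Python needs to see it.
WANTED='host = "192.0.2.10"'

# Double-quoted echo: each inner " closes or reopens the shell string,
# so the shell removes them and Python later sees a bare, invalid token.
write_double() { echo "host = "192.0.2.10"" > "$1"; }

# Single-quoted echo: everything between ' ' is literal, inner " survive.
write_single() { echo 'host = "192.0.2.10"' > "$1"; }

# Quoted here-document: also literal, and still works when the text
# contains both ' and " characters.
write_heredoc() {
  cat > "$1" <<'EOF'
host = "192.0.2.10"
EOF
}

# Succeeds only if the file holds exactly the intended line.
intact() { [ "$(cat "$1")" = "$WANTED" ]; }

# Write the line all three ways and report what each file really contains.
demo() {
  dir=$(mktemp -d)
  for f in double single heredoc; do
    "write_$f" "$dir/$f.py"
    if intact "$dir/$f.py"; then
      echo "$f: intact"
    else
      echo "$f: altered -> $(cat "$dir/$f.py")"
    fi
  done
  rm -rf "$dir"
}

demo
```

Checking the written file with cat before relying on it shows the stripped quotes immediately.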

My review:
The machine is super fun and easier to solve. The user flag is a piece of cake and the root flag was not tough either, but I did lose the shell quite a few times….
