HackTheBox: Bashed - Writeup
15/05/2019 18:04
HackTheBox: Bashed was more of a CTF style machine and is ranked as easy on HTB.
1.1 - Scanning
I first started by doing a port scan of Bashed (10.10.10.68).
The nmap scan shows that the only open port is port 80. First, dirb and Nikto are executed to enumerate the server:
2.1 - Exploitation
Dirb reveals several directories, including one called /dev. When browsing this directory there is a PHP file called
When clicking the phpbash.php file a shell is opened and user is found:
3.1 - Post Exploitation
Entering the command sudo -l reveals that scriptmanager does not have any password. An attempt is made to switch to the
At the top of the hierarchy in / there is a scripts directory which contains a Python script and is owned by scriptmanager. The script is called test.py and outputs to a test.txt file. This appears to be a cron job. A Python shell can be inserted into the test.py file to get a reverse shell.
A Python reverse shell is inserted into the
netcat listener is open in the background waiting for the cron job to run:
After a few minutes a shell is opened and success! Root access gained. The root flag can then be retrieved.
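
The root cause of the escalation above is that a job running as root executes a script from a directory owned by scriptmanager. The following audit is an added example, not part of the original writeup: it flags every entry in such a directory that a non-trusted account could modify. The function name audit_script_dir and its trusted_uids parameter are assumptions made for this example.

```python
import os
import stat
import sys


def audit_script_dir(path, trusted_uids=(0,)):
    """Flag anything in `path` that a non-trusted account could modify.

    Returns a list of (entry, reason) tuples; an empty list means every
    entry is owned by a trusted uid and is not group- or world-writable.
    """
    findings = []
    # The directory itself matters: write access to it allows replacing files.
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for entry in entries:
        st = os.lstat(entry)  # lstat: inspect a symlink itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink, target not checked"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((entry, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    # /scripts is the directory from the writeup; pass another path to audit it.
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts"
    if not os.path.isdir(target):
        sys.exit("not a directory: %s" % target)
    results = audit_script_dir(target)
    for entry, reason in results:
        print("%s: %s" % (entry, reason))
    sys.exit(1 if results else 0)
```

Run against the layout described above, both the scripts directory and test.py would be reported, since neither is owned by uid 0.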