Another box from the the legendary OSCP-like box list from TJNull. In this box, Bashed, we get a look at some good old fashioned php. Bashed is very straightforward but it taught a few things that I honestly was scratching my head over for a few minutes until I figured out my mistake. There is not much to lose track of, a single port is open, no rabbit holes, but rather, can you manipulate what is in front of you.
In a nutshell, we find a webserver on port 80, run a gobuster scan and find a /dev directory. From there we’re able to load the php and grab the user flag. Next we’ll need a legitmate shell rather than a web shell so we upload a backdoor to the /uploads directory and execute it. The rest is fairly simple, some privesc and root.
As for the OSCP what did this box teach me:
- Use goBuster, enumerate!
- Using the
whichcommand to find out if
wget, curl, nc, bash and pythonare on the box
- How to use
- How to properly configure a privesc shell
Walkthrough for Bashed
The IP for Bashed is
First step as always is a nmap scan of the target host:
(forgive the double -sC 🙂 )
After our initial results came back we also ran scans on allports and UDP. Nothing to report.
Our initial scan returns just one port:
80/tcp open http
First step for me is to visit port 80 and see if there are any clues or indications of what are next steps are.
Not much going on here, so I decide to run a goBuster scan on the webserver and see if anything catches my eye
The Gobuster scan returns some interesting directories:
When I visited the uploads the directory, I was met with a blank page which was my first clue that maybe I can put something in here and run it
Second I visited dev:
phpbash.php led me to a webshell:
Before I even thought about getting my own shell, I wanted to see what I could grab from this.
With the user flag secured, now I can get to work on getting a proper shell.
As I mentioned earlier there wasn’t effort in getting the shell up and running. I knew I could place files in the upload directory so it was a matter of how do I get files on to this box. I used a simple HTTP server from python which allows me to quickly host files on webserver.
The syntax (for Python3) is:
python3 -m http.server [port number]
So what I did was, I googled really solid backdoor php shell:
This one to be exact. I edited the port and ip as per the instructions and saved it as
shell.php in my
/htb/bashed folder. This is also where I spun up my http server.
You can see that I checked the box to see if
wget was available, if they weren’t I’d have to get crafty nut luckily
wget was good to go. Once the file was uploaded, I spun up a
nc -lvnp 443 on my terminal and went to
http://10.10.10.68/shell.php . I got a callback and we were in business.
Next step, make this a more interactive shell:
python -c 'import pty;pty.spawn("/bin/sh")'
Now that I had the user flag, a shell up as a low privileged user, I had to think about my next steps. I didn’t want to use LinEnum because I really wanted to work through this one on my own. So first, I wanted to check what commands I can run as sudo.
Since I know I can run as scriptmanager without a password I decided to switch right away
So what happened here? Well
sudo -l told me I can use
sudo to run all commands as scriptmanager. So I used
sudo -i which according to the manual for sudo allows me to login and the
-u allows me to specify the user.
Unfortunately we are not out of the woods yet. Luckily for us scriptmanager had access to a scripts folder that led us to another clue. Inside the scripts folder were two files, one test.py and one test.txt; test.py was owned by us and test.txt was owned by root.
After further investigation it was realized that the python script is being run every minute as part of a cronjob. So if I could rewrite the contents of test.py to give me a root shell then it would execute. I tried using vi to edit test.py on the fly but ran into so much trouble. I decided to actually remove test.py and upload my own malicious version.
See the difference now
All we had to do now was wait for the cronjob, if you’re impatient you could execute the script yourself.
And that’s it. Very straightforward that reinforced some fundamentals of pentesting. I had fun knocking this one out but I think I will do a more difficult one next time round.