Bashed #Linux #Enumeration #Web-Fuzzing
Bashed is an easy-rated Linux machine from HackTheBox created by Arrexel. It is an odd machine that is left open, which makes it pretty straightforward: you can get in quickly and then escalate with something worth trying (I was lucky here). In this post, my IP is 10.10.14.12, and the target’s IP is 10.129.148.58.
nmap -sS -p- --open --min-rate 5000 -vvv -n -Pn 10.129.148.58

Only port 80? Just a website?

A lot of default directories. Add those directories to your notes; we will explore them soon.
{Directories: /css/ /dev/ /images/ /js/ /php/ /uploads/}

Now we check the structure of the website in our browser.
Browser: http://10.129.148.58
Source code of single.html; we should save it in our directory list.
Browser: http://10.129.148.58/css/
We can navigate through the folders, but there is nothing here.
Browser: http://10.129.148.58/dev/
Phpbash, what a curious name; let’s visit it.
Browser: http://10.129.148.58/dev/phpbash.php
We have… a bash? This will save us a lot of work. Time to set up a reverse shell using our [BrowserTerm] at /dev/phpbash.php and a local terminal [Term].
Now your local terminal [Term] is [www-data]. After this, we need a TTY treatment to make it easier to work.
Privilege Escalation
We can run every command as “scriptmanager”? The user name is a clear clue; let’s change the user, from [www-data] to [scriptman].
Searching for information turns up nothing relevant here. Our alternative is to follow the clue and go to scripts. So, as scriptmanager we can read and write test.py, but root is modifying test.txt… How? Wait, it changes? That means it is related to test.txt, and root is executing test.py (discovered with ls -la).
Newest content of test.py: a script to allow every user to use /bin/bash as root. We have the signal, perfect. That was worth testing.