HTB Linux Easy: Bashed

Bashed is an Easy rated Linux machine on HTB.

Nmap scan


Initial Foothold

Enumerate http (port 80)

Perform directory busting using Dirsearch.

In the /dev endpoint we find the phpbash.php script.

Use a Python reverse shell payload to get a reverse shell.

Your nc listener should have turned into a shell.

Lateral movement

Running sudo -l reveals an easy way to escalate to the scriptmanager user.

Priv Esc

Checking for files owned by the scriptmanager user, we find the test.py script.

Checking the permissions of the files, we notice that the test.txt file is owned by root.

Looking at the content of the test.py file, we see that it writes to the test.txt file. Since test.txt is owned by root, this means that the test.py script is being run by root in a cron job every minute.

To get a root shell, we can change the content of the test.py file to a Python reverse shell.

After waiting for around a minute, our nc listener should've turned into a shell.
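
The condition behind this escalation, a script that root's cron job runs while a lower-privileged user owns it, can be audited for directly. The following is an added example, not part of the original writeup; the function name audit_root_executed and the temporary demo layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_root_executed(path, trusted_uids=(0,), stop_at="/"):
    """Return (component, reason) findings for a file that a privileged job runs.

    Walks from the resolved file up to stop_at. Any component owned or writable
    by an untrusted account lets that account replace what the job executes.
    """
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    findings = []
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (such as /tmp) stops non-owners replacing entries.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if writable and not sticky_dir:
            findings.append((current, "group/world writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Constructed layout standing in for a script directory that a root cron
    # job executes from; run unprivileged, everything here is non-root owned.
    with tempfile.TemporaryDirectory() as base:
        job = os.path.join(base, "scripts", "job.py")
        os.mkdir(os.path.dirname(job))
        with open(job, "w") as fh:
            fh.write("open('out.txt', 'w').write('ok')\n")
        for component, reason in audit_root_executed(job, stop_at=base):
            print(f"{component}: {reason}")
```

On a real host, pass each script path referenced from root's crontab with the default stop_at; an empty result means only root can change what the job runs.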

User.txt


Root.txt


You have PWNED


This post is licensed under CC BY 4.0 by the author.