Bashed

Personal Rating: Easy

Enumeration

nmap:

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

https://github.com/Arrexel/phpbash

ffuf:

/images
/php
/uploads
/css
/dev
/js
/fonts

After fuzzing for phpbash.php and phpbash.min.php, I found them at /dev and could use them to get the user flag. I could also use them to upload a reverse shell and get direct access to the box.

I checked the folder permissions from the webroot down and found a folder that I could write to. I got a PHP reverse shell there with wget.

I am the user www-data.

sudo -l:

(scriptmanager : scriptmanager) NOPASSWD: ALL

There is an interesting process:

2023/02/23 04:32:01 CMD: UID=0 PID=16412 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done

I edited the file to give me the root flag, but I have to find out how the process is executed.

I placed a Python reverse shell in the Python file. It was executed automatically after some time and gave me the root reverse shell.
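
A defender's check for the weakness used above, as an added example that is not part of the original writeup: the root job runs every *.py in /scripts, so the directory and its scripts should be owned by root and writable by no one else. The function name audit_script_dir and its trusted_uid parameter are assumptions made for this example.

```python
import glob
import os
import stat


def audit_script_dir(directory, pattern="*.py", trusted_uid=0):
    """Return (path, reason) findings for a directory whose matching files
    are executed by a privileged job. trusted_uid is the account the job
    runs as (0 for the root job shown in the process line)."""
    findings = []

    def check(path, kind):
        try:
            st = os.lstat(path)  # lstat so a symlink is reported, not followed
        except OSError as exc:
            findings.append((path, f"{kind} cannot be inspected: {exc.strerror}"))
            return
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, f"{kind} is a symlink"))
            return
        if st.st_uid != trusted_uid:
            findings.append((path, f"{kind} owned by uid {st.st_uid}"))
        # Conservative: any group or other write bit is reported.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"{kind} is group/world-writable"))

    # Write access to the directory is enough to add or replace a script,
    # and the job's loop runs every file that matches the pattern.
    check(directory, "directory")
    for path in sorted(glob.glob(os.path.join(glob.escape(directory), pattern))):
        check(path, "script")
    return findings


if __name__ == "__main__":
    # /scripts is the directory named in the process line above.
    for path, reason in audit_script_dir("/scripts"):
        print(f"{path}: {reason}")
```

An empty result means only the trusted account can change what the job executes.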
