# Bashed

## Enumeration

nmap:

```
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
```

<https://github.com/Arrexel/phpbash>

ffuf:

```
/images
/php
/uploads
/css
/dev
/js
/fonts
```

After fuzzing for phpbash.php and phpbash.min.php, I found them at /dev and could use them to get the user flag. I could also use them to upload a reverse shell and get direct access to the box.

I checked the folder permissions from the webroot down and found a folder that I could write to. I got a PHP reverse shell there with wget.

I am the user www-data.

sudo -l:

`(scriptmanager : scriptmanager) NOPASSWD: ALL`

There is an interesting process:

```
2023/02/23 04:32:01 CMD: UID=0 PID=16412 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
```

I edited the file to give me the root flag, but I have to find out how the process is executed.

I placed a Python reverse shell in the Python file. It was executed automatically after some time and gave me a root reverse shell.
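
The escalation works because a UID 0 job runs every `*.py` in `/scripts` while a file there could be edited by a lower-privileged account. The following audit sketch is an added example, not part of the original writeup: it parses a process line of the form shown above and reports which entries a non-root account could change. The function names `parse_job` and `audit` are hypothetical, and the sample line is the one from this page.

```python
import os
import re
import stat
from pathlib import Path

# Sample input: the process line quoted in the writeup.
SAMPLE = '2023/02/23 04:32:01 CMD: UID=0 PID=16412 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done'

LINE_RE = re.compile(r'UID=(?P<uid>\d+)\s+PID=\d+\s+\|\s+(?P<cmd>.*)$')
LOOP_RE = re.compile(r'\bcd\s+(?P<dir>\S+?)\s*;\s*for\s+\w+\s+in\s+(?P<glob>\S+?)\s*;')


def parse_job(line):
    """Return (uid, directory, glob) for a 'cd DIR; for f in GLOB; ...' job, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    loop = LOOP_RE.search(m.group("cmd"))
    if not loop:
        return None
    return int(m.group("uid")), loop.group("dir"), loop.group("glob")


def audit(directory, glob="*.py", trusted_uids=frozenset({0})):
    """List reasons an account outside trusted_uids could change what the job runs."""
    findings = []
    root = Path(directory)
    # The directory matters as much as the files: write access to it allows
    # adding or replacing entries that match the glob.
    for path in [root, *sorted(root.glob(glob))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: symlink, audit its target separately")
            continue
        if st.st_uid not in trusted_uids:
            findings.append(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    return findings


if __name__ == "__main__":
    job = parse_job(SAMPLE)
    if job and job[0] == 0 and os.path.isdir(job[1]):
        for finding in audit(job[1], job[2]):
            print(finding)
```

An empty result means the directory and every matching file are owned by a trusted UID and not group or world writable; any finding is a path by which the root job can be made to run code it was not meant to.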
