Close

Writeup – HTB – Bashed

Now this was a fun change from the last one, and marks box #6 in my OSCP Prep. I had done this box some months ago and it was fun to play with again and re-remember how to do it.

Here’s the nmap scan:

Sweet! Only one port! Should be easy, right?

Browsing, we get a blog, and it mentions a php bash shell that arrexel developed on this very server! That has to be promising!

Kicking off a dirsearch, we indeed find some interesting directories.

A dev folder certainly looks promising!

And now we have a shell.

We quickly see that we can run commands as the user ‘scriptmanager’ with no password, and we can browse around. www-user is enough to get us into arrexel’s directory and find the user flag.

But how to get the pesky root flag? Well, let’s see what the scriptmanager user can do.

What’s that folder down there?

Of particular interest is this scripts folder in the root of the server. Looking inside the directory we find a test.py and a test.txt. Don’t forget to look in the directory as scriptmanager otherwise you won’t be able to see anything.

test.txt is only writable by root…
Here’s test.py

All the test.py script does it write to test.txt. But as you can see above, it must be doing it with root permissions as test.txt is only writable by root. It’s trivial to modify the python script to get the contents of root.txt and write them out for us.

Now just wait for the script to be run (cron job) and poof, you’ve got your root flag!

Easy day!

This was a fun box. I look forward to moving on to more! Video to follow shortly!