Bashed
Last updated
Last updated
Bashed is a retired Easy level box from Hack the Box that many who are taking the OSCP attempt to solve in preparation for the exam. I personally used this box as one of the first boxes I attempted in my journey. If you are looking to prepare for the OSCP, I would highly recommend TJNull's list linked here.
With all that said, let's jump in.
As with most boxes we'll cover here, we'll start off with an nmap scan. The most common version of the scan I run to kick off an assessment is listed below. If you would like to dig deeper into what each flag means, I would recommend using the nmap man page listed here
We only see a web server on the initial scan so let's navigate to it and see what is there.
We see an initial page detailing phpbash a webshell framework we can delve deeper into by clicking on the post. Since there doesn't seem to be much else, let's try some directory bruteforcing via gobuster.
After poking around in a few of the interesting directories like uploads and php, we see what appears to be the phpbash program in the dev folder.
Since we are limited in our access with this webshell, we'll attempt to get a full reverse shell via one of the shells at pentestermonkey and set up a listener.
We can run some recon scripts now that we have full access. LinEnum or LinPEAS are some popular choices to run.
After performing a simple check on what we can sudo as we see this:
By running sudo -u scriptmanager bash,we gain access as scriptmanager.
Next, we perform our local enumeration again by running LinEnum and doing some looking around. Looking through the results we see a script that is creating a file owned by root.
By editing the file, we can gain a reverse shell as root.
Congrats! We now own the box and can grab all the hashes!
