Hack The Box (Bashed)

By: Nicholas Werner

Starting off with nmap scans.

Using searchsploit to see if there are any remote exploits for Apache 2.4.18

Going to 10.10.10.68 to see what’s up.

Using dirbuster to enumerate files and directories.

Looks like I found a directory that seems interesting.

Clicked on phpbash.php and it gave me a shell.

I was able to navigate this shell to get the user flag.

I see that I might be able to access scriptmanager without a password.

I try to go into the scriptmanager folder and there is nothing there so I try to escalate privileges into scriptmanager and it looks like it need a tty shell.

There also appears to be an uploads folder so we may be able to upload a reverse shell.

I decide to use a php reverse shell.

I upload the reverse shell.

Open a listener so that I can create a shell.

Now our listener has opened a shell.

I still need a tty shell.

I want to use this first command right in my shell that I just created.

This eventually allowed me to escalate my privileges into scriptmanager.

The only folder that scriptmanager can access is scripts which is also an unusual folder to see.

Since the scripts folder contains a python script I figure that we can use a python reverse shell to escalate privileges to root.

I found a python script so I copy it into a file and change a couple of things and save it.

I open up a netcat listener and a simplehttpserver like before so that when I upload my python reverse shell I will be able to get another shell that should give me root access.

After this, netcat should have created a shell and you can grab the root flag from there.