Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. Bashed is an easy to hack box and is meant for beginners. However, easy it may be, it gives a solid foundation for a beginner to progress. It is unstable and the hint to crack the box is found in the name itself.
We will use the following tools to pawn the box on a Kali Linux box
Step 1 – Scanning the network
As an initial step, before the machine is exploited, it needs to be scanned and investigated.
This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract maximum information.
Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning
nmap -sV -sC -A 10.10.10.68
-sV: Probe open ports to determine service/version info
-sC: Default script sets
-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute
10.10.10.68: IP address of the BASHED box
We can see that there is only one open port:
Port 80. TCP/HTTP
Step 2 – Exploring the IP address
In the address bar of the browser we visit the IP address of the Bashed box 10.10.10.75. We get to see a page which appears as a blog. It says that it is being developed on the server, so we might find a shell.
To move further, we enumerate the directories. A list of directories is obtained, and the most enticing one is the dev directory.
At 10.10.10.68/dev this dev directory leads to another page. On this page we find a payload phpbash.php.
Hooray! Through this payload we get a metapreter session!
Step 3 – Reverse PHP shell
The following is the terminal:
A listener is set at
root@kali:~# nc -nlvp 1234
Next, a reverse python shell is echoed and uploaded using the given commands in the video.
/var/www/html/uploads# mv php-reverse-shell.txt php-reverse-shell.php
A python file is imported to spawn the system.
Step 4 – Looking for the user.txt flag
Following command is used to list all the files/folders
Let’s move to the home folder and see what can be found
The following command is used to read the user.txt file
Step 5 – Looking for the root.txt flag
Now look for flag root.txt.
We find that with the username “scriptmanager” we can run any command. In the scripts folder we find a python script owned by scriptmanager and a text file owned by root. As scriptmanager, I overwrite the script.
Congrats! You found both flags!