Writeup - Bashed (HTB)


This is a writeup for the Bashed machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

One TCP port is discovered:

  • 80/tcp : HTTP web server (Apache 2.4.18)


First, I start by scanning the site's folders.

The scan turns up quite a few things, in particular the /dev folder, which contains the following 2 files:

After some research, they correspond to the phpbash project. In short, it is a shell integrated directly in a web page. So I go to the page and start looking for interesting things:

Rather fast, we can already get the first flag!

Privilege escalation

Although functional, the cmd in the browser remains limited. So I upload a PHP reverse shell in the html/uploads folder.

I now have a reverse shell and I can check the sudo permissions of my user.

The user is authorized to execute any command as scriptmanager. So I search for files/scripts on the machine and find the /scripts folder. I check the permissions with the following command:

Looking at the content of the script, I realize that it is executed automatically by the root user: the file test.txt belongs to root and was created a short time ago.

f = open("test.txt", "w")
f.write("testing 123!")

So I modify the script with the following program:

import socket,subprocess,os

After a few minutes, I have a root reverse shell and I can recover the last flag.


To patch this host I think it would be necessary to perform a number of actions:

  • Do not run phpbash.php directly on the machine, use containers to isolate it for example
  • Reduce the permissions of the user hosting the applications to a strict minimum
  • Do not run a script automatically as root if it can be modified by other users
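
To check the last point on a host, here is an added example (not part of the original writeup, and not code from the machine) that audits a directory of scripts executed by root and reports any script that a non-root account could modify or replace. The function names and the trusted_uids parameter are assumptions made for this illustration; it checks the script and its containing directory only, not every ancestor directory.

```python
import os
import stat
import sys


def audit_path(path, trusted_uids=frozenset({0})):
    """Return the reasons why `path` is unsafe for a root-run job to execute."""
    findings = []
    # Check the script and its directory: write access to the directory
    # is enough to replace the script with a different file.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            findings.append(f"{target}: owned by uid {st.st_uid}, not a trusted account")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{target}: group-writable (gid {st.st_gid})")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{target}: world-writable")
    return findings


def audit_directory(directory, trusted_uids=frozenset({0})):
    """Audit every regular file in a directory whose scripts root executes."""
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            findings = audit_path(full, trusted_uids)
            if findings:
                report[full] = findings
    return report


if __name__ == "__main__":
    # Usage: python3 audit_root_jobs.py <directory of scripts run by root>
    for script, problems in audit_directory(sys.argv[1]).items():
        for problem in problems:
            print(problem)
```

An empty report means every script and its directory is owned by a trusted account and has no group or world write bit set.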
