HACKTHEBOX MACHINES

HTB [BASHED] [LINUX]


#htb

bashed

Enumeration

Nmap:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Directory bruteforcing:

  • /dev seems interesting to me

  • Let’s open the first one

  • Here we can able to run commands, but we can’t able to get a reverse shell
  • So let’s try to upload a php reverse shell to /uploads folder, so we can get a shell by triggering it

reverse shell:

  • Here we can able to run any command as scriptmanager

priv esc:

  • Now time for linpeas

  • Let’s see /scripts/test.txt file

  • This file is owned by root
  • Also there’s a test.py script

  • It just opens this file and writes testing 123!
  • We have the permission to modify this script
  • Ig this script runs as root every minute
  • Let’s try to read root.txt and store its contents in a new file
r = open("/root/root.txt", "r").read()
f = open("flag.txt","w")
f.write(r)
f.close
  • Now let’s wait for 1 minute

  • Cool we solved it!!


Hack The Box

It would be appreciated if you give me a respect+ on HTB