Hack The Box :: Bashed

PHP unrestricted web shell

Run NMAP

Only a web server. Running dirb on it

We find a dev folder. That folder has php scripts that allows pretty much aly command. But looks like it spawns a shell for each command we run. So no persistence.

Lets first get a persistent reverse shell using a php reverse shell.

After looking around looks like root is running a script test.py owned my scriptmanager every minute.

If we replace the code of that script we can have root run anything. Lets replace it with a python reverse shell.

Listen for the connection back.

We have root !