Hack The Box :: Bashed
May 2, 2020
PHP unrestricted web shell
Run Nmap.
Only a web server is exposed, so we run dirb against it.
We find a dev folder. That folder has PHP scripts that allow pretty much any command, but it looks like a new shell is spawned for each command we run, so there is no persistence.
Let's first get a persistent reverse shell using a PHP reverse shell.
After looking around, it looks like root is running a script, test.py, owned by scriptmanager, every minute.
If we replace the code of that script, we can have root run anything. Let's replace it with a Python reverse shell.
Listen for the connection back.
We have root!
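
The escalation above works because root executes a script on a schedule that a lower-privileged account (scriptmanager) is able to edit. As an added example that is not part of the original write-up, the following Python audit check flags that condition for any script root runs; the function names are illustrative and the script path is supplied by whoever runs the audit.

```python
# Added example: function names are illustrative, not from the write-up.
import os
import stat
import sys


def stat_findings(path, st):
    """Reasons why something other than root could change `path`."""
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"{path}: owned by uid {st.st_uid}, not root")
    # Group write only matters when the group is not root's own.
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"{path}: writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        # In a sticky directory (like /tmp) users cannot replace files
        # they do not own, so it is not reported here.
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if not sticky_dir:
            reasons.append(f"{path}: world-writable")
    return reasons


def audit_root_job(script):
    """Check a script that root runs, plus every directory above it.

    A writable parent directory is as bad as a writable file, because
    the file can be renamed away and replaced.
    """
    findings = []
    path = os.path.realpath(script)  # audit the real target of any symlink
    while True:
        findings += stat_findings(path, os.stat(path))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_root_job.py /path/to/script (taken from root's crontab)
    for target in sys.argv[1:]:
        for line in audit_root_job(target) or [f"{target}: ok"]:
            print(line)
```

Any finding means the job should be moved to a root-owned file in root-owned directories, or run as the account that owns the script instead of as root.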