HTB - ScriptKiddie
Intro
Target
Recon
Initial recon tells us the box is running Linux, and that’s about it!
Enum
During the enum phase:
From this we discover an SSH service and a Python webserver on port 5000. It also confirms we are facing a Linux box.
Manually browsing to the website, we find that there are 3 tools: nmap, searchsploit and msfvenom. After a few tries with ffuf and gobuster, we couldn't find anything interesting. However, after a quick search, it looks like msfvenom might be vulnerable.
Exploitation
Let’s test our theory and see if we can get a shell.
Getting Initial Shell
In order to do so, we will fire up Metasploit and generate a payload (we could also download a payload and slightly modify it). We then upload the payload as an Android template and, before submitting it, let's not forget to start a listener like so: nc -nlvp 9001 (or your usual port). Let's now submit the request, and you should get a shell back as user kid. From here, I like to generate an SSH key and add it to .ssh/authorized_keys for easier access.
Once this is done, I have a proper shell and a way to come back easily.
Let's grab user's flag:
Pivoting
Now that we are the kid user, we notice that there is also a pwn user running a script periodically. Even more interestingly, it uses a file owned by kid as input.
The script in question is located at /home/pwn/scanlosers.sh and looks like below:
After a quick look at the script, we notice that it reads the file /home/kid/logs/hackers, takes the third field of each line, and runs an nmap scan against that field.
Now we can trick this script into running a custom command after the nmap one.
After a few trials and errors, I arrived at the following line:
echo "1 2 127.0.0.1';/home/kid/nc.sh;date" > /home/kid/logs/hackers
with nc.sh being:
Don't forget to run a listener on port 9001 in order to catch the reverse shell. I would have liked to do the "ssh trick" for easier access, but .ssh/authorized_keys is owned by root... So I'll have to make do with the temporary shell as the pwn user.
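The weakness abused above is a classic one: a field read from a file the attacker controls is spliced into a command string, so a quote and a semicolon are enough to append arbitrary commands. The script below is an added example (not the box's scanlosers.sh and not the author's code) showing how the same "third field becomes the nmap target" flow looks when the field is validated as a dotted-quad IPv4 address and handed to the scanner as a separate argument. The log lines are constructed for the demo, and NMAP_BIN is a variable introduced here so the scanner command can be swapped out; the real script's invocation and flags are not on this page.

```shell
#!/bin/bash
# Added example: a hardened take on the "read /home/kid/logs/hackers,
# take field 3, scan it" pattern. Everything not shaped like an IPv4
# address is rejected and reported, and the target never passes through
# a shell string, so quote/semicolon tricks in the log have no effect.

# Print only validated IPv4 targets from a hackers-style log, one per line;
# every other line is reported on stderr instead of being used.
# Usage: safe_targets <logfile>
safe_targets() {
    local logfile="$1" line ip octet ok
    while IFS= read -r line || [ -n "$line" ]; do
        # Same field choice as the original: third whitespace-separated field.
        ip=$(printf '%s\n' "$line" | awk '{print $3}')
        ok=1
        # Only digits and dots, no leading/trailing dot, no empty group.
        case "$ip" in
            *[!0-9.]*|.*|*.|*..*) ok=0 ;;
        esac
        if [ "$ok" -eq 1 ]; then
            # Exactly four groups, each 0..255.
            set -- $(printf '%s\n' "$ip" | tr '.' ' ')
            [ "$#" -eq 4 ] || ok=0
            for octet in "$@"; do
                [ "$octet" -le 255 ] 2>/dev/null || ok=0
            done
        fi
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$ip"
        else
            printf 'rejected line: %s\n' "$line" >&2
        fi
    done < "$logfile"
}

# Scan each validated target. The target is its own argv element, so the
# scanner receives it verbatim and no shell ever re-parses it.
# NMAP_BIN is this example's knob for substituting the scanner command.
scan_targets() {
    local target
    safe_targets "$1" | while IFS= read -r target; do
        "${NMAP_BIN:-nmap}" "$target"
    done
}

# Constructed sample log (not the box's real file): two honest entries,
# the injection-shaped line quoted in the writeup, and two malformed lines.
HACKERS_LOG=$(mktemp)
cat > "$HACKERS_LOG" <<'EOF'
2021-02-06 12:00:01 10.10.14.5
1 2 127.0.0.1';/home/kid/nc.sh;date
garbage line
2021-02-06 12:00:02 999.1.1.1
2021-02-06 12:00:03 10.10.14.7
EOF

# Stand-alone run: lists the two surviving targets, reports the rest.
safe_targets "$HACKERS_LOG"
```

Only the two well-formed addresses come out; the injected line is rejected because of the quote and semicolons, and even a line that slipped past validation would reach the scanner as a single argument rather than as shell syntax.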
PrivEsc
Now that we are pwn, let's start with a simple sudo -l:
msfconsole can be run as root without a password... let's do it and cat root's flag:
Outro
This was quite a fun box, with a few extra steps for an “easy” machine. It also shows that hackers can be hacked! ;)