ScriptKiddie — HackTheBox Writeup


This is a practical walkthrough of the “ScriptKiddie” machine from HackTheBox. Although the machine is rated easy, for me it was closer to intermediate. Credit goes to 0xdf for making this machine available to us; it is worth 20 base points.

Passwords, hashes and flags are redacted to encourage you to solve the challenge on your own.

Enumeration

We will kick off this machine with an nmap scan.

Nmap

Two ports are open: SSH, and HTTP on a custom port. Let’s visit the webpage.

homepage

The homepage consists of three distinct tools: Nmap, MsfVenom and SearchSploit.

nmap version

If we scan any IP (localhost, for example), it scans the given IP and prints the result on screen. It also revealed the nmap version, which is not vulnerable to anything.

Initially I also tried a command injection on the nmap input field, but it didn’t work. I tried a couple of other things, but all in vain.

searchsploit

Then I checked “msfvenom” in searchsploit, which gave this result. MSF 6.0.11 is vulnerable: there is a command injection vulnerability in msfvenom when a crafted APK file is used as an Android payload template. Read more about it here from JustinSteven.

There’s already an msf exploit module available for it. Set it up with your own IP and port.

A custom APK file is created with the payload; move this file to another location and rename it if you want.

Set up a netcat listener on Kali on the same port you used in MSF.

Netcat listener

Now we need to upload this file to the target server through its web interface.

Upload APK

Select Android, enter any IP, browse to and select the APK file, then click Generate. Within a minute you’d get a reverse shell on Kali.

user flag

If you are wondering how this gives us a reverse shell, there’s an explanation here. Please read it to understand the mechanism.

Now that we have initial access, let’s look around and find ways to escalate privileges.

Another User

As you can see from the passwd file, there’s another user called “pwn” with ID 1001; it is more privileged than the “kid” user.

In the “pwn” home directory, there’s a script file.

script file

The script takes its input from the hackers file, which is written by the kid user, and runs a Dash (sh -c) command that launches nmap against the IPs listed in that file.

hackers file

We can write to the hackers file. Let’s inject our own command to get a reverse shell. Make sure to set up a netcat listener before you execute the command below.

write to hackers file.

We write the hackers file with our own one-liner and comment out the rest of the command so it is ignored. Make sure to put a double space before “;”.
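The root cause here is a log-driven scanner that splices an attacker-controlled field into a string handed to `sh -c`. Below is an added, constructed illustration (not the machine's actual script) showing that unsafe pattern beside a hardened version that takes exactly one field, validates it as a dotted-quad IPv4 address and invokes the scanner with a fixed argv. The log format, the field position and the `SCANNER` variable are assumptions made for the demo.

```shell
#!/bin/sh
# Added illustration, not the machine's real script. Assumed (constructed) log
# format: "<date> <time> <ip> ..." per line, with the third field attacker-controlled.

SCANNER="${SCANNER:-nmap}"   # command to invoke; set to "echo" for a dry run

# UNSAFE pattern: the field is spliced into a string that sh -c re-parses,
# so a value carrying shell metacharacters becomes extra commands.
scan_unsafe() {
    sh -c "$SCANNER --top-ports 10 $1"
}

# Hardened check: accept only a dotted quad with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Hardened runner: validate, then run the scanner with a fixed argv and no
# intermediate shell, so the value can only ever be an argument.
scan_safe() {
    is_ipv4 "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    "$SCANNER" --top-ports 10 "$1"
}

# Read the log on stdin: take exactly one field, de-duplicate, scan each valid entry.
process_log() {
    cut -d' ' -f3 | sort -u | while IFS= read -r ip; do
        scan_safe "$ip" || true
    done
}

# Stand-alone demo on constructed log lines; echo stands in for the scanner.
demo() {
    printf '%s\n' \
        '2021-02-01 10:00:01 10.10.14.5' \
        '2021-02-01 10:00:02 10.10.14.5;id' \
        '2021-02-01 10:00:03 999.1.1.1' \
    | (SCANNER=echo; process_log)
}

demo
```

Run it as-is to see the valid entry passed through as a single argument and the two tampered entries rejected on stderr.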

pwn user

We got a reverse shell. Let’s check whether there are any binaries this user can run with sudo, with or without a password.

sudo binary

Jackpot: there’s the msfconsole binary, which we can run with sudo. As you already know, msfconsole is a centralized console, which means it can access the file system and run arbitrary commands from within its own console.

access msfconsole

Once you are inside msfconsole, you can read root.txt directly, or execute /bin/bash to get a root shell.

root flag.

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.