ScriptKiddie — HackTheBox Writeup
This is a practical Walkthrough of “ScriptKiddie” machine from HackTheBox. Although this machine is marked as easy level, but for me it was kinda intermediate level. Credit goes to 0xdf for making this machine available to us and base points are 20 for this machine.
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
Enumeration
We will kick off this machine with nmap enumeration.
Two ports are open, SSH and HTTP on custom port. Let’s visit the webpage.
Homepage consist of three distinctive tools, Nmap, MsfVenon and SearchSploit.
If we scan any IP (localhost) it scans the given IP and gives you result on screen. It also gave us nmap version. It’s not vulnerable to anything.
Initially I also tried command injection exploit on nmap input section, but it didn’t work. I tired couple aother things but all in vain.
Then from searchsploit I checked “msfvenom” and gave this result. MSF 6.0.11 is vulnerable, there is a command injection vulnerability in msfvenom when using a crafted APK file as an Android payload template. Read more here from JustinSteven.
There’s already msf exploit module available. Set it up with respective IP:Port of yours.
Custom file is created with payload, now move this file to another location and change filename if you want.
Setup a netcat listener on kali with same port which you used in MSF.
Now we need to upload this file to target server using it’s interface.
Select Android, give any IP, browse to and select the APK file and then click on generate. In a minute you’d get a reverse shell on kali.
So, If you are wondering how we’d get a reverse shell then there’s an explanation here. Please read to understand.
Now we got initial access, let’s move around and find ways to escalate privileges.
As you can see from passwd file, there’s another user called “pwd” with “1001” ID, it’s privileged user than “kid” user.
In “pwn” home directory, there’s a script file.
The script is taking input from hackers file from kid user and running a Dash (sh -c) command to run nmap on IPs from hackers file.
We can modify/write to hackers file. Let’s inject our own command to get a reverse shell. Make sure to setup a netcat listener before you execute below command.
We are a writing hackers file with our own one-liner and commenting out at end to ignore the rest of the command. Make sure to give double space before “;”.
We got the reverse shell. Let’s find there are any binaries for this user to run with/without password.
Jackpot, there’s msfconsle binary which we can run with sudo. As you already know msfconsole is a centralized console, that means it can access file system and can run any commands from its own console.
Once you are inside msfconsole, you can directly access the root.txt or you execute /bin/bash to get the shell.
We got all the flags required to complete this machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
