ScriptKiddie — HackTheBox Writeup


This is a practical walkthrough of the “ScriptKiddie” machine from HackTheBox. Although this machine is marked as easy level, for me it was kinda intermediate level. Credit goes to 0xdf for making this machine available to us, and base points are 20 for this machine.

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.


We will kick off this machine with nmap enumeration.


Two ports are open: SSH, and HTTP on a custom port. Let’s visit the webpage.


The homepage consists of three distinct tools: Nmap, MsfVenom and SearchSploit.

nmap version

If we scan any IP (localhost), it scans the given IP and shows the result on screen. It also gave us the nmap version. It’s not vulnerable to anything.

Initially I also tried a command injection exploit on the nmap input section, but it didn’t work. I tried a couple of other things, but all in vain.


Then from searchsploit I checked “msfvenom” and it gave this result. MSF 6.0.11 is vulnerable: there is a command injection vulnerability in msfvenom when using a crafted APK file as an Android payload template. Read more here from JustinSteven.

There’s already an MSF exploit module available. Set it up with your own IP:Port.

A custom file is created with the payload; now move this file to another location and change the filename if you want.

Set up a netcat listener on Kali with the same port you used in MSF.

Netcat listener

Now we need to upload this file to the target server using its interface.

Upload APK

Select Android, give any IP, browse to and select the APK file, and then click on generate. In a minute you’d get a reverse shell on Kali.

user flag

So, if you are wondering how we’d get a reverse shell, there’s an explanation here. Please read it to understand.

Now that we have initial access, let’s move around and find ways to escalate privileges.

Another User

As you can see from the passwd file, there’s another user called “pwn” with ID “1001”; it’s a more privileged user than the “kid” user.

In the “pwn” home directory, there’s a script file.

script file

The script takes input from the hackers file of the kid user and runs a Dash (sh -c) command to run nmap on the IPs from the hackers file.

hackers file

We can modify/write to the hackers file. Let’s inject our own command to get a reverse shell. Make sure to set up a netcat listener before you execute the command below.

write to hackers file.

We are writing our own one-liner to the hackers file and commenting out the end to ignore the rest of the command. Make sure to put a double space before “;”.
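The weakness is that text from a file the kid user can write ends up inside an sh -c string run as another user. A hardened version of such a job, as an added example (not the machine's script and not the author's code); the log line format, the function names is_ipv4 and scan_log, and the sample lines are assumptions:

```shell
#!/bin/sh
# Added example (not the machine's script). Assumed log line format, constructed
# for this sketch: "[YYYY-MM-DD HH:MM:SS] <ip>".

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    rest="$1."; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# scan_log FILE CMD [ARGS...]: run CMD ARGS <ip> once per valid address in FILE.
scan_log() {
    log_file=$1; shift
    while IFS= read -r line; do
        field=${line#*"] "}            # text after the timestamp
        if is_ipv4 "$field"; then
            # The address is a single argv element; no shell re-parses it.
            "$@" "$field" </dev/null
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done < "$log_file"
}

# Constructed sample: two well-formed entries and one carrying shell syntax.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[2021-02-06 10:00:01] 10.10.14.5
[2021-02-06 10:00:02] 127.0.0.1
[2021-02-06 10:00:03] 127.0.0.1; echo injected #
EOF
# "echo scan" stands in for the scanner; a privileged job would pass
# e.g. nmap --top-ports 10 here instead.
scan_log "$sample" echo scan
rm -f "$sample"
```

The third sample line is rejected and logged to stderr instead of reaching any command line, which also gives a defender a record of tampering with the log file.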

pwn user

We got the reverse shell. Let’s find out whether there are any binaries this user can run with/without a password.

sudo binary

Jackpot, there’s the msfconsole binary, which we can run with sudo. As you already know, msfconsole is a centralized console, which means it can access the file system and run any commands from its own console.

access msfconsole

Once you are inside msfconsole, you can directly access root.txt or execute /bin/bash to get a shell.

root flag.

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.




Aniket Badami
