HTB - ScriptKiddie

NMAP

We will start with NMAP -

nmap -sC -sV -p- -oN full_nmap_tcp -v -Pn 10.10.10.226
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)

5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5

[...]

Enumeration

Since SSH is a hardened service with little attack surface, we will start with port 5000.

Port 5000

We see a Python web framework: Werkzeug/0.16.1 on Python/3.8.5.

Looking at the functionality, we can generate shells, run nmap scans and search for exploits via searchsploit. This looks like a web "frontend" for Metasploit framework tooling.

We also see that the web page accepts a template file when generating payloads.

A quick Google search for MSFVenom and template leads to CVE-2020-7384. Reference: https://www.exploit-db.com/exploits/49491

We can embed our own payload in the template, and when msfvenom processes the template to generate its payload, ours is executed.

Exploitation

Initial Foothold

Exploiting CVE-2020-7384

We will download the exploit code and enter the attacker IP and port at the prompt -

Install jarsigner if it is not already installed -

sudo apt-get install default-jdk

exploit.apk is generated and we start the netcat listener -

Upload the apk to the web app -

Once exploit.apk is uploaded, click Generate -

Reverse shell -

Stabilize the shell by inserting our SSH public key into /home/kid/.ssh/authorized_keys

SSH to the target as user kid with the SSH key -

Privilege Escalation

Exploiting intended functionality -

We see another user, pwn, on the system, and we can access their home directory. Browsing to /home/pwn/ we see the scanlosers.sh script.

Looking at the script, we see it reads /home/kid/logs/hackers, which is owned by our current user kid -

Let's dissect the scanlosers.sh script line by line and see if we can get a shell as user pwn --

Looking at permissions, we can read and write /home/kid/logs/hackers. This is the input we control.

The core of the scanlosers.sh script is the nmap command, which is run through sh. Since the targets come from the $log file we control, we can use shell metacharacters to append our own payload to that command line.

Also, looking at the cut command in the script, it keeps the text of each log line after the second space (fields 3 onwards).

So we can stuff our payload into the log file as -

echo -n "blah blah ;/home/kid/logs/rev.sh #" > hackers

Running the script's own extraction step over that file yields exactly our injected text:

cat $log | cut -d' ' -f3- | sort -u
;/home/kid/logs/rev.sh #

Finally, at the end of scanlosers.sh there is an if condition: if the line count of the log file is greater than 0, the script itself overwrites the file with nothing.

To get around this, we write the payload with "echo -n" so no trailing newline is inserted; wc -l then reports 0 lines and the file is left untouched.
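The following is an added example (not the box's scanlosers.sh and not part of the original writeup) that reproduces the script's extraction step on a constructed log and shows the check a hardened version of such a script should apply: validate each extracted field as an IPv4 address before it ever reaches sh or nmap. The log lines, function names and the `rev.sh` path in the sample are constructed for the demonstration; nmap itself is not invoked.

```shell
#!/bin/sh
# Added example: scanlosers.sh-style log parsing, with input validation.
# Not the target's script; file contents below are constructed.

# Constructed sample log: two ordinary lines and one line carrying
# shell metacharacters, written without a trailing newline (as echo -n would).
SAMPLE_LOG=$(printf '%s\n%s\n%s' \
  '2021-02-06 12:00:01 10.10.14.5' \
  '2021-02-06 12:00:02 10.10.14.5' \
  'blah blah ;/home/kid/logs/rev.sh #')

# Same extraction the script performs: keep fields 3 onwards, deduplicate.
extract_targets() {
  printf '%s\n' "$1" | cut -d' ' -f3- | sort -u
}

# Number of newline characters, which is what `wc -l` counts; a line written
# with echo -n contributes none, so a one-line file reports 0.
newline_count() {
  printf '%s' "$1" | wc -l | tr -d ' '
}

# Accept only a dotted-quad IPv4 address; spaces, ';' and '#' never match.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Hardened target list: print only entries that pass validation, one per line.
# A real script would pass each as a separate nmap argument, never via sh -c.
safe_targets() {
  extract_targets "$1" | while IFS= read -r t; do
    if is_ipv4 "$t"; then
      printf '%s\n' "$t"
    else
      printf 'rejected: %s\n' "$t" >&2
    fi
  done
}

# Convenience: how many validated targets remain.
count_safe_targets() {
  safe_targets "$1" 2>/dev/null | grep -c .
}

# Stand-alone run: shows the raw extraction beside the validated list.
if [ "${0##*/}" != "sh" ]; then
  echo "raw extraction:";  extract_targets "$SAMPLE_LOG"
  echo "newlines in log: $(newline_count "$SAMPLE_LOG")"
  echo "validated targets:"; safe_targets "$SAMPLE_LOG"
fi
```

The raw extraction returns both `10.10.14.5` and the metacharacter line, which is why feeding it straight into `sh -c "nmap ..."` is unsafe; the validated list keeps only the address.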

We get a shell as pwn -

Looking at the sudo -l output for pwn, we see they can run /opt/metasploit-framework-6.0.9/msfconsole via sudo without a password -

Proof
