HTB - ScriptKiddie
Initial recon tells us the box is running Linux, and that’s about it!
During the enum phase we discover an SSH service and a Python webserver on port 5000. This also confirms we are facing a Linux box.
Manually browsing to the website, we find that there are 3 tools, one of which is msfvenom. After a few tries with gobuster, we couldn't find anything interesting.
However, a quick search suggests that msfvenom might be vulnerable.
Let’s test our theory and see if we can get a shell.
Getting Initial Shell
In order to do so, we will fire up Metasploit and generate a payload (we could also download a payload and slightly modify it).
We then upload the payload as an Android template and, before submitting it, let's not forget to start a listener like so: nc -nlvp 9001 (or your usual port). Now let's submit the request, and you should get a shell back as user kid. From here, I like to generate an SSH key and add it to .ssh/authorized_keys for easier access.
Once this is done, I have a proper shell and a way to come back easily.
Now that we are the kid user, we notice that there is also a pwn user that is running a script periodically. Even more interestingly, it uses a file owned by kid as input.
The script in question is located at /home/pwn/scanlosers.sh and looks like below:
After a quick look at the script, we notice that it reads the file /home/kid/logs/hackers, takes the third field of each line, and runs an nmap scan against that field.
Now we can trick this script into running a custom command after the
After some trial and error, I arrived at the following line of code:
echo "1 2 127.0.0.1';/home/kid/nc.sh;date" > /home/kid/logs/hackers
Don't forget to run a listener on port 9001 in order to grab the reverse shell. I would have wanted to do the "ssh trick" for easier access, but .ssh/authorized_keys is owned by root… So I'll have to make do with the temporary shell as
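For contrast, here is a hardened stand-in for scanlosers.sh, added to this write-up rather than taken from the box: it reconstructs the behaviour described above (read /home/kid/logs/hackers, take the third field of each line, scan it with nmap) but validates that field as an IPv4 address and hands it to nmap as a single argument instead of through a shell string, so the injection line above is logged and dropped rather than executed. The nmap flags, the output directory and the helper names are assumptions.

```shell
#!/bin/sh
# Hardened stand-in for scanlosers.sh (added example, not the box's own script): same
# behaviour as the write-up describes (third field of each log line -> nmap), but the
# field must be a valid IPv4 address and is passed to nmap as one argument, never via
# a shell string, so "127.0.0.1';/home/kid/nc.sh;date" is rejected instead of run.

# is_ipv4 ADDR: succeed only if ADDR is exactly four dot-separated octets in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# safe_targets LOGFILE: print the third field of each line only if it is a valid
# IPv4 address; anything else is reported on stderr and dropped.
safe_targets() {
    while IFS=' ' read -r _f1 _f2 target _rest; do
        if is_ipv4 "$target"; then
            printf '%s\n' "$target"
        else
            printf 'scanlosers: rejected target %s\n' "$target" >&2
        fi
    done < "$1"
}

# scan_targets LOGFILE OUTDIR: run nmap per validated target (flags are assumed).
# With DRY_RUN=1 the command is printed instead of executed.
scan_targets() {
    safe_targets "$1" | while read -r target; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'nmap --top-ports 10 -oN %s/%s.nmap %s\n' "$2" "$target" "$target"
        else
            nmap --top-ports 10 -oN "$2/$target.nmap" "$target" >/dev/null 2>&1
        fi
    done
}

# Demo on a constructed log that contains the write-up's injection line.
sample=$(mktemp)
printf '%s\n' '1 2 10.10.14.5' "1 2 127.0.0.1';/home/kid/nc.sh;date" 'x y 300.1.1.1' > "$sample"
DRY_RUN=1; scan_targets "$sample" /home/pwn/recon   # only 10.10.14.5 is scanned
rm -f "$sample"
```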
Now that we are pwn, let's start with a simple sudo -l:
msfconsole can be run as root without a password… Let's do it and cat the
This was quite a fun box, with a few extra steps for an “easy” machine. It also shows that hackers can be hacked! ;)