HackTheBox Writeup — ScriptKiddie

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.10.226

Port Scan / Enumeration

I got two open Ports:

  • Port 22 → Running OpenSSH 8.2p1
  • Port 5000 → Running Werkzeug httpd 0.16.1

Web To User

Checking the Web on the uncommon port

A simple webpage created on python having three different tools

On the payloads section, it can be seen that it uses templates as an option which is usually used for AV Bypass, searching on Google about it , I see that it has a recent vulnerability for APK Templates

Running the python exploit

Now using the APK on the web payload section for msfvenom

After generating the payload and looking back on my tcpdump

I got pinged back from the server, so now will modify the python exploit to get reverse shell as code execution is confirmed

Used metasploit too to generated RCE apk template payload

Checking netcat listener and getting reverse shell successfully

Time to get the user flag and move towards the privilege escalation

Privilege Escalation

Checking the other user’s home directory, that is pwn user’s home directory, there is a bash script named scanlosers.sh , it can be seen that it runs a shell command which takes a input from a text file and then processes it from the third word from that text file

So I tested this script locally on my machine to confirm and I successfully was able to perform command injection

So I try the same thing on the remote machine using the same way and got reverse shell and now it can be seen that msfconsole can be run as sudo with no password

Now I will run msfconsole with sudo and since metasploit has the feature of executing system command from its console , so it can be confirmed that I have shell command execution as root as I ran the id command and got the output

Now I try to get reverse shell as root using the same way

Time to get the root flag and finish the machine

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store