HackTheBox Writeup — ScriptKiddie
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on discord.
The IP of this box is 10.10.10.226
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.226
I got two open ports:
- Port 22 → Running OpenSSH 8.2p1
- Port 5000 → Running Werkzeug httpd 0.16.1
Web To User
Checking the web service on the uncommon port
A simple web page built in Python, offering three different tools
On the payloads section, it can be seen that it offers templates as an option, which is usually used for AV bypass. Searching on Google about it, I see that it has a recent vulnerability for APK templates.
Running the python exploit
Now supplying the APK to the web payload section for msfvenom
After generating the payload and looking back at my tcpdump, I got pinged back from the server. Code execution is confirmed, so now I will modify the python exploit to get a reverse shell.
I also used Metasploit to generate the RCE APK template payload.
Checking the netcat listener and getting a reverse shell successfully
Time to get the user flag and move on to privilege escalation
Privilege Escalation
Checking the other user’s home directory, that is the pwn user’s home directory, there is a bash script named scanlosers.sh. It can be seen that it runs a shell command which takes input from a text file and processes the third word taken from that text file.
So I tested this script locally on my machine to confirm, and I was successfully able to perform command injection.
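The root cause here is the classic one: a field read from a file that other users can write to ends up inside a string that a shell parses. The script below is an added example written for this writeup, not the box's own scanlosers.sh. It shows the weak pattern as a comment and the hardened way to handle the same "third word" field: read it with `read -r`, validate it strictly, and pass it to the tool as a single argument. The "<date> <time> <ip>" line layout, the sample lines, and the scan_tool/SCANNER names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; this is not the scanlosers.sh from the box. It shows how a
# script that pulls the third field of an untrusted text file and feeds it
# to a scanner should treat that field. The "<date> <time> <ip> ..." line
# layout and the scan_tool/SCANNER names are assumptions for illustration.

# Strict IPv4 check: exactly four dot-separated decimal octets, each 0-255.
# Only the character-class test ever sees raw data, so no glob or command
# expansion can happen on the value.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # safe: the value is now known to be digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ ${#oct} -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Weak pattern (what command injection abuses): the field is spliced into a
# string that a shell parses, so shell syntax written into the file runs:
#   sh -c "scan_tool $field"
#
# Hardened pattern: read with `read -r` (data is never re-parsed as code),
# validate the field, and emit only accepted values, one per line.
collect_targets() {
    while read -r _date _time ip _rest; do
        [ -n "$ip" ] || continue
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected field: %s\n' "$ip" >&2
        fi
    done < "$1"
}

# Hand the value to the scanner as one argv element, never via a shell
# string. SCANNER is a placeholder; it defaults to echo for this demo.
scan_one() {
    is_ipv4 "$1" || return 1
    ${SCANNER:-echo} "$1"
}

# Constructed sample input: a valid address, a field carrying shell syntax,
# and an out-of-range address. Only the first one is accepted.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '2021-02-01 10:00:00 10.0.0.5' \
        '2021-02-01 10:00:01 $(id)' \
        '2021-02-01 10:00:02 10.0.0.300' > "$tmp"
    collect_targets "$tmp" | while read -r target; do
        scan_one "$target"
    done
    rm -f "$tmp"
}

demo
```

The detection side follows from the same idea: a line in that file whose third field is not an address is itself a signal worth logging, which is what the `rejected field` message on stderr is for.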
So I tried the same thing on the remote machine in the same way and got a reverse shell. Now it can be seen that msfconsole can be run with sudo without a password.
Now I run msfconsole with sudo. Since Metasploit has the feature of executing system commands from its console, shell command execution as root is confirmed: I ran the id command and got its output.
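A sudo rule like this is effectively "ALL" under another name, because the program it grants can run arbitrary commands. The script below is an added example, not something from the writeup or from the box: it parses sudoers user specifications and flags any rule whose command is a shell-capable program, with or without NOPASSWD. The SHELL_CAPABLE list is an assumed starting point rather than a complete one, the sample rules are constructed, and /usr/bin/msfconsole is a placeholder path.

```sh
#!/bin/sh
# Added example, not part of the writeup: an audit check for sudoers rules
# that hand a user a program able to run arbitrary commands, which is what
# makes "NOPASSWD: msfconsole" equivalent to root. The SHELL_CAPABLE list is
# an assumed starting point, not a complete one; the sample rules below are
# constructed, and /usr/bin/msfconsole is a placeholder path.

SHELL_CAPABLE="msfconsole bash sh dash zsh python python2 python3 perl ruby vim vi less more find awk env"

# Parse one sudoers user specification
#   user host=(runas) [TAG:...] command [args][, command ...]
# and print "<tag> <command>" per command, where tag is NOPASSWD when that
# tag is present and PASSWD otherwise. Defaults and alias lines are skipped.
parse_sudoers_rule() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        !/=/ { next }                            # not a user specification
        {
            rhs = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*\([^)]*\)/, "", rhs)     # drop "(runas)"
            tag = "PASSWD"
            while (match(rhs, /^[ \t]*[A-Z]+:/)) {
                if (substr(rhs, RSTART, RLENGTH) ~ /NOPASSWD/) tag = "NOPASSWD"
                rhs = substr(rhs, RSTART + RLENGTH)
            }
            n = split(rhs, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^[ \t]+/, "", c)
                split(c, w, /[ \t]+/)            # first word is the command path
                if (w[1] != "") print tag, w[1]
            }
        }'
}

# Print "RISK <tag> <command>" for each command whose basename is a
# shell-capable program or the wildcard ALL; prints nothing for a clean rule.
audit_sudoers_rule() {
    parse_sudoers_rule "$1" | while read -r tag cmd; do
        base=${cmd##*/}
        for prog in ALL $SHELL_CAPABLE; do
            if [ "$base" = "$prog" ]; then
                printf 'RISK %s %s\n' "$tag" "$cmd"
                break
            fi
        done
    done
}

# Audit a whole sudoers file (or the output of sudo -l saved to a file).
audit_sudoers_file() {
    while read -r line; do
        audit_sudoers_rule "$line"
    done < "$1"
}

# Constructed sample rules: one narrow command, one console that executes
# system commands without a password, and one blanket ALL.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Defaults env_reset
ops  ALL=(root) /usr/sbin/service apache2 restart
pwn  ALL=(root) NOPASSWD: /usr/bin/msfconsole
%admin ALL=(ALL:ALL) ALL
EOF
    audit_sudoers_file "$tmp"
    rm -f "$tmp"
}

demo
```

Running the demo reports the msfconsole rule and the ALL rule and stays silent on the service restart, which is the distinction that matters when reviewing sudo grants: the fix is not a password prompt but removing the grant or replacing it with a wrapper that does exactly one thing.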
Now I try to get a reverse shell as root in the same way.
Time to get the root flag and finish the machine