Hack The Box – SkriptKiddie Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a vulnerability in MSFVenom to gain remote code execution, a misconfigured Bash script to escalate to the "pwn" user, and a Sudo rule to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has found port 22 (SSH) and 5000 (HTTP) as open. The next step will be to start enumerating HTTP.

Enumerating HTTP

The following page is displayed when accessing the web server through a browser:

The web application allows the user to execute Nmap, MSFVenom and SearchSploit through the graphical interface.

It looks like the Nmap tool will only accept a valid IP address; to be able to execute code remotely, extra flags would be required:

The sploits functionality won't accept any special characters, so this cannot be exploited by terminating the command and performing command injection:

Doing some research about MSFVenom command injection:

It looks like MSFVenom is affected by a vulnerability that allows attackers to craft a malicious APK file and provide it as a template: when MSFVenom compiles the payload, any code contained in the APK file is executed during compilation:

More information about the issue can be found here:

Exploiting MSFVenom

Copying the script to the Kali local host and changing the payload used in the exploit to download and execute a reverse shell:

Generating the malicious APK file through the exploit and copying it to the current working directory:

The next step is to generate some shellcode using MSFVenom with the following flags:

  • -p to specify the payload type, in this case, the Linux TCP Reverse Shell
  • LHOST to specify the local host IP address to connect back to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell, in this case, elf

This will be downloaded and executed thanks to the MSFVenom vulnerability.

Starting a Python simple HTTP server to host the shell:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Sending the request by selecting Android as the operating system, entering the Kali local host IP address and attaching the evil APK template generated earlier:

The web application returned a “Something went wrong” message:

Nonetheless, a callback was received on the Netcat listener, granting a reverse shell:

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running stty raw -echo on the local host
  • Typing fg and hitting ENTER to go back to the reverse shell

Privilege Escalation

When enumerating common files and folders, a scanlosers.sh Bash script was found in the "pwn" user's home directory:

Reviewing the script and adding comments to better understand what it does:

#!/bin/bash
# set the log variable to the hackers file in /home/kid/logs/
log=/home/kid/logs/hackers
# move to the home directory of the pwn user
cd /home/pwn/
# read the hackers file, split each line on spaces and take everything from the third field onwards
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    # use each value as an Nmap target and save the results in /home/pwn/recon/[ip].nmap
    # (the value is interpolated into a string that is then run by sh -c)
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
# if the /home/kid/logs/hackers file has more than 0 lines, empty it
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

This script is probably being executed in the background, although the current level of access does not allow this to be verified.

Since cut takes everything from the third space-separated field onwards, a line that starts with two spaces has all of its remaining content treated as the third field, which is then passed to Nmap as the target. A semicolon can then be used to terminate the Nmap command and inject arbitrary commands. The payload should look as follows:

echo "  ;[Command to execute]" > hackers
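For comparison, here is how the same log-to-Nmap logic could be written so that this injection is not possible. This is an added example, not the script from the box: candidates are validated as plain IPv4 addresses, the target reaches nmap as a separate argument instead of inside an "sh -c" string, and rejected entries are quarantined for review. The log lines in write_sample_log are constructed for the demo and are not the box's real log format.

```shell
# Hardened rewrite of the scanlosers.sh logic (added example, not the box's own
# script): candidates are validated as plain IPv4 addresses, the target reaches
# nmap as an argument instead of inside an "sh -c" string, and rejected
# entries are quarantined for review rather than silently discarded.

# Return 0 if $1 is a dotted quad with four octets in the range 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unique validated targets from a hackers-style log ($1), using the
# original "third field onwards" extraction; every other candidate is appended
# to the quarantine file ($2) so the attempt is visible to a reviewer.
safe_targets() {
    cut -d' ' -f3- < "$1" | sort -u | while read -r candidate; do
        [ -n "$candidate" ] || continue
        if valid_ipv4 "$candidate"; then printf '%s\n' "$candidate"
        else printf '%s\n' "$candidate" >> "$2"; fi
    done
}

# Scan one validated target; as an argv element the IP is never re-parsed by
# a shell, so a ';' in the log cannot append a command.
scan_target() {
    valid_ipv4 "$1" || return 1
    nmap --top-ports 10 -oN "recon/$1.nmap" "$1" >/dev/null 2>&1
}

# Constructed sample log (not captured from the box): duplicates, an
# out-of-range address and an injection-style entry like the one above.
write_sample_log() {
    printf '%s\n' '2021-02-03 10:00:01 10.10.14.5' '2021-02-03 10:00:02 10.10.14.5' \
        '2021-02-03 10:00:03  ;id' '2021-02-03 10:00:04 999.1.1.1' \
        '2021-02-03 10:00:05 10.10.14.6' > "$1"
}
# Stand-alone demo: filter the sample log and show both lists (nothing is scanned).
demo() {
    dir=$(mktemp -d) && write_sample_log "$dir/hackers" && : > "$dir/rejected"
    echo "accepted:"; safe_targets "$dir/hackers" "$dir/rejected"
    echo "quarantined:"; cat "$dir/rejected"; rm -rf "$dir"
}
demo
```

Running it prints the two accepted addresses and quarantines both the ";id" entry and the out-of-range 999.1.1.1 line.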

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

After adding a new line to the hackers file to execute the shell created earlier, a reverse shell was received as the pwn user:

Pwn User

Obtaining an interactive shell:

When running sudo -l, it appears the pwn user can execute MSFConsole as root:

Since MSFConsole effectively provides a shell, allowing commands and binaries to be executed, this can easily be exploited by running the same reverse shell used earlier.

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Obtaining a shell by running the payload created earlier:

This has finally granted a shell as the root user on the box.

Conclusion

This was a really peculiar machine, as it was the first time for me exploiting MSFVenom and MSFConsole to get a shell. It was really interesting to see how these tools can often be used in unintended ways to compromise machines.