Hackthebox — ScriptKiddie Walkthrough

Atalay Samet Ergen
Jun 5, 2021

First things first: we scan the machine with nmap to find which ports are open and which services are running on those ports.

  • -sC: to run default nmap scripts
  • -sV: to detect service versions

We get back the following result showing that two ports are open.

  • Port 22 is for SSH service
  • Port 5000 is for HTTP service

We visit the HTTP service in the browser.

After spending some time on attacks such as command injection and remote and local file inclusion, nothing seems to work.

In the payloads section, we have the option of uploading a template file to create a payload. We need to search the internet using the “template file” and “linux - windows - android (most suspicious one)” keywords.

We find the exploit called “APK Template Command Injection”.

Here we make a malicious file by using this exploit to get a reverse shell.

We set the listening IP and port.

Once we set up and run, the malicious file is created on the specified path.

Set up a netcat listener to receive the reverse shell.

Everything is ready. We click “generate”.

Perfect! We get a reverse shell.

Let’s first upgrade the shell to a full interactive shell.

Perfect! We successfully get the user.txt file.

While enumerating the box, we see that we have the right to modify authorized_keys. That means we can SSH into the box.

Let’s do it!

Time to escalate our privileges.

We find a script in pwn’s home directory and see that it runs nmap against a file called hackers.

We modify the hackers file, adding a reverse shell command. The trailing “#” comments out the rest of the line, so nothing after the reverse shell bash command is executed.

Perfect! We get the reverse shell as user pwn.
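
The root cause of this step is that text from the hackers file reaches a shell unvalidated. The sketch below is an added example, not the box's script or code from the original write-up: it shows how such a script can validate each entry and call nmap without a shell. The log format, the nmap options, the recon/ output path and all function names are assumptions.

```python
import ipaddress
import subprocess

# Assumed scan options and output path; the page does not show the script.
NMAP_BASE = ["nmap", "--top-ports", "10"]

# Constructed sample of the hackers file; assumed format "[timestamp] address".
SAMPLE_LINES = [
    "[2021-06-05 10:00:01] 10.10.14.5",
    "[2021-06-05 10:00:07] 10.10.14.5",
    "[2021-06-05 10:01:12] 10.10.14.9 ;id #",
    "[2021-06-05 10:02:30] fe80::1%;id",
    "[2021-06-05 10:03:44] 2001:db8::7",
]

def parse_address(line):
    """Return a validated address object for one log line, or None."""
    _, sep, field = line.rstrip("\n").partition("] ")
    if not sep:
        return None
    try:
        addr = ipaddress.ip_address(field)  # the whole field must parse
    except ValueError:
        return None
    # IPv6 zone IDs ("%...") are free-form text in Python 3.9+, so refuse them.
    if getattr(addr, "scope_id", None):
        return None
    return addr

def build_scan_commands(lines):
    """Return (argv lists for accepted addresses, rejected lines)."""
    commands, rejected, seen = [], [], set()
    for line in lines:
        addr = parse_address(line)
        if addr is None:
            rejected.append(line)
        elif addr not in seen:
            seen.add(addr)
            family = ["-6"] if addr.version == 6 else []
            out = f"recon/{addr}.nmap"
            commands.append(NMAP_BASE + family + ["-oN", out, str(addr)])
    return commands, rejected

def run_scans(lines):
    """Run each scan without a shell; the address is a single argv element."""
    commands, rejected = build_scan_commands(lines)
    for argv in commands:
        subprocess.run(argv, check=False, stdout=subprocess.DEVNULL)
    return rejected
```

Rejected lines are worth logging and alerting on, since a non-address entry in this file is itself a sign of tampering.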

Let’s check what user pwn can run as root.

User pwn can run msfconsole as root without a password.

We run the following command.

Finally, we are root!

We successfully grab the root flag.

Thank you for your time.

Originally published at http://atalaysblog.wordpress.com on June 5, 2021.
