🕵 HTB-Writeup : SCRIPTKIDDIE
We are facing a Werkzeug web server. On the main page we have access to 3 tools:
The msfvenom tool here can generate Windows, Unix and Android payloads.
I first use searchsploit and find some exploits for Werkzeug.
To be used, this exploit needs access to the Werkzeug debugger console page, which is not exposed on this box, so it can't be used.
After some research, I found that the msfvenom tool is vulnerable to an APK template command injection (CVE-2020-7384).
I found an article explaining that vulnerability.
The Metasploit Framework's msfvenom is vulnerable to command injection when it is used to craft an APK file with the -x switch. That option lets msfvenom take an existing Android APK as a template and rebuild it with the payload inside. While doing so, msfvenom reads the signing certificate of the template APK and interpolates its owner field, unquoted, into a keytool command run through the shell, so a template whose certificate name contains shell metacharacters executes arbitrary commands on the machine that runs msfvenom.
We can use the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection module to craft such an Android payload template.
We can now try to generate an APK file using our template.
We get our first shell as kid and can grab the user flag!
We can add our SSH key to authorized_keys to get SSH access.
Path to the privesc
I first run a LinPEAS scan.
We find two potentially interesting pieces of information.
First, LinPEAS reports the sudo version (1.8.31) and flags the box as potentially vulnerable to CVE-2021-4034 and CVE-2021-3560 (both are polkit/pkexec flaws rather than sudo flaws; see below). Second, we see that the user pwn has connected in the past from 10.10.14.7. That IP is reachable.
In the /home/pwn directory we can see a script:
The script reads the text contained in /home/kid/logs/hackers and passes the IP to an nmap command.
I confirmed that it runs on our input by injecting a touch command to create a file; it worked.
Since we have write access to /home/kid/logs/hackers, we can inject arbitrary commands that will be executed with pwn's privileges.
Exploiting pwn script
The text we put in /home/kid/logs/hackers must respect three constraints:
- ; at the start of our command, to separate it from the nmap command it gets appended to
- # after our command, to comment out the rest of the line and avoid errors
- two throw-away characters (two space-separated fields) before our command, because cut -d' ' -f3- strips them
So our command will be the following:
And we now have a shell as pwn:
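To see why those three constraints are needed, here is a local re-creation of the log-to-nmap pipeline the page describes (cut -d' ' -f3- feeding an unquoted value into sh -c), followed by a hardened version of the same loop. This is an added example, not the box's own script: every path, the stand-in nmap and the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the box's script): re-creates the log-driven scanner
# locally so the injection can be checked offline, then shows the fixed loop.
# Paths, the stand-in nmap and the log content are all constructed here.

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/hackers"      # plays the role of /home/kid/logs/hackers
RECON="$WORK/recon"
mkdir -p "$RECON"

# Stand-in for nmap so nothing is really scanned: it only records its arguments.
cat > "$WORK/nmap" <<EOF
#!/bin/sh
echo "\$*" >> "$WORK/scans.txt"
EOF
chmod +x "$WORK/nmap"
PATH="$WORK:$PATH"; export PATH

# Constructed log: one legitimate entry, then one shaped like the page's
# injection: two throw-away fields that cut -f3- discards, ';' to end nmap's
# argument list, '#' to comment out the rest of the string handed to sh -c.
write_log() {
    cat > "$LOG" <<EOF
2021-02-03 12:00:01 10.10.14.7
a b ;touch $WORK/pwned #
EOF
}

# Vulnerable loop: the unquoted ip is interpolated into a command string
# that sh -c parses a second time, so shell metacharacters in the log become code.
vulnerable_scan() {
    cut -d' ' -f3- "$LOG" | sort -u | while read -r ip; do
        sh -c "nmap --top-ports 10 -oN $RECON/${ip}.nmap ${ip} 2>&1 >/dev/null"
    done
}

# Hardened loop: accept only a dotted-quad IPv4 address, call nmap directly
# (no second shell parse) and keep the value quoted.
safe_scan() {
    cut -d' ' -f3- "$LOG" | sort -u | while read -r ip; do
        if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            nmap --top-ports 10 -oN "$RECON/$ip.nmap" "$ip" >/dev/null 2>&1
        else
            printf 'rejected log entry: %s\n' "$ip" >&2
        fi
    done
}

# Each demo returns 0 if the injected touch ran, 1 if it did not.
demo_vulnerable() { rm -f "$WORK/pwned"; write_log; vulnerable_scan; [ -e "$WORK/pwned" ]; }
demo_hardened()   { rm -f "$WORK/pwned"; write_log; safe_scan;       [ -e "$WORK/pwned" ]; }

if demo_vulnerable; then echo "vulnerable loop: injected command executed as the script's user"; fi
if ! demo_hardened; then echo "hardened loop: injected entry rejected, only 10.10.14.7 scanned"; fi
```

The fix that matters is dropping sh -c: once nmap is invoked directly with a quoted argument, a log line can at worst become a bad hostname, and the allow-list on the value keeps even that out of the recon directory name.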
We can see that the user pwn can execute msfconsole as root without a password:
The msfconsole help menu shows that we can open a Ruby shell (irb) in the current context:
From that shell we can spawn /bin/bash: https://gtfobins.github.io/gtfobins/irb/
Unfortunately, we have to upgrade our shell:
I tried adding my SSH key but I didn't have access. Fortunately, a simple python3 -c 'import pty; pty.spawn("/bin/bash")' solved the issue.
We can now exploit the sudo rule:
We can now retrieve the root flag.
I tried to exploit both CVEs found from
The first vulnerability (CVE-2021-4034, "PwnKit") is a local privilege escalation in polkit's pkexec utility.
pkexec "allows an authorized user to execute PROGRAM as another user". According to the NVD description, "the current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands".
Concretely, if pkexec is started with an empty argument list (argc = 0, which execve() allows), its argument parsing reads past argv into the environment: the first environment variable is taken as the program name, looked up in PATH, and the resolved path is written back into that same environment slot. An attacker uses this out-of-bounds write to reintroduce an environment variable that pkexec would otherwise have scrubbed (GCONV_PATH in the public exploits) and gets a malicious shared library loaded while pkexec runs as root. This article explains the vulnerability in more detail.
I found an exploit on GitHub that reproduces those steps.
The exploit works! We get a root shell and can grab our flag! :)
Easy, Internal, Use Of Injection Attacks, Metasploit, Ruby, Penetration Tester Level 1, OS Command Injection, Access Control, Backdoor, Public Vulnerabilities, CVE Exploitation, Sudo Exploitation, Security Tools, Weak Permissions