🕵 HTB-Writeup : SCRIPTKIDDIE

Recon
The target runs a Werkzeug web server. Its main page exposes three tools:
- nmap
- msfvenom
- searchsploit
Vulnerability
The msfvenom tool exposed here can generate Windows, Unix and Android payloads.
I first used searchsploit and found some entries for Werkzeug.
That exploit needs access to the Werkzeug console page (the debugger console), which is not exposed on this box, so it cannot be used.
After some research, I found that the msfvenom tool is vulnerable to an APK template command injection, and an article explaining that vulnerability.
msfvenom is vulnerable to command injection when it is used to craft an APK file with the -x switch. That option makes msfvenom use an existing Android APK as a template for the payload it builds. The bug is that msfvenom reads the signing certificate's distinguished name out of the template and interpolates it, unescaped, into the keytool command line it runs to re-sign the new APK, so a template whose certificate subject contains shell metacharacters gets those characters executed as commands when somebody runs msfvenom -x on it.
The Metasploit module exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection crafts such a malicious Android payload template.
We can now have the web tool generate an APK file using our template. The injected command runs on the server and we get our first shell as kid, which gives us the user flag.
We can add our SSH public key to authorized_keys to get SSH access.
Path to the privesc
Local recon
I first ran a LinPEAS scan.
We find two potentially interesting pieces of information.
First, LinPEAS reports that the host may be vulnerable to CVE-2021-4034 and CVE-2021-3560. Both are polkit bugs (pkexec and polkitd respectively), not sudo bugs, even though the installed sudo is 1.8.31. Second, the user pwn has connected in the past from 10.10.14.7, and that IP is reachable.
In the /home/pwn directory we can see a script.
The script reads the text contained in /home/kid/logs/hackers and passes the IP from each line to an nmap command.
I confirmed that by injecting a touch command: the file was created.
Since we have write access to /home/kid/logs/hackers, we can inject arbitrary commands that will be executed with pwn's rights.
Exploiting vulnerabilities
Exploiting pwn script
The line we write into /home/kid/logs/hackers must respect three things:
- a ; before our command, to separate it from the nmap command it lands in
- a # after our command, to comment out the rest of the line and avoid errors
- two throwaway space-separated fields before the ;, because cut -d' ' -f3- drops the first two fields
So our line follows those three rules.
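The injection described above and the three rules for the injected line, as an added example that is not part of the writeup: the script body is reconstructed from the page's description (the real script on the box is not shown here), nmap is replaced by echo so it runs offline, and the sample log lines are constructed. It puts the vulnerable pattern next to a hardened version that validates the field as an IPv4 address and passes it as its own argument. The same bug class, unescaped interpolation into a shell command string, is what makes the msfvenom APK template injection work.

```shell
#!/bin/sh
# Added example (not from the writeup): reconstruction of the vulnerable
# pattern in pwn's log scanner, beside a hardened version.  The exact script
# on the box is not shown on the page; this one is assumed from the
# description (cut -d' ' -f3- on /home/kid/logs/hackers, then nmap).
# `echo` stands in for nmap so the example runs offline.

# Constructed sample log: one legitimate entry, one injected entry.
write_sample_log() {
    printf '%s\n' \
        '[2021-02-01 10:00:00] 10.10.14.7' \
        'a b ;echo INJECTED #' > "$1"
}

# VULNERABLE: fields 3.. of each line are interpolated, unquoted, into a
# string handed to `sh -c`.  The line `a b ;echo INJECTED #` becomes
#   sh -c "echo nmap ... -oN recon/;echo INJECTED #.nmap ;echo INJECTED #"
# the `;` terminates the nmap command and the `#` comments out the rest.
vuln_scan() {
    cut -d' ' -f3- "$1" | sort -u | while read -r ip; do
        sh -c "echo nmap --top-ports 10 -oN recon/${ip}.nmap ${ip}"
    done
}

# Accept only a dotted-quad IPv4 address: four decimal fields, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# HARDENED: take exactly one field, validate it, and pass it as a separate
# argument instead of through a shell string.  Anything else is rejected.
safe_scan() {
    cut -d' ' -f3 "$1" | sort -u | while read -r ip; do
        if is_ipv4 "$ip"; then
            echo nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip"
        else
            echo "rejected: $ip" >&2
        fi
    done
}

# Demo: run both scanners over the constructed log.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo '--- vulnerable ---'; vuln_scan "$log"
    echo '--- hardened ---';   safe_scan "$log"
    rm -f "$log"
}
demo
```

In the vulnerable scanner the injected line prints INJECTED; the hardened one rejects `;echo` and only ever builds a command for 10.10.14.7, with the address quoted as one argv element.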
And we now have a shell as pwn.
We can see that the user pwn can execute msfconsole as root without a password.
The msfconsole help menu shows an irb command that gives us a Ruby shell in the current (root) context.
From that shell we can call /bin/bash: https://gtfobins.github.io/gtfobins/irb/
Unfortunately we then have to upgrade our shell.
I tried adding my SSH key but I didn't have the access. Fortunately, a simple python3 -c 'import pty; pty.spawn("/bin/bash")'
solved the issue.
We can now exploit the sudo rule.
We can now retrieve the root flag.
Exploiting CVEs
I tried to exploit both CVEs flagged by LinPEAS.
The first vulnerability (CVE-2021-4034) is a local privilege escalation in polkit's pkexec utility. pkexec "allows an authorized user to execute PROGRAM as another user". According to the NSE description, "the current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands".
A user can manipulate the environment and send bad arguments to force pkexec to execute commands: when pkexec is invoked with an empty argument list (argc = 0), it reads past the end of argv and treats environment variables as its arguments, so a variable placed in the environment can be made to point at code that pkexec, running as root, ends up executing. This article explains the vulnerability in more detail.
I found an exploit on GitHub that reproduces those steps.
The exploit works! We get a root shell and can grab our flag! :)
Tags
Easy, Internal, Use Of Injection Attacks, Metasploit, Ruby, Penetration Tester Level 1, OS Command Injection, Access Control, Backdoor, Public Vulnerabilities, CVE Exploitation, Sudo Exploitation, Security Tools, Weak Permissions