Let’s Begin with our Initial Nmap Scan.
# Nmap 7.91 scan initiated Sun Feb 7 02:57:57 2021 as: nmap -sC -sV -oN scriptkiddie.nmap 10.129.97.20
Nmap scan report for 10.129.97.20
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 7 02:58:42 2021 -- 1 IP address (1 host up) scanned in 45.03 seconds
SSH is running on port 22 and a Python web server on port 5000.
I started with the web service on port 5000. Browsing to it reveals that the page wraps a few hacker tools: nmap, metasploit and searchsploit.
Scanning localhost of the ScriptKiddie machine gives:
I started fuzzing the nmap input field to check for a command injection vulnerability, but it returns "invalid ip", so I tried different techniques:
127.0.0.1 && whoami
127.0.0.1 | whoami
But the input field is sanitized, so our command didn't execute :(
So I moved to the next input field, searchsploit.
This time I started fuzzing the searchsploit input field to check for command injection, but he is a clever skid: the searchsploit input is also sanitized and gives the message "stop hacking me".
dirty cow; whoami
dirty cow `whoami`
dirty cow $(whoami)
dirty cow & whoami
dirty cow && whoami
dirty cow | whoami
Only Metasploit remains, and the machine is rated as CVE.
So I searched for any exploit for Metasploit and luckily we have one: msfvenom APK template command injection.
So I mirrored the exploit; examining it reveals that Metasploit version 6.0.11 is vulnerable to CVE-2020-7384.
This exploit creates an evil.apk file. If we ask the site to bind a Metasploit payload to our evil.apk, boom, the vulnerability triggers and we get code execution. Let's try it out: I changed the payload field in the exploit so that it will try to curl my machine on port 80.
I started a Python web server on port 80.
Running the exploit with python3 generates our evil.apk in /tmp/gibberish/evil.apk. Note: each time the exploit runs it creates a new (gibberish) directory in /tmp.
Now upload the malicious APK and hit generate.
We get a request for the test page on our web server, so Metasploit is vulnerable.
The reverse shell I used, hosted with the Python web server:
I also modified the exploit: instead of curling the test page, I curl the reverse shell we created and pipe it to
w00tw00t, we got a shell as the kid user.
Here we see the Python web server is built with Flask, in app.py. Taking a look at the source code reveals that it uses a regex to sanitize non-alphanumeric characters.
There is also a searchsploit function: if we write some non-alphanumeric characters, it doesn't execute them and instead writes a log entry to /home/kid/logs/hackers.
The file is empty, so I assumed a cron job is running. I created an endless loop that cats the log file, so if app.py writes something to the log we can view it before the cron job executes.
Write some non-alphanumeric characters in the searchsploit input.
We can see the log: it has the attacker IP address with date and time.
I started looking for other users; there are 3 in total: root, kid and pwn.
Navigating to /home/pwn/ reveals a script scanlosers.sh owned by the user pwn. This script simply reads the log file we found previously, separates the IP address from the log line and runs nmap against us.
We can notice the input isn't sanitized, so we can try command injection. The payload I used:
The scanlosers.sh script cuts away the first 2 fields (delimiters), so in my payload I added 1 and 2 (we can put anything there, it doesn't matter), then a semicolon to end the command, then our actual payload, which curls a test page on our machine like we did for the initial shell, and finally # to comment out the rest of what the script executes. It curls the test page from us.
So I use the same reverse shell: instead of the test page I curl the reverse shell and redirect it to bash.
Got the pwn user shell 😄
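The root cause in scanlosers.sh is that everything after the first two fields of a log line is dropped straight into a shell command string. As an added example (not the box's script, and not the author's code), here is the log-to-scan step written the way a defender would: the third field is taken on its own, accepted only if it is a syntactically valid IPv4 address, and handed to the scanner as a separate argument rather than interpolated into a command string. The log line layout ("<date> <time> <ip> ...") and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Hardened log-to-scan pipeline (added example, not scanlosers.sh itself).
# Assumed log line format (constructed): "<date> <time> <ip> ..." so the IP
# is the third space-separated field, matching the page's "cut first 2 fields".

# Take only the third field of a log line and accept it only if it is a
# dotted-quad IPv4 address. Prints the IP and returns 0, or prints nothing
# and returns 1. A field carrying ';', '$(', backticks, '#' or spaces can
# never match the anchored pattern, so injected text is rejected outright.
extract_ip() {
    candidate=$(printf '%s\n' "$1" | cut -d' ' -f3)
    if printf '%s\n' "$candidate" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
    then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# The scanner receives the IP as one argv element: no "sh -c" and no string
# interpolation, so the shell never re-parses the value from the log.
scan_with_nmap() {
    nmap --top-ports 10 -oN "recon/$1.nmap" -- "$1" >/dev/null 2>&1
}

# Walk a log file; valid IPs go to the scanner (default: scan_with_nmap),
# rejected lines are reported on stderr so a monitor can alert on them.
process_log() {
    logfile=$1
    scanner=${2:-scan_with_nmap}
    while IFS= read -r line || [ -n "$line" ]; do
        if ip=$(extract_ip "$line"); then
            "$scanner" "$ip"
        else
            printf 'REJECTED: %s\n' "$line" >&2
        fi
    done < "$logfile"
}
```

Pass a different function name as the second argument of process_log to dry-run the pipeline without nmap installed.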
sudo -l shows we can run msfconsole as root without a password, so most of you have guessed it.
Running Metasploit with sudo and then executing /bin/bash spawns a root shell.
For any queries, contact me on Twitter: https://twitter.com/0xAnnLynn