Script Kiddie — HackTheBox Write-up (L-E)

05-10 Archivist
4 min read · Mar 26, 2021


An easy machine that exercises your skills in using Metasploit and creating reverse shells.

Initial Reconnaissance

Let’s scan the machine using nmap to see which open ports we can work with.

Let’s check port 5000 first, as it’s running an HTTP service.

The page allows you to scan an IP using nmap, upload Metasploit payloads, and search for exploits using searchsploit.

Searching for msfvenom, I found this:

MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. msfvenom replaced both msfpayload and msfencode as of June 8th, 2015.

Since this is the only part of the site that lets us upload something, maybe we can use it to get a reverse shell.

Let’s use the built-in searchsploit module on the page.

So it turns out msfvenom has a command injection vulnerability that we can probably exploit.

Payload Creation and Gaining Initial Access

Search for the msfvenom exploit in Metasploit.

Let’s use that. As you can see, these are the default options for this particular exploit.

I just changed the LHOST to my own IP and we’re good to go.

So Metasploit created an .apk payload. I’m going to set up a listener on my end and upload the file on the webpage.

And we have a successful connection! To make it more stable, we’re going to spawn an interactive shell via Python.

Now that we have a stable shell, we can start looking for the user flag.

Finding the User Flag

Let’s use the find command to make our life easier.

So it’s in the home directory.

Further Exploration and Privilege Escalation

Looking around, we’ll see that there are two users: kid and pwn.

Checking out pwn, we will see an interesting file called scanlosers.sh that is owned by pwn.

So maybe we can use the hackers file to create a reverse shell as pwn.

It worked! Now we’re connected as pwn. Let’s see what we can do with this user.

PS: This shell cheat sheet will save you a ton of time.

It turns out we can run Metasploit as root.

There we have our root flag!
