Script Kiddie — HackTheBox Write-up (L-E)
An easy machine that will practice your skills in using metasploit and creating reverse shells.
Initial Reconnaissance
Let’s see scan the machine using nmap to see open ports that we can work with.
Let’s check port 5000 first as it’s running a http service.
The page allows you to scan an IP using nmap, upload metasploit payloads, and search exploits using searchploit.
Searching about metasploit venom I found this
MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. msfvenom replaced both msfpayload and msfencode as of June 8th, 2015.
Since this the only part of the site that allows us to upload something, maybe we can use this to get us a reverse shell.
Let’s use the built in searchploit module on the page
So it turns msfvenom has a command injection vulnerability that we can probably exploit.
Payload Creation and Gaining Initial Access
Search for the msfvenom on Metasploit
Let’s use that. As you can see this is the default option for the particular exploit
I just changed the LHOST to my own IP and we’re good to go.
So Metasploit created an .apk payload. I’m going to setup up a listener on my end and upload the file on the webpage.
And we have successful connection! Now to make it more stable we’re going to spawn an interactive shell via python.
Now that we have a stable shell, we can start looking for the user flag.
Finding the User Flag
Let’s use find command to make our life easier
So it’s in the home directory
Further Exploration and Privilege Escalation
Looking around we’ll see that there are two users; kid and pwn
Checking out pwn, we will see an interesting file called scanlosers.sh that is owned by pwn.
So maybe we can use the hackers file to create a reverse shell as pwn
It worked! Now we’re connected as pwn. Let’s see what we can do with this user.
PS This shell cheat sheet will save you a ton of time
Turns out we can run metasploit as root
There we have our root flag!
