HTB – Shocker

Here is Shocker. Fairly straightforward since the name literally tells you what the box is vulnerable to. Regardless a great box to reinforce some basic concepts such as enumeration, enumerating strange directories and learning more about what the heck /cgi-bin/ is and what it’s capable of.

In a nutshell we find two open ports, a web server and an SSH service running on an unusual port. When we visit the webpage we get a picture of something that doesn’t really help us. Through basic enumeration we find the /cgi-bin/ directory and enumerate that further. We find a script running on the host machine and exploit the machine because it is vulnerable to Shellshock (surprise). The privesc is simple enough, with a quick GTFO bins execute we are root.

As for the OSCP what did this box teach me:

  1. Don’t ignore /cgi-bin/
  2. Enumerate extensions
  3. Always check sudo -l

Let’s go!

Walkthrough

Shockers IP address is `10.10.10.56

A basic nmap scan returns:

nmap -sC -sV -Pn -oA nmap/initial 10.10.10.56

First step here was to visit that webserver to see if there was anything interesting there:

Not really…

So our next step was to enumerate the directories on the webserver and see if we get a clue as to what is going on.

I used gobuster for this with a command of:

gobuster dir -u http://10.10.10.56 0w /usr/share/seclists/Discovery/Web-Content/common.txt -z -e

I like the common.txt here because I find it keeps the noise to a minimum and the scans complete much quicker. In a test environment, I would use common.txt followed by something more robust such as a raft or directory-list-medium

Note the /cgi-bin/ directory, good idea to check this one further. Especially for shellshock.

And lucky us there is a /user.sh script running. When we visit the directory on the webserver we are asked to download the file. So I downloaded it and looked at the output. It seems to be a script that keeps track of the time a user spends logged in:

Because I am bit familiar with shellshock and knowing that it affects scripts in the /cgi-bin/ directory I use trusty old nmap to see if its vulnerable

Perfect! To google it is. I search for shellshock exploits and come across this nice little one liner.

I remove the cat /etc/passwd and put in my one liner reverse shell
Works on the first try! I get a callback from my listener but I am only a low-priv user. I check my permissions with sudo -l and see I can perl as root. A quick search on GTFOBins and a simple execute is all it takes to get root.

All in all, straightforward to the point. Helps reinforce some basic concepts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: