Hack The Box: Shocker Write-up (#3)

Let’s get started.

Reconnaissance

nmap -sC -sV -O -oA nmap/basic 10.10.10.56
  • -sC: Run the default nmap script set
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats

We got the following results:

  • Port 80: Running Apache httpd 2.4.18 (Ubuntu)
  • Port 2222: Running OpenSSH 7.2p2 4ubuntu2.2
[Screenshot: Quick nmap scan result]

Next, run a full nmap scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.56
  • -p-: Scan all ports from 1–65535

We got the same result as the quick scan.

[Screenshot: Full nmap scan result]

Similarly, we run the UDP nmap scan.

nmap -sU -O -p- -oA nmap/udp 10.10.10.56

While this scan was running in the background I got root on this machine, so there is no UDP scan result in this post.

Service Enumeration

Port 80 Apache httpd 2.4.18 (Ubuntu)

[Screenshot: Default web page]
[Screenshot: View Source page]

Just an image! Nothing of interest in the page source and no hidden comments. Let’s run gobuster to enumerate hidden directories.

gobuster dir -u http://10.10.10.56/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f
  • -u: Target URL
  • -t: Number of concurrent threads (default 10)
  • -w: Custom wordlist
  • -f: Append / to each request

We got the following result.

[Screenshot: Gobuster scan result]

The /cgi-bin/ directory looks promising. A Google search for “apache cgi-bin exploit” returns a lot of “exploit shellshock” hits, which suggests this box is built around Shellshock exploitation.

[Screenshot: Google search result]

Let’s enumerate /cgi-bin/ directory for files with extensions.

gobuster dir -u http://10.10.10.56/cgi-bin/ -t 20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .py,.sh
  • -x: File extensions
[Screenshot: Gobuster scan result]

We discovered a user.sh file. Requesting user.sh prompts a file download.

But we can also view the contents of the file in Burp’s proxy history without downloading it. Let’s check the response in the Burp proxy.

From the response body, we can see that this shell script simply checks the server’s uptime and displays the output.

Let’s use nmap script to identify if this site is vulnerable to shellshock.

nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56

The result does not report the site as vulnerable to Shellshock; I am not sure why. Reading the NSE script manually, it uses a function that takes the User-Agent, Cookie and Referer header values as arguments and replaces them with the cmd payload.

This is good enough. Let’s confirm it in Burp Repeater by replacing the User-Agent value with the Shellshock string.

[Screenshot: Burp Repeater]

The response shows an additional space in the response headers. Let’s try a command with visible output.

[Screenshot: Burp Repeater]

Great! We have RCE. We will use this in the exploitation step.
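From the defender’s side, the request that produced this RCE leaves a clear mark in the web server log: the bash function-definition prefix `() {` inside a header value. The Python script below is an added example, not part of the original write-up, that parses Apache combined-format access log lines and flags that marker in the logged User-Agent and Referer fields. The log lines it scans are constructed for this example; the /cgi-bin/user.sh path comes from the box, while the 10.10.14.x client addresses and timestamps are sample values.

```python
import re
from typing import Dict, Iterable, List, Optional

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a bash exported-function definition "() {" inside a
# header value. Whitespace between the tokens is allowed so spacing variants
# are still caught; a bare "()" without the brace does not match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def shellshock_fields(entry: Dict[str, str]) -> List[str]:
    """Return which of the logged header fields carry the Shellshock marker."""
    return [f for f in ("ua", "referer") if SHELLSHOCK_RE.search(entry[f])]


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan access log lines and return one alert per line carrying the marker."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # not a combined-format line (truncated or foreign): skip
        hit = shellshock_fields(entry)
        if not hit:
            continue
        parts = entry["req"].split(" ")  # "GET /path HTTP/1.1"
        path = parts[1] if len(parts) > 1 else entry["req"]
        alerts.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "path": path,
            "fields": ",".join(hit),
            # Only a CGI handler passes request headers to a bash process, so a
            # hit on a /cgi-bin/ path is the high-confidence case.
            "severity": "high" if path.startswith("/cgi-bin/") else "medium",
        })
    return alerts


# Constructed sample log lines for this example (not taken from the box).
SAMPLE_LOG = [
    '10.10.14.5 - - [30/Sep/2017:10:15:01 +0000] "GET / HTTP/1.1" 200 137 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"',
    '10.10.14.5 - - [30/Sep/2017:10:15:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"-" "() { :; }; /usr/bin/id"',
    '10.10.14.5 - - [30/Sep/2017:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"() { :; }; /usr/bin/id" "curl/7.55.1"',
    # Parentheses without a brace: an ordinary user agent, must not alert.
    '10.10.14.9 - - [30/Sep/2017:10:16:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"-" "Mozilla/5.0 (compatible; probe() bot)"',
    "not a combined-format line",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The combined format only records the Referer and User-Agent headers, so a payload delivered in the Cookie header (which the nmap script also tries) is invisible unless the LogFormat adds %{Cookie}i. Hits against a CGI path are rated high because that is the only place where a header value actually reaches a bash process.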

Port 2222 OpenSSH 7.2p2 4ubuntu2.2

[Screenshot: Ubuntu version]

Exploitation

#1 HTTP

Set up a netcat listener on port 4444 on your Kali Linux machine.

nc -nlvp 4444

Send the request with bash reverse shell payload.

[Screenshot: Reverse shell]

Great. Quickly check whether the user Shelly is in the sudoers list by running sudo -l.

Indeed, the user is in the sudoers list and can execute the Perl command with sudo privileges. Sudo means a chance to get ROOT! Let’s escalate to root by spawning a bash shell from a Perl one-liner.

sudo perl -e 'exec "/bin/bash";'
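A rule like this is what a hardening review should catch before anyone reaches a shell: any sudo entry that grants an interpreter is effectively root. The Python script below is an added example, not part of the original write-up, that parses the command section of `sudo -l` output and flags rules that grant a shell or scripting interpreter, noting NOPASSWD and missing argument restrictions. The `sudo -l` text it parses is constructed for this example; the user name and hostname follow the write-up, while the NOPASSWD tag and the second rule are assumptions.

```python
import os
import re
from typing import Dict, List

# Interpreters and shells that can hand the sudo-granted privilege straight to
# a shell (the perl -e 'exec "/bin/bash"' one-liner is one instance of this class).
INTERPRETERS = {
    "bash", "sh", "dash", "zsh", "perl", "python", "python2", "python3", "ruby",
}

# One command specification line of `sudo -l` output, e.g.
#   (root) NOPASSWD: /usr/bin/perl
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Parse the command section of `sudo -l` output into one dict per command."""
    rules: List[Dict[str, object]] = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True   # everything after this header is a rule
            continue
        if not in_commands:
            continue             # skip the "Matching Defaults" block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = re.findall(r"[A-Z]+", m.group("tags"))
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_rules(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag rules that grant a shell or interpreter, i.e. full root in practice."""
    findings: List[Dict[str, object]] = []
    for rule in rules:
        cmd = str(rule["command"])
        if cmd == "ALL":
            reason = "ALL: every command as the run-as user"
        else:
            binary = os.path.basename(cmd.split()[0])
            if binary not in INTERPRETERS:
                continue         # fixed, non-interpreter command: not flagged here
            reason = f"{binary} can spawn a shell"
            if " " not in cmd:
                reason += "; no argument restriction"
        if rule["nopasswd"]:
            reason += "; NOPASSWD, so no credential is needed"
        findings.append({**rule, "reason": reason})
    return findings


# Constructed `sudo -l` output for this example (not captured from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The second sample rule is left unflagged because its command and arguments are fixed; the audit deliberately keys on the binary being an interpreter rather than on the exact path, since a rule for /usr/bin/perl is no safer than one for /usr/local/bin/perl.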

Awesome!

Grab the root flag.

Grab the user flag.

Attack Strategy Map

[Screenshot: Strategy map]

Thank you for reading :-) The next box is Bashed.

I am a security enthusiast. Learning new things every day for the joy of it. I love ethical hacking. I am deeply loved by God.