
Shocker

Shocker is a fun, easy-level Linux machine on HackTheBox. It features the Shellshock exploit to get a foothold on the box, and from there we escalate privileges by abusing sudo rights on perl.

Enumeration

Nmap shows us:

[Image: nmap]

With only HTTP and SSH to look at, let’s begin with enumerating the website.

[Image: gobuster]

The website is just a static HTML page, so we look for hidden web directories with gobuster. It’s important to note that only the directory path with the trailing slash is valid.

[Image: notfound]

With the trailing slash this time we get a 403 Forbidden.

[Image: perm]

CGI stands for “Common Gateway Interface”, and is essentially a directory in Apache that houses executable scripts. The client sends a request to the server, the web server receives the request and passes it to the CGI program, the program executes and returns its output to the web server, and the web server sends the response back to the client. Common extensions for these scripts are .pl, .sh, .cgi, .py, and so on. If we run gobuster like this: /usr/bin/gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x sh,cgi,pl we can look for any scripts in the /cgi-bin/ directory with those file extensions.

[Image: user]

We see that user.sh exists on the server. Visiting the /cgi-bin/user.sh path downloads a text file for us, which is just the output of the uptime command.

[Image: uptime]

Googling around about CGI-bins, we learn that CGI scripts are often vulnerable to the Shellshock vulnerability if the version of bash on the server is old enough. The exploit works with CGI because the web server passes user-supplied data into the shell script as environment variables: things like the User-Agent, cookies, or other GET parameters. By inserting the Shellshock payload followed by a command into one of these variables, we can get RCE on the box. Let’s try it with this one-liner I found on GitHub.

[Image: shock]

We can see that by putting the Shellshock payload into the User-Agent field, we can execute commands. We’ll send this over to Burp and play around with it more.

[Image: notwork]

When we remove the echo; echo; part, the command doesn’t work.

[Image: works]

Putting one echo back makes it work again.

[Image: notworks2]

It also won’t work unless we either specify the full path of the command or wrap it in /bin/bash -c ‘command’ as shown earlier.

[Image: works2]
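From the defender’s side, the same mechanism gives a clear detection signature: every Shellshock attempt has to put a bash function definition (“() {”) into a header or parameter that the web server copies into the CGI environment, and Apache writes the User-Agent and Referer of each request into its access log. Below is an added example, not code from the original writeup, of a small Python scanner over constructed access-log lines; it flags the marker and notes whether the request actually hit /cgi-bin/ (where the injected body can execute) or only a static page (a probe). The attacker address and timestamps in the sample are made up.

```python
import re
from typing import Dict, List

# Apache "combined" access log: ip ident user [time] "request" status size "referer" "user-agent".
# Simplification: backslash-escaped quotes inside header values are not handled.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a bash function export "() {" placed in data that the
# web server copies into the CGI script's environment (User-Agent, Referer, query).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one log line, or {} if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}


def is_shellshock_attempt(entry: Dict[str, str]) -> bool:
    """True if the User-Agent, Referer or request path carries the marker."""
    if not entry:
        return False
    return any(SHELLSHOCK_RE.search(entry[k]) for k in ("ua", "referer", "path"))


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag marker hits; 'cgi' tells whether the request reached a CGI path,
    where the injected function body can actually run, rather than a static page."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_shellshock_attempt(e):
            hits.append({"ip": e["ip"], "path": e["path"], "ua": e["ua"],
                         "cgi": e["path"].startswith("/cgi-bin/")})
    return hits


# Constructed sample lines (not real traffic); the probe payload only echoes a string.
SAMPLE_LOG = [
    '10.10.14.2 - - [23/Oct/2017:10:01:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [23/Oct/2017:10:01:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; /bin/echo probe"',
    '10.10.14.2 - - [23/Oct/2017:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "() { :;}; /bin/echo probe"',
    '10.10.14.2 - - [23/Oct/2017:10:02:30 +0000] "GET /cgi-bin/ HTTP/1.1" 403 292 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(("CGI hit " if h["cgi"] else "probe   ") + f'{h["ip"]} {h["path"]} ua={h["ua"]!r}')
```

The real fix is patching bash (and keeping CGI handlers off the attack surface); the scanner only tells you who has been knocking and whether a knock landed on an executable script.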

Foothold

Anyway, let’s get a reverse shell. Set up a listener and send a bash reverse shell one-liner to the server.

[Image: payload]

We get a reverse shell as Shelly. Checking our sudo privileges on the box gives us:

[Image: privs]

We have access to run perl as root, meaning we are one quick search on GTFOBins away from root.

[Image: perl]

Using the first one gives us a root shell.

[Image: privest]

This post is licensed under CC BY 4.0 by the author.