Shocker is rated easy among other boxes on htb, However, for me it was a great learning.
So, lets learn some “shocking exploitation” without metasploit.
Machine: Shocker
OS: Linux
IP: 10.10.10.56
Enumeration
A simple bash script that uses Nmap to enumerate the host.
Don’t forget to give executable permission to the script.
chmod +x en.sh
Results
Points to Consider
- Website may be hosted on port 80. Apache → 2.4.18 (http)
- ssh on 2222. OpenSSH → 7.2p2 (can use user enum)
Let’s visit the site.
Don’t know what “Don’t Bug Me!” means… or if it means anything at all…
Let’s Enumerate more using Dirbuster.
Set number of threads to 20,30 or more, depending on your machine’s hardware.
For file with list of dirs/files, Go to Browse and select the path “/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt”
One can use any other list as per their wish , i am using the one mentioned above.
It is a good habit to set the file extension, whenever dirbuster is used.
here it will look for .php files, .py files, .sh files, .txt files , .perl files inside of directories.
Umm…. .sh file can be seen… (told’ya it is a good habit)
Let’s Download and see if we have anything inside it. Also it is found under cgi-bin.
arggggghhh!!! No clues.
As we have found only two directories from our Dirbuster Result, cgi-bin and icons.
Literally no Idea at this point what is cgi-bin and icons is about… but, what is known is that there is a directory called cgi-bin and shell(.sh) file inside it, also the icons directory. Have seen .sh scripts as bash scripts previously.
Let’s see what the internet has to say…
ohhhh, So that is why this machine is called Shellshock, Interesting…
Let’s see what exploit we have on the word Shellshock.
I got many things, however, i was confused between the two
- Bash — ‘Shellshock’ Environment Variables Command Injection
- Bash CGI — ‘Shellshock’ Remote Command Injection (Metasploit)
As we are doing this without metasploit , I chose the first.
Tried to find out the CVE from the path and searched.
Exploitation
Found one Repository showing one liners to exploit the flaw, modified the first one using the reverse shell cheat sheet from pentestmonkey.
Before firing the payload, Run Netcat in listening mode on port 1234, as in the above payload the port is set to 1234.
We got the exploit right and we have the user shell.
We got the user.txt flag, we have to find root.txt flag now.
At this point, some privilege escalation techniques should be applied to get root access..
Got to learn that first command after “whoami” must be “sudo -l” whenever access is gained.
sudo -l is used to check what sudo rights the users has.
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Shelly user has the permission to access perl command as root.
So i found one liner again to gain root access after searching on internet.
Sudo perl -e ‘exec “/bin/bash”;’
Hey there, Root
Let’s get the root.txt flag
Thank you for finding me helpful.
Please click on clap button if you learn anything new today.
