
Hack The Box – Shocker Walkthrough

Introduction

This was a very easy Linux box. A user shell is gained by exploiting the well-known Shellshock vulnerability in Bash, and privileges are escalated to root through Perl, which the user is allowed to run with sudo.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

Enumerating the HTTP Port

Browsing to the web server shows the following page:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to run the directory and file brute-forcing mode
  • -u to specify the target URL
  • -w to specify the word list to use

The presence of a cgi-bin folder suggests the system may be vulnerable to Shellshock. Running another Gobuster scan against cgi-bin finds user.sh:

Requesting user.sh returns what appears to be just the output of uptime:

Exploiting Shellshock

Shellshock is a vulnerability in Bash that allows an attacker to make Bash execute arbitrary commands, giving unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests. Applications such as Apache, through CGI scripts, were affected.

Using SearchSploit to find Shellshock-related exploits:

Copying the first one locally and running it to view its usage:

When run with the required parameters (payload, rhost, lhost and lport), the script tries a number of common CGI directories and scripts:

Adding the script found earlier to the pages list:

try:
    pages = args['pages'].split(",")
except:
    # Default list of CGI paths the script probes; /cgi-bin/user.sh is the page found on this box
    pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv", "/cgi-bin/user.sh"]

After adding the new page, executing the script again returns a shell as the user shelly:

An interactive shell is then obtained with the spawn function of Python's pty module.
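The same attack seen from the web server's side, as an added example that is not part of the original walkthrough or of the exploit script: a small Python scanner that parses Apache combined-format access logs and flags requests whose Referer or User-Agent header starts with the bash function definition Shellshock relies on, noting when the request targets a CGI script. The log lines are constructed samples, not captured from the box, and the log format and field names are assumptions.

```python
import re

# Constructed sample lines in Apache "combined" log format (not captured from the box).
# Lines 2 and 3 carry the Shellshock trigger in the User-Agent and Referer headers.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.7 - - [10/Oct/2023:13:56:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "() { :; }; echo probe" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
"""

# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload starts a header value with a bash function definition,
# "() {" in its canonical form; spacing varies between tools, so match loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a parsed entry looks like a Shellshock probe (empty if none)."""
    reasons = []
    parts = entry["request"].split(" ")
    path = parts[1] if len(parts) > 1 else entry["request"]
    for field in ("referer", "agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            reasons.append(f"bash function definition in {field}")
    # CGI paths are where the injected function definition actually reaches a bash process.
    if reasons and (path.startswith("/cgi-bin/") or path.startswith("/cgi-sys/")):
        reasons.append(f"targets CGI script {path}")
    return reasons

def scan_log(text):
    """Return (line number, client ip, reasons) for every suspicious line in the log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        reasons = classify(entry) if entry else []
        if reasons:
            hits.append((lineno, entry["ip"], reasons))
    return hits
```

Running scan_log over a real access log would report the probing client and the CGI script it hit, which is the evidence an administrator needs to confirm the attempts and verify that Bash has been patched.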

Privilege Escalation

Running sudo -l to check whether the current user is allowed to execute commands using sudo shows that Perl can be executed as root:

Most scripting languages provide functions that execute system commands, and Perl is no exception: its "exec" function can be used, as documented on GTFOBins:

Using the following command to execute /bin/sh as root:

sudo /usr/bin/perl -e 'exec "/bin/sh";'

This grants a root-level sh shell on the system.

Conclusion

The main purpose of this box was to demonstrate the Shellshock vulnerability, which was a massive issue that affected many web servers. It is probably one of the biggest vulnerabilities to have impacted Linux web servers, as it granted remote code execution in a trivial manner.