Shocker HTB Writeup
Hi Everyone, I am back with another ‘very easy’ level linux box called ‘shocker’.
Started with nmap TCP and UDP scans of the machine, which are as follows:
There were two TCP ports open:
- Port 80: running Apache httpd 2.4.18
- Port 2222: running OpenSSH 7.2p2
After that, decided to start with enumeration of port 80 and got the below response in the browser.
After that, decided to search for known exploits for the Apache httpd version found, but no luck.
Decided to use gobuster as follows but nothing interesting found.
Then I searched for the Apache directory structure and found that it usually involves directories such as /cgi-sys, /cgi-mod, /cgi-bin, etc., so I thought to give a manual try and got the below errors. /cgi-sys and /cgi-mod do not exist on the web server; however, /cgi-bin does. It was interesting to note the difference in the web server's error when I requested /cgi-bin versus /cgi-bin/ in the URL path.
/cgi-bin/ gave me a 403 Forbidden and /cgi-bin gave me a 404 Not Found. After that I realized that if I don't add the "/" at the end of the URL, the server interprets it as a file instead of a directory. It made sense why Gobuster did not find the directory: it checked the URL "10.10.10.56/cgi-bin", got a 404 and therefore didn't report it. The "-f" flag appends "/" to each request, so I decided to run Gobuster again.
To enumerate the /cgi-bin/ directory further, I searched for files with the extensions "sh" and "cgi" (the -x switch specifies the file extensions to search for). Here I found the file 'user.sh', which can easily be downloaded from the browser as follows:
Opened the user.sh file but nothing interesting found.
After that, decided to use burpsuite proxy tool to capture the request.
Apache CGI deployments are well known targets for the Shellshock bash remote code execution vulnerability. This vulnerability affected web servers utilizing CGI (Common Gateway Interface), a system for generating dynamic web content, because CGI passes request headers to the script through environment variables.
Modified the User-Agent field of the request with a Shellshock reverse shell payload and started a netcat listener on my local system. That's how I got low privileged shell access.
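Because the Shellshock payload travels in a request header such as User-Agent, Apache's default combined access log records it verbatim. As an added example that is not part of the original writeup, the following Python parses combined-format log lines (constructed samples, not taken from the box) and flags requests whose User-Agent or Referer carries the `() {` function-definition prefix, which is what a defender reviewing access logs for this class of attack would look for:

```python
import re
from typing import Dict, List

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock signature: an exported function definition "() {" (whitespace optional) in a header value
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else {}


def shellshock_findings(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that carries the Shellshock prefix in a header field."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # skip lines in another format rather than miss the rest of the file
        hit_fields = [f for f in ("ua", "referer") if SHELLSHOCK_RE.search(rec[f])]
        if hit_fields:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "fields": hit_fields,
                # a hit against a CGI path is the case that actually reaches bash
                "cgi_target": rec["path"].startswith("/cgi-bin/"),
            })
    return findings


# Constructed sample log lines (assumption: combined format); the second mimics a Shellshock probe
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2023:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Oct/2023:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo x"',
    '10.10.14.5 - - [10/Oct/2023:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in shellshock_findings(SAMPLE_LOG):
        print(finding)
```

Flagging the signature in the log is detection only; the fix is a patched bash (or no bash-backed CGI scripts), since the prefix reaches the shell through the environment regardless of which header carries it.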
Used the below command to determine what permissions I have as a low privileged user. Here I found out that I can run perl with sudo privileges, so a perl reverse shell will come back with root privileges.
From the pentestmonkey blog I used the perl reverse shell and started netcat on port 1234.
Let’s do a root dance and till then happy hacking :)