Hack The Box :: Shocker
Shocker is an easy Linux machine box thats based on the shellshock exploit. Named after the Shellshock exploit, the exploit is known as a backdoor vulnerability utilizes the Unix Bash shell. It simply enables an attacker to cause Bash to execute Arbitrary Code Execution (ACE)
Start with an active reconnasissance on the targeted machine. We use nmap to scan for open ports on the machine.
Interesting enough, we only see 2 open ports:
- Port 80 - http - Apache httpd 2.4.18
- Port 2222 - ssh - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
Visiting port 80 through firefox we are shown an image with a text display “Don’t Bug Me”.
This image confuses me because I’m clueless what this could mean. I did check the source of the webpage but nothing unveiling was on there. I also checked the robots.txt
Because there was no other additional information, I decided to use gobuster to brute-force for any additional directories or files.
With some luck, we got a few hits. The one that stood out to me the most was the /cgi-bin/ directory. You may be asking why does that specifically raise a concern for me. Well, the cgi-bin is known to enable the execution of scripts by a web server. This co-relates to the Shellshock exploit.
- A user would request a URL like http://www.example.com/cgi-bin/example.sh and the web server would locate and execute the example.sh script, passing request parameters as environment variables and returning standard output in the body of the response.
After gobuster informed us that there is a /cgi-bin/ directory, we can use dirb to see if there are any scripts on the web server we can take advantage of.
Dirb was able to find a user.sh file within the /cgi-bin/ folder. Here we can easily use the Shellshock exploit to gain backdoor access to the system.
Here, I ended up using Metasploit to do the dirty work for us. I was able to find a Shellshock exploit to gain a reverse shell.
As you can see we set the arguments to be able to exploit the box:
- set RHOSTS 10.10.10.56
- set TARGETURI /cgi-bin/user.sh
- set LHOST 10.10.14.25
And there you go! We have access to the system
There we can see the user.sh file we initially used to gain backdoor access to the system. I look in the home folder to see if there is anything to take note of, and was able to see a user name shelly.
Going into shelly’s folder we can the user.txt file. Cating that file we are givent he user flag
Sadly, I’m currently unable to gain root access of the machine. I will update this section when I get root privileges and able to obtain the root flag.
This box was a very interesting box. Being able to utilize the Shellshock exploit and gain backdoor access was very cool. We were able to use a few additional security tools to gain more information about missing directories and files.
As usual, now that we pwned this box (sort of), we can then move onto another box. You can expect a write-up for Netmon next.