DEV Community

Michael Oladele

Hack The Box: Shocker Machine Writeup

🚀Introduction

The Shocker machine on Hack The Box is an excellent way to learn about and exploit the Shellshock vulnerability. In this walkthrough, we will enumerate this retired machine step by step and capture the user and root flags, demonstrating a real-world example of this critical vulnerability.

🔍 Enumeration

First, we begin by scanning for open ports on the target machine.

I like to scan all the ports first, then dive deeper, like below:

[screenshot: nmap scan]

Two ports came back as open:

  • Port 80 — HTTP (Apache web server)
  • Port 2222 — SSH

Since web servers usually have more attack surface, let's focus on port 80 and see whether we can get a foothold.

The next step is to perform a version and service detection scan:

[screenshot: nmap service scan]

Let's do some banner grabbing to be sure the server Nmap reported is correct:

[screenshot: banner grabbing]

We can confidently say that the server is running Apache/2.4.18 (Ubuntu) on port 80.

Since port 80 is running a public-facing Apache web server, it is a good place to see what is running. Let's navigate to http://ip. Then we see:

[screenshot: web app]

At first, when I saw this web page, I froze. But let's try to brute-force the directories; maybe we can see something juicy:

gobuster dir -u http://10.129.16.77/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.16.77/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 291]
/.htaccess            (Status: 403) [Size: 296]
/.htpasswd            (Status: 403) [Size: 296]
/cgi-bin/             (Status: 403) [Size: 295]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 300]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished

If we try to check /server-status and /cgi-bin/, we can see:

[screenshot: load error]

So there seemed to be no way in here. I wanted to move on to port 2222 at this point, but I decided to drill down into the /server-status and /cgi-bin/ directories in case something would come up.

Then I dug again, but this time I added -x php,html,txt,sh,pl,cgi to check for files with those extensions:

gobuster dir -u http://10.129.16.77/cgi-bin -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,sh,pl,cgi
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.16.77/cgi-bin
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,sh,pl,cgi,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 300]
/.hta.sh              (Status: 403) [Size: 302]
/.hta                 (Status: 403) [Size: 299]
/.hta.pl              (Status: 403) [Size: 302]
/.hta.cgi             (Status: 403) [Size: 303]
/.hta.php             (Status: 403) [Size: 303]
/.hta.html            (Status: 403) [Size: 304]
/.htaccess.php        (Status: 403) [Size: 308]
/.htaccess.txt        (Status: 403) [Size: 308]
/.htaccess.html       (Status: 403) [Size: 309]
/.htaccess.sh         (Status: 403) [Size: 307]
/.htaccess            (Status: 403) [Size: 304]
/.hta.txt             (Status: 403) [Size: 303]
/.htaccess.pl         (Status: 403) [Size: 307]
/.htaccess.cgi        (Status: 403) [Size: 308]
/.htpasswd            (Status: 403) [Size: 304]
/.htpasswd.pl         (Status: 403) [Size: 307]
/.htpasswd.cgi        (Status: 403) [Size: 308]
/.htpasswd.php        (Status: 403) [Size: 308]
/.htpasswd.html       (Status: 403) [Size: 309]
/.htpasswd.txt        (Status: 403) [Size: 308]
/.htpasswd.sh         (Status: 403) [Size: 307]
/user.sh              (Status: 200) [Size: 119]
Progress: 32298 / 32305 (99.98%)
===============================================================
Finished

In the above scan, I got a script back, user.sh, which could be juicy. But when I opened it:

[screenshot: page]

I decided to dig a little into what I could find out about cgi-bin, and I came across Shellshock. So I checked the CGI script with Nmap to see if anything would come up, and it is vulnerable to Shellshock:

[screenshot: nmap scan]

Let's say luck found me: it's vulnerable to Shellshock, so I fired up Metasploit and searched for it:

[screenshot: metasploit]
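
Shellshock fires when a vulnerable Bash imports an environment variable whose value starts with a function definition, () {, and then runs whatever follows the closing brace; a script under /cgi-bin/ is reachable because Apache copies request headers such as User-Agent into the CGI process environment. As an added defensive example (not part of the original post), the Python below scans Apache access-log lines for that marker; the log lines, IPs and timestamps are constructed, not real traffic.

```python
import re

# Apache "combined" log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock marker: a Bash function definition "() {" at the start of a
# header value. Unpatched Bash executes the text after the closing brace
# when it imports such a variable from the environment.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (ip, header_field, path) for requests carrying the marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else rec["request"]
        for field in ("agent", "referer"):  # headers commonly exported to CGI
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, path))
    return hits


# Constructed sample log (not real traffic). The third line imitates a
# probe against the cgi-bin script found during enumeration.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/7.68.0"',
    '10.10.14.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :;}; echo probe"',
]

if __name__ == "__main__":
    for ip, field, path in find_shellshock(SAMPLE_LOG):
        print(f"ALERT: Shellshock marker from {ip} in {field} header, target {path}")
```

The durable fix is a patched Bash (and no CGI scripts that invoke a shell); the log check above is for spotting attempts against hosts that have not been patched yet.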

⚡ Exploitation

The next step is to exploit the target machine. In Metasploit, I set all the options needed, and the target was down in seconds:

[screenshot: meterpreter]

Let's do our victory dance!!!

⚡ Privilege Escalation

As we can see, the user we compromised is 'shelly', so we need to elevate our privileges to 'root'.

I checked to see what the user can run with root access without a password:

[screenshot: shell]

We are convinced that the user can run /usr/bin/perl without a password; that might be our path to root. Let's check the binary on GTFOBins:

[screenshot: bins]

Now let's run the binary with 'sudo', because we know we can do that:

[screenshot: root]

We are root!! Yeepee!!!
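
A defender can catch this sudo rule before anyone else does. This added Python example (not from the original post) audits sudoers-style lines and flags NOPASSWD rules that hand a user an interpreter such as /usr/bin/perl; the sample rules and the list of shell-capable binaries are my own illustration, not the machine's real configuration.

```python
import re

# Binaries that can spawn a shell or run arbitrary code. A NOPASSWD rule
# for any of them is a root shell in disguise (the perl case in the post).
# Illustrative list, not exhaustive.
SHELL_CAPABLE = {"/usr/bin/perl", "/usr/bin/python", "/usr/bin/python3",
                 "/bin/bash", "/bin/sh", "/usr/bin/vim", "/usr/bin/find"}

# sudoers user specification: user host=(runas) [TAG:] cmd, [TAG:] cmd ...
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)


def audit_sudoers(lines):
    """Return (user, runas, command) for NOPASSWD rules on risky commands."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("Defaults", "@", "%")):
            continue                                  # skip defaults, includes, group rules
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"            # sudoers default runas is root
        nopasswd = False                              # a tag applies to later entries too
        for entry in m.group("cmds").split(","):
            entry = entry.strip()
            if entry.startswith("NOPASSWD:"):
                nopasswd, entry = True, entry[len("NOPASSWD:"):].strip()
            elif entry.startswith("PASSWD:"):
                nopasswd, entry = False, entry[len("PASSWD:"):].strip()
            binary = entry.split(" ")[0]
            if nopasswd and (binary == "ALL" or binary in SHELL_CAPABLE):
                findings.append((m.group("user"), runas, entry))
    return findings


# Constructed sample sudoers content (not the machine's real file).
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "shelly ALL=(root) NOPASSWD: /usr/bin/perl",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/perl",
    "%sudo ALL=(ALL:ALL) ALL",
]

if __name__ == "__main__":
    for user, runas, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"RISK: {user} may run '{cmd}' as {runas} without a password")
```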
