As the name would suggest, I learned about a vulnerability called ShellShocker doing this one. First things first, kick off an auto-recon and let’s take a look at the full nmap scan.
Only port 80 and an SSH server running on a non-standard port. Let’s get after port 80.
Browsing to the page, we don’t see anything exciting in the source: no robots.txt, nothing there. So let’s see what else we can find with dirsearch. If you don’t have dirsearch, definitely get it. It’s a multithreaded directory brute-forcer in the same family as dirb, dirbuster and gobuster, and it runs great.
Looking at this output, we have a couple of directories. Maybe cgi-bin has some scripts in it, so let’s run dirsearch again with some other extensions, like .sh.
We found a .sh script inside cgi-bin on this server. Read more about this vulnerability (Shellshock) at https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 , then get msfconsole up and running. Once you type ‘search shellshock’, you’ll want to use apache_mod_cgi_bash_env_exec, as that’s exactly the situation here: a Bash CGI script behind Apache’s mod_cgi.
Make sure to adjust your settings: set LHOST to your own IP address, set TARGETURI to the /cgi-bin/user.sh script we located, and set RHOSTS to the IP address of the Shocker VM in HackTheBox. Then run the exploit!
If all goes according to plan, we get a nice meterpreter session, like below:
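From the defender’s side, every Shellshock attempt against a CGI script leaves the Bash function-definition prefix in a request field that Apache writes to its access log. Added example, not part of this walkthrough or of Metasploit: a Python scanner over constructed combined-format access-log lines that flags that prefix; the /cgi-bin/user.sh path is the one found above, while the sample lines, IPs and timestamps are made up.

```python
import re
from typing import Dict, List

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock payloads open with a Bash function definition, "() {", placed in
# a value that mod_cgi exports to the script's environment (User-Agent,
# Referer, query string, ...), so that prefix is the signature to look for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Parsed fields that end up as environment variables for a CGI script.
ENV_FIELDS = ("agent", "referer", "request")

def parse_combined(line: str) -> Dict[str, str]:
    """Parse one combined-format line; return {} if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else {}

def shellshock_fields(entry: Dict[str, str]) -> List[str]:
    """Names of the parsed fields carrying the '() {' prefix."""
    return [f for f in ENV_FIELDS if SHELLSHOCK_RE.search(entry.get(f, ""))]

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag Shellshock attempts. A 200 status only shows the request was
    served, not whether Bash ran the payload, so every hit is an attempt."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        fields = shellshock_fields(entry) if entry else []
        if not fields:
            continue
        parts = entry["request"].split()
        path = parts[1] if len(parts) > 1 else entry["request"]
        hits.append({"ip": entry["ip"], "path": path, "fields": fields,
                     "cgi_target": path.startswith("/cgi-bin/")})
    return hits

# Constructed sample lines (not from the box); the second carries a harmless
# probe modelled on the Wikipedia self-test string, aimed at /cgi-bin/user.sh.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2017:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:12:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo probe"',
    '198.51.100.4 - - [10/Oct/2017:12:02:14 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.55.1"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is flagged; the plain curl request to the same script is not, because the signature lives in the header value, not in the path.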
Once here, drop into a shell with the ‘shell’ command and poke around to find the user flag. Also run sudo -l to see what our sudo permissions are.
A few things from the picture above. Notice we don’t have a prompt? That doesn’t affect us on this box, but it will on future VMs. Also, we see the user flag in shelly’s home directory, which is easy to submit at this point. Finally, we see that shelly can run /usr/bin/perl with no password; a NOPASSWD sudo rule for an interpreter like perl is effectively a root shell, which is why it is worth flagging in any sudoers review. Browse out to GTFOBins, at https://gtfobins.github.io/gtfobins/perl/ , and look at the sudo section.
And that makes short work of Shocker! As always, I’ll record a video walkthrough of this as well. Please consider subscribing to me on YouTube, and thanks for catching this walkthrough!