Shocker HTB Walkthrough – Command Injection via Shellshock

SR_Shiravanthan

Recon:

We scan the target IP for all 65535 TCP ports, raising the minimum packet rate (--min-rate 1000) so the full-port scan finishes quickly, and save the result to a text file. Two ports are open: 80 (HTTP) and 2222, which Nmap labels EtherNetIP-1 at this stage only because it is guessing the service from the port number; the version scan below corrects that.

# Nmap 7.94SVN scan initiated Fri Feb 23 11:19:43 2024 as: nmap -p- --min-rate 1000 -oN all_ports.txt 10.10.10.56
Nmap scan report for 10.10.10.56 (10.10.10.56)
Host is up (0.038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1

To gather more information on these two ports, run a version scan (-sV) together with the default script set (-sC) against them and save the results to a text file. Port 80 runs Apache httpd 2.4.18. Port 2222 turns out to be SSH (OpenSSH 7.2p2) on a non-default port instead of 22, and the banners identify the operating system as Ubuntu.

sudo nmap -p 80,2222 -sV -sC 10.10.10.56 -oN enum_ports.txt               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 11:21 EST
Nmap scan report for 10.10.10.56 (10.10.10.56)
Host is up (0.037s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration:

Visiting the site on port 80 shows a single .jpg image and the text "Don't Bug Me!". The page source reveals nothing interesting, so let's look for hidden directories and files on the server with Dirb.

Directory Brute-force:

Running Dirb against the URL with its default wordlist turns up a cgi-bin directory, which the server refuses to serve directly (we lack permission to list it). That only blocks the directory itself; scripts inside it may still be requested by name. In case you're unfamiliar with it, cgi-bin is the directory from which the web server executes external programs (CGI scripts) to handle HTTP or HTTPS requests. These scripts are commonly written in sh, Python, Perl, PHP and similar languages, and the server hands them the details of each request through environment variables, which is what makes the next step possible.


Since cgi-bin holds executable scripts, run Dirb again against /cgi-bin/ with the extensions such scripts commonly use appended to every word in the wordlist. Dirb's -X option takes them as a comma-separated list with no spaces, for example -X .sh,.pl,.py,.cgi.

This turns up /cgi-bin/user.sh. Requesting it returns a short text response, and every time I refresh the displayed time changes, so the script really is executed on each request, and its .sh extension says it runs under bash. A bash CGI script behind an Apache build this old is a textbook candidate for Shellshock (CVE-2014-6271): Apache copies request headers such as User-Agent into the script's environment, and an unpatched bash executes commands appended to any environment variable that looks like a function definition. Let's verify this with Nmap's Shellshock script.

Initial Access

To see exactly what the Nmap script sends, route its traffic through Burp Suite: point the script at Burp's listener on localhost (for example with Nmap's --proxies http://127.0.0.1:8080) so the requests can be intercepted.

To find the script on disk, run locate .nse | grep -i shellshock; the file is http-shellshock.nse. Use cat to read its header, which documents the script arguments. It needs the correct URI, passed as --script-args http-shellshock.uri=/cgi-bin/user.sh, followed by the target IP address.

When Nmap runs the script, Burp intercepts the request. In the captured request, the User-Agent, Cookie and Referer headers all carry the same payload: the () { :; }; function definition, then an echo; statement, then the command whose output the script looks for. The bare echo prints a newline, which the web server interprets as the end of the CGI script's response headers, so whatever the command prints ends up in the HTTP body where the script can read it back.

Explanation of script:

User-Agent: () { :; }; echo; echo -n <random string>. The () { :; } part is a Bash function definition with an empty body (: is the no-op builtin). Vulnerable versions of Bash imported such definitions from any environment variable at startup and, because of the parsing flaw, kept executing whatever followed the closing brace, so the commands after the semicolon run with the web server's privileges. The image and link below explain the mechanism in more detail.

echo prints a newline character by default, which here serves as the blank line that ends the HTTP (CGI) response headers. echo -n suppresses the newline, so the random string is printed into the body without adding another line; the Nmap script then looks for that string in the response to confirm that the command executed.

Now take a Bash reverse shell one-liner from reverseshell.com and send it in the same header. On the attacker machine, netcat (nc) is listening for the incoming connection.

We have initial access.

Privilege Escalation

The command sudo -l reveals that our user may run Perl as root without a password (NOPASSWD). Since Perl can replace itself with another program, a root shell is one line away: sudo perl -e 'exec "/bin/bash";'.
