Shocker writeup HTB


An easy machine walking us through the infamous “Shellshock” exploit, as well as a simple privilege escalation using Perl.


Web server

Sometimes the name of a machine hints at what is waiting for us to uncover. This is one of those cases. The name “Shocker” is probably a reference to “Shellshock”, a remote code execution vulnerability in Bash (v4.3) that is exploited through environment variables.

For the Shellshock exploit to work, we need access to the /cgi-bin directory (or to any file inside it). The cgi-bin (Common Gateway Interface) directory is a folder whose scripts can communicate directly with the host server.

This is weird, since typing /cgi-bin/ as the directory indicates that we don’t have access to it:

I’m not exactly sure what that is (probably a server misconfiguration or something). Usually typing /directory is the same thing as typing /directory/. Tools like gobuster usually won’t find this directory, as they only check for directories with a / before the name and not necessarily after it. To find these, we have to tell gobuster to search for directories with a slash both before and after, using the -f option:

Without adding a slash at the end

Shell as shelly

As mentioned before, for the Shellshock exploit to work, we need access to the /cgi-bin directory or to a script inside it. Since we are forbidden from accessing the /cgi-bin directory itself, we can start enumerating potential scripts inside it. This can be done by telling gobuster to search for files with specific extensions using the -x option:

The ".sh" extension represents Bourne shell scripts (including Bash)

We now have everything we need for the exploit to work. Using this script, we can manipulate environment variables (values needed for setting up shell environments) to cause bash to run on the target:
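The same header-to-environment path seen from the defender's side, as an added example that is not part of the original writeup or the script it refers to: a Python scan of web access logs for the function-definition prefix that Shellshock relies on. The log lines, addresses and the script name example.sh are constructed for illustration.

```python
import re

# Bash treats an environment value that begins with "() {" as a function
# definition; CGI copies request headers into the environment (HTTP_USER_AGENT, ...).
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Only Referer and User-Agent are logged,
# so a payload carried in any other header will not show up in this log.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def find_shellshock_attempts(lines):
    """Return one finding per log line whose logged headers hold a function definition."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = [f for f in ("referer", "agent") if FUNC_DEF.search(m[f])]
        if fields:
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "fields": fields,
                # A 200 on a /cgi-bin/ path means the script ran, so the
                # header was placed in its environment: triage these first.
                "reached_cgi": m["path"].startswith("/cgi-bin/") and m["status"] == "200",
            })
    return findings

# Constructed sample lines (documentation addresses, hypothetical script name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 118 "-" "() { :; }; echo constructed-probe"',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /missing HTTP/1.1" 404 209 "() { :;}; echo constructed-probe" "curl/8.0"',
    '192.0.2.77 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "gobuster/3.6"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A finding with reached_cgi set is the case to escalate, because the request was served by a script that received the header in its environment.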

Privilege escalation

We can run Perl as root with no password! This means we can create a Perl file containing a reverse shell and then execute it as the root user! Grabbing a Perl reverse shell from here does the trick: