Been a while since I did a blog post, but figured I’d jump on the bandwagon of Hack The Box writeups for retired boxes. Got the message that Valentine was being released on 2018-02-17 and retiring Shocker, which was a nice little box that I had managed to own user and system. So I thought I’d writeup my approach and observations.

Run through a quick nmap, see what we’re working with. Since it’s an easy box, common ports should trigger something:

Nmap scan results showing open ports

Ok, HTTP and SSH. Haven’t seen an SSH brute-force attack vector be meaningful, so let’s look at the HTTP service:

HTTP service homepage

Alright, cute jpeg. No other links. Let’s start brute force browsing. Whipping out dirb in this instance (it is what they teach you in OSCP).

Dirb scan results

Ya know, dirb isn’t the fastest. Which made me look for something else a bit more powerful than the “easy mode” dirb. (And just forget dirbuster, too flaky for me.) Enter wfuzz. Switched over to this and watched the results fly by.

Wfuzz scan results with no extensions

Hmm ok, no dice with a default wordlist with default settings. Not so easy peasy. So, let’s look at what we have: Apache webserver with a URI of /cgi-bin/, box name of Shocker, could this be Shellshock? Take a look through if you aren’t familiar, a good classic vuln, even on the OWASP hit list. So if the tool defaults didn’t work, let’s try refining our tools.

So we’re looking for CGI scripts. Referenced this site to remember how CGI worked. So we’re looking for scripts with particular file extensions; could be .cgi or .pl. So ok, fire up the ol’ wfuzz again, let’s see.

Wfuzz scan results for .cgi files

Wfuzz scan results for .pl files

Well crap, we continue to look. Google-fu deployed, and stumbled upon this site regarding bash scripts being usable as CGI too. So let’s try the .sh filetype:

Wfuzz scan results for .sh files

Ah hah! user.sh, that’ll work. So time to fire up the exploit. I used Burpsuite Repeater for this, a bit easier than working the CLI since I’m old and legally blind, GUI helps the ol’ eyes. Prepped this with a reverse bash shell payload à la Pentest Monkey’s cheatsheet.

Burpsuite payload configuration

Reverse shell connection established
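From the blue-team side of the same request: Shellshock only works because the CGI handler copies request headers into environment variables and bash then parses any value starting with `() {` as a function definition, so that prefix is the thing to alert on. The following is an added example (my own, not from the box or the post) of a small request classifier run over constructed sample requests; the host name, paths and test strings are made up.

```python
import re

# Shellshock abuses bash importing any environment variable whose value
# starts with "() {" as a function definition. With CGI, request headers
# become environment variables, so the marker lands in User-Agent,
# Referer, Cookie and friends. Matching the prefix is enough to detect it;
# we do not try to interpret whatever follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample requests (not traffic from the writeup). The first
# carries the classic harmless Shellshock test string.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: target.test\r\n"
    "User-Agent: () { :; }; echo vulnerable\r\n\r\n",
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: target.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: target.test\r\n"
    "Referer: () {:;}; /bin/ls\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers


def offending_headers(headers):
    """Names of headers whose value carries the bash function prefix."""
    return [n for n, v in headers.items() if SHELLSHOCK_RE.search(v)]


def classify(raw):
    """Return 'high', 'medium' or 'none' for one raw request."""
    path, headers = parse_request(raw)
    if not offending_headers(headers):
        return "none"
    # Marker aimed at a CGI path is the exact shape of the attack in the
    # post; the same marker elsewhere is still worth a look.
    return "high" if path.startswith("/cgi-bin/") else "medium"


def scan(requests):
    """Return [(path, verdict, offending header names)] per request."""
    return [(parse_request(r)[0], classify(r),
             offending_headers(parse_request(r)[1])) for r in requests]
```

A WAF rule or an Apache access-log hunt for the same `() {` prefix gives the same signal without the parsing; the point is to match the prefix, not the command after it.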

Alright! We got user, onwards and upwards. So let’s upload the standard Linux enumeration script via wget and a python SimpleHTTPServer. Running this, we see this snippet of interesting-ness:

LinEnum scan results

So the line of attack is to get a perl script to read the contents of the flag file and just sudo it. Easy enough to whip up:

Perl script for reading flag

Root flag contents

And that’s a wrap. Fun little box, enumeration is key. Thanks @hackthebox_eu and @mrb3n813!