HTB - Shocker

Here is Shocker. Fairly straightforward, since the name literally tells you what the box is vulnerable to. Regardless, a great box to reinforce some basic concepts such as enumeration, enumerating strange directories and learning more about what the heck /cgi-bin/ is and what it’s capable of.

In a nutshell, we find two open ports: a web server and an SSH service running on an unusual port. When we visit the webpage we get a picture of something that doesn’t really help us. Through basic enumeration we find the /cgi-bin/ directory and enumerate that further. We find a script running on the host machine and exploit the machine because it is vulnerable to Shellshock (surprise). The privesc is simple enough: with a quick GTFOBins execute we are root.

As for the OSCP what did this box teach me:

  1. Don’t ignore /cgi-bin/
  2. Enumerate extensions
  3. Always check sudo -l

Let’s go!

Walkthrough

Shocker's IP address is `10.10.10.56`

A basic nmap scan returns:

nmap -sC -sV -Pn -oA nmap/initial 10.10.10.56

First step here was to visit that webserver to see if there was anything interesting there:

Not really…

So our next step was to enumerate the directories on the webserver and see if we get a clue as to what is going on.

I used gobuster for this with a command of:

gobuster dir -u http://10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -e

I like common.txt here because I find it keeps the noise to a minimum and the scans complete much quicker. In a test environment, I would use common.txt followed by something more robust such as a raft list or directory-list-medium.

Note the /cgi-bin/ directory; it's a good idea to check this one further, especially for Shellshock.

And lucky us, there is a user.sh script in there. When we visit it on the webserver we are asked to download the file. So I downloaded it and looked at the contents. It seems to be a script that keeps track of the time a user spends logged in:

Because I am a bit familiar with Shellshock and know that it affects scripts in the /cgi-bin/ directory, I use trusty old nmap to see if it's vulnerable:

Perfect! To Google it is. I search for Shellshock exploits and come across this nice little one-liner:

I remove the cat /etc/passwd and put in my one-liner reverse shell.

Works on the first try! I get a callback from my listener, but I am only a low-privilege user. I check my permissions with sudo -l and see I can run perl as root. A quick search on GTFOBins and a simple execute is all it takes to get root.
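Seen from the blue-team side of the same box: the request that pops /cgi-bin/user.sh lands in the Apache access log, and the `() {` function-definition marker that makes Shellshock work is exactly what a defender can alert on. This is an added example, not part of the writeup; the log lines are constructed, and the severity split (CGI path vs. anything else) is my own choice.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# Apache "combined" log format fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock (CVE-2014-6271) fires when bash imports an environment variable
# whose value begins with a function definition, "() {". mod_cgi exports request
# headers as HTTP_* variables, so that marker in any header field is the signature.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (not traffic captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2017:12:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2017:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; /usr/bin/id"
10.10.14.5 - - [10/Oct/2017:12:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.55.1"
10.10.14.5 - - [10/Oct/2017:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; id" "Mozilla/5.0"
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line carrying the Shellshock marker.

    Severity is "high" when the request hits a CGI path (headers reach bash),
    "medium" elsewhere (a probe worth noting, but no script there to run it).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        # Percent-decode the path so an encoded "%28%29%20%7B" is caught as well.
        path = unquote(parts[1]) if len(parts) > 1 else ""
        fields = {"request": path, "referer": rec["referer"], "ua": rec["ua"]}
        for name, value in fields.items():
            if SHELLSHOCK_RE.search(value):
                severity = "high" if path.startswith("/cgi-bin/") else "medium"
                findings.append({"ip": rec["ip"], "path": path, "field": name, "severity": severity})
                break
    return findings

if __name__ == "__main__":
    for finding in find_shellshock(SAMPLE_LOG):
        print(finding)
```

Point it at a real access.log by reading the file into `find_shellshock`; the second sample line is the shape of the hit you would see for this box.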

All in all, straightforward and to the point. Helps reinforce some basic concepts.