Shocker

Personal Rating: Easy

Enumeration

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

Wappalyzer shows PHP being used. Running a directory scan against the page:

feroxbuster -u http://10.10.10.56/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -C 404 -x php

I should build a wordlist that merges all the specialized wordlists in the Web-Content directory; that way I would find application-specific web dirs faster and more reliably. feroxbuster found a /cgi-bin/ directory:

This tells me that there is likely a CGI script I can attack, so I will fuzz for it:

feroxbuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -C 404

feroxbuster -u http://10.10.10.56/cgi-bin/ -C 404 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x cgi

An article I found when searching for cgi-bin recommends using nikto, so I ran it:

nikto -C all -host 10.10.10.56

This yielded nothing useful, and I must admit this was my first time using nikto.

I read a tip that CGI scripts can be written in any scripting language, so I will fuzz again with more extensions.

feroxbuster -u http://10.10.10.56/cgi-bin/ -C 404 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x cgi php sh js pl rb py

Shellshock Exploit

Since the box is called Shocker, I will look for Shellshock (CVE-2014-6271): Apache's mod_cgi hands request headers to the script as environment variables, and an unpatched bash executes whatever follows a function definition stored in an environment variable, which makes CGI scripts a classic vector for OS command injection.

The request carries a Content-Type header, and since every header reaches the script as an environment variable, that is one place to inject (any other header, such as User-Agent, works just as well):

This request gave me a shell straight away:

Internal Enumeration

uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

sudo -l showed that privesc would be easy (the lxd group membership in the id output would be another route, but sudo is quicker):

(root) NOPASSWD: /usr/bin/perl

Privilege Escalation

I could not write files:

This worked to get a root shell:

sudo /usr/bin/perl -e 'exec "/bin/sh";'
