Here is Shocker. Fairly straightforward since the name literally tells you what the box is vulnerable to. Regardless a great box to reinforce some basic concepts such as enumeration, enumerating strange directories and learning more about what the heck /cgi-bin/ is and what it’s capable of.
In a nutshell we find two open ports, a web server and an SSH service running on an unusual port. When we visit the webpage we get a picture of something that doesn’t really help us. Through basic enumeration we find the /cgi-bin/ directory and enumerate that further. We find a script running on the host machine and exploit the machine because it is vulnerable to Shellshock (surprise). The privesc is simple enough, with a quick GTFO bins execute we are root.
As for the OSCP what did this box teach me:
- Don’t ignore /cgi-bin/
- Enumerate extensions
- Always check
Shockers IP address is `10.10.10.56
A basic nmap scan returns:
nmap -sC -sV -Pn -oA nmap/initial 10.10.10.56
First step here was to visit that webserver to see if there was anything interesting there:
So our next step was to enumerate the directories on the webserver and see if we get a clue as to what is going on.
I used gobuster for this with a command of:
gobuster dir -u http://10.10.10.56 0w /usr/share/seclists/Discovery/Web-Content/common.txt -z -e
I like the
common.txt here because I find it keeps the noise to a minimum and the scans complete much quicker. In a test environment, I would use
common.txt followed by something more robust such as a
Note the /cgi-bin/ directory, good idea to check this one further. Especially for shellshock.
And lucky us there is a
/user.sh script running. When we visit the directory on the webserver we are asked to download the file. So I downloaded it and looked at the output. It seems to be a script that keeps track of the time a user spends logged in:
Because I am bit familiar with shellshock and knowing that it affects scripts in the /cgi-bin/ directory I use trusty old nmap to see if its vulnerable
Perfect! To google it is. I search for shellshock exploits and come across this nice little one liner.
All in all, straightforward to the point. Helps reinforce some basic concepts.