Hacksudo Thor is a basic machine from Vulnhub. This is probably the easiest machine from the hacksudo series that I recommend to beginners. And, I tested the machine in VirtualBox. “Hacksudo Thor Walkthrough – Vulnhub”
Link to the machine: https://www.vulnhub.com/entry/hacksudo-thor,733/
Identify the target
Firstly, we have to identify the target machine. For this, we must make sure that the attacking and the target machine are on the same network (either bridged or NAT (I prefer NAT)).
sudo netdiscover -r 10.0.0.0/24
Scan open ports
Next, we have to check the exposed services on the target.
sudo nmap -v -T4 -p- -A -oN nmap.log 10.0.0.5
Here, we see that only the HTTP port is worth enumerating further.
Enumerate the webserver
The default page didn’t give me anything. It has a form that doesn’t suffer SQL injection.
However, we can see a comment in the source of the News page that we can visit using the link. It says cgi-bin.
This hints that this apache server might suffer from shellshock vulnerability. For more information, check the following file.
It requires a shell script to be present on the machine. I guessed the filename to be shell.sh. But, we can test that using dirb.
dirb http://10.0.0.5/cgi-bin -X .sh
One point to note though, the tool gobuster doesn’t capture status code 500 by default. So, it won’t detect this file because this gives 500 by default.
Shellshock vulnerability has a Metasploit module.
Now, we have to set options. Furthermore, I don’t like the console of the Metasploit framework. So, I am also listening on port 9001 using netcat.
nc -nlvp 9001
Then, I spawned a reverse shell in the port that I am listening, i.e. 9001.
Next, I upgraded the shell. Check the following link for more information.
Privilege escalation to user
When we check the sudo permissions of a current user, we find that it can execute a script.
We can see that the user can execute a script as another user thor. Furthermore, the script suffers from code execution.
sudo -u thor /home/thor/./hammer.sh
This means that we can get the shell access of the user thor by using ‘bash’ as the input.
Now, we can simply make it better by using the following command.
SHELL=/bin/bash script -q /dev/null
Root privilege escalation
Finally, we come to the part where we can get root access. This is also quite simple. If we check the sudo permissions of the user thor, we see a binary that he can execute as root.
This can lead us to RPE.
sudo service ../../bin/bash