# Shocker Walkthrough

Hey folks, today we have the walkthrough of the interesting machine “Shocker” from [Hack The Box](https://www.hackthebox.eu/), but before we get started let’s take a look at the machine’s info

<figure><img src="https://cdn-images-1.medium.com/max/800/1*S791RYJ3UC2zHF8DzsXP6g.png" alt=""><figcaption></figcaption></figure>

It’s rated easy and involves a few CTF-style techniques, so let’s go…

## **Nmap Scan**

Let’s start by scanning for open ports, the services running on them, the OS, and other details with these options (note that `-oG` takes the output filename as its argument, so the filename must come right after it):

`nmap -A -T4 -O -oG shocker.gnmap 10.10.10.56`

> `-oG shocker.gnmap` writes grepable output to the file `shocker.gnmap`, which we will reuse in the brute-forcing step

<figure><img src="https://cdn-images-1.medium.com/max/800/1*yiDYPmyL2ACRympfD0ZSgg.png" alt=""><figcaption></figcaption></figure>

As you can see, `ssh` on port `2222` and `http` on port `80` are open. I searched for exploits for these services and also tried to brute-force the SSH credentials, but that failed.
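As an added example (not from the original post), here is a small parser for the grepable output that `-oG shocker.gnmap` produces, so the open ports can be handed to the next step as structured data instead of being read off a screenshot. The sample file content below is constructed: the closed port 22 entry and the service version strings are placeholders, not what the real scan reported.

```python
# Parse nmap "grepable" output (-oG). Each "Host:" line is made of tab-separated
# "Key: value" fields; the Ports field lists entries of the form
# port/state/protocol/owner/service/rpc-info/version/ separated by ", ".
# nmap replaces "/" inside version text with "|", so splitting on "/" is safe.

# Constructed sample of a shocker.gnmap file (not the real scan output).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -A -T4 -O -oG shocker.gnmap 10.10.10.56  (constructed sample)
Host: 10.10.10.56 ()\tStatus: Up
Host: 10.10.10.56 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//PLACEHOLDER-httpd/, 2222/open/tcp//ssh//PLACEHOLDER-sshd/\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned  (constructed sample)
"""


def parse_gnmap(text: str, states=("open",)):
    """Return a list of {host, port, proto, state, service, version} dicts for
    every port whose state is in `states` (only open ports by default)."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        if "Ports" not in fields:
            continue  # "Status: Up" lines have no Ports field
        host = fields["Host"].split()[0]  # drop the trailing "(hostname)" part
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state in states:
                findings.append({
                    "host": host,
                    "port": int(port),
                    "proto": proto,
                    "state": state,
                    "service": service,
                    "version": version,
                })
    return findings


def ports_by_service(findings):
    """Group parsed ports by service name, e.g. {"http": [80], "ssh": [2222]}."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["service"], []).append(f["port"])
    return grouped


if __name__ == "__main__":
    # With the real file you would do: open("shocker.gnmap").read()
    for f in parse_gnmap(SAMPLE_GNMAP):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} {f['version']}")
    print(ports_by_service(parse_gnmap(SAMPLE_GNMAP)))
```

Only open ports are returned by default; pass `states=("open", "closed")` (or include `"filtered"`) if the next step needs the other states too.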

## **Web Enumeration**

Now let’s explore `http:80` by browsing to `10.10.10.56:80`

You will get a blank page containing only this image

<figure><img src="https://cdn-images-1.medium.com/max/800/1*45G6WWCdP65NKN53LBcDPA.png" alt=""><figcaption></figcaption></figure>

After checking the source code I found nothing useful. Let’s look for hidden directories with `dirsearch`, `gobuster`, or `dirbuster` (use whichever you prefer).

I’ll use `gobuster` → `gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt`. It finds a bunch of interesting directories to brute-force further; one of them is `cgi-bin`, so let’s brute-force it again, this time with the extensions `pi,py,pl,sh,php`

`gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*XA47TEbT1jv4rmkIcZg1Gw.png" alt=""><figcaption></figcaption></figure>

As you can see, `user.sh` exists, so let’s fetch its content

`curl 10.10.10.56/cgi-bin/user.sh`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*W_tu2GHKRTYAonmB0Ndwew.png" alt=""><figcaption></figcaption></figure>

Nothing important.

Let’s search for the machine name: `shocker exploitation`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_vwwUuWodun9PSzwt8W2_w.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*QcHYUGx2IZ7MeJOFQ8dduA.png" alt=""><figcaption></figcaption></figure>

It seems that it’s vulnerable to a bug called `shellshock`. What’s that?

<figure><img src="https://cdn-images-1.medium.com/max/800/1*KJr8rp3PtgDzi9YDm-90kA.png" alt=""><figcaption><p>Src: <a href="https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29">https://en.wikipedia.org/wiki/Shellshock_(software_bug)</a></p></figcaption></figure>
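A short explanation and an added detection example (this code is not part of the original post): a vulnerable bash imports any environment variable whose value starts with `() {` as a function definition and then runs whatever follows the closing brace. Apache’s CGI handler exports request headers such as `User-Agent` and `Referer` as environment variables for the script it runs, so a header carrying that prologue reaches bash whenever a script like `/cgi-bin/user.sh` is requested. The scanner below applies the same `() {` signature most IDS and WAF rules use to Apache combined-format access log lines and flags hits against CGI paths as high severity. The log lines, attacker addresses and timestamps are constructed; only the target address and the `user.sh` path come from the walkthrough.

```python
import re

# Signature for the bash function-definition prologue "() {" (spaces optional),
# the marker that a Shellshock-style header value would carry.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" access log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (client IPs, timestamps and sizes are made up).
# The second line carries the canonical harmless Shellshock test string in the
# User-Agent header against the CGI script; the third carries it in the Referer
# header against a static page, where no CGI script would ever see it.
SAMPLE_LOG = [
    '10.10.14.2 - - [10/Oct/2017:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.55.1"',
    '10.10.14.2 - - [10/Oct/2017:12:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"',
    '10.10.14.3 - - [10/Oct/2017:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo test" "Mozilla/5.0"',
    '10.10.14.4 - - [10/Oct/2017:12:00:12 +0000] "GET /bug.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def is_cgi_request(request: str) -> bool:
    """True when the request line targets a CGI path, i.e. where headers reach bash."""
    parts = request.split()
    return len(parts) >= 2 and parts[1].startswith("/cgi-bin/")


def scan_access_log(lines):
    """Return one finding per log line whose request, Referer or User-Agent
    carries the Shellshock prologue; lines that are not combined-format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "request": m.group("request"),
                    # only a hit against a CGI path was actually exported to bash
                    "cgi": is_cgi_request(m.group("request")),
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    # With a real log you would do: scan_access_log(open("access.log"))
    for f in scan_access_log(SAMPLE_LOG):
        severity = "HIGH" if f["cgi"] else "LOW"
        print(f"{severity} {f['ip']} [{f['time']}] in {f['field']}: {f['request']}")
```

The real fix is patching bash so it no longer imports function definitions from arbitrary environment variables; the log scan is how you find out whether anyone tried the bug against the CGI scripts before or after the patch went in.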

So let’s search for it in `metasploit`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*odtOhMxzXl0t4d_T78Xiwg.png" alt=""><figcaption></figcaption></figure>

Okay, we will use the first module to check whether the target is vulnerable, and if the check is positive we will use the second one to exploit it

`use 0` → selects the first module

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_NUgil3GgQucEZ6TuRqfSg.png" alt=""><figcaption></figcaption></figure>

> `/cgi-bin/user.sh` is the path of the vulnerable `cgi-bin` script

As you can see, it’s vulnerable. Let’s use the exploit module → `use 5`, then set the options

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_Z9cRyIRU4ZpyEVuHZ7_RQ.png" alt=""><figcaption></figcaption></figure>

Very good, it opens a session for us, but only with user privileges

<figure><img src="https://cdn-images-1.medium.com/max/800/1*HxhW9f91ict-026OLPZhpA.png" alt=""><figcaption></figcaption></figure>

Let’s grab the user flag and then try to escalate privileges

<figure><img src="https://cdn-images-1.medium.com/max/800/1*OUy9ZznSVdhfam5TgA8fww.png" alt=""><figcaption></figcaption></figure>

Okay, for now put this session into the background by typing `background`; you will get a session id

Search for the suggester module, which scans the target and lists the local exploits it appears to be affected by

<figure><img src="https://cdn-images-1.medium.com/max/800/1*vYlWnI-VcAkBUNL8iWZPSA.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*WnGYrThyTwYhK22YjAJt0w.png" alt=""><figcaption></figcaption></figure>

Okay, it’s vulnerable to 3 of them. I used the first one and set the options as you can see

<figure><img src="https://cdn-images-1.medium.com/max/800/1*DEslmxkty9Ibtvb-SUE1MA.png" alt=""><figcaption></figcaption></figure>

Nice, we are root now. Let’s look for the root flag in the `/root` directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*2mI9slSlyObazUzIUOnjCQ.png" alt=""><figcaption></figcaption></figure>
