Shocker Walkthrough
Hey folks, today we have the walkthrough of the interesting machine βShockerβ from Hack The Box, but before we get started letβs take a look at machineβs info

Itβs easy, and it has a little bit of CTF techniques, so let's goβ¦
Nmap Scan
letβs start our scan with discovering the open ports, service running on them, OS detection and other info by this options
nmap -A -T4 -oG -O shocker.gnmap 10.10.10.56
-oG shocker.gnmap
to generategnmap
file to use it in brute-forcing step

As you can see we have ssh:2222
port is open + http:80
also is open so lets Iβve searched for exploitation for these services and also try to brute-force ssh credentials but itβs fails
Web Enumeration
Now we will start to discover http:80
by accessing this link 10.10.10.56:80
you will get a blank webpage which has only this photo

after checking the source code, I have not found anything. Letβs discover the hidden directories by dirsearch/gobuster/dirbuster
βUse one of themβ
Iβll use gobuster
β gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
you will find a bunch of interesting directories is available to brute-force on them and one of these directories is cgi-bin
so letβs try again to brute-force it with extensions pi,py,pl,sh,php
gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php

As you can see we have user.sh
is available, letβs get itβs content
curl 10.10.10.56/cgi-bin/user.sh

Nothing important
letβs search for the name of the machine shocker exploitation


It seems that itβs vulnerable to a vulnerability called shellshock
whatβs this ?
So lets search about it on metasploit

Okay we will use the first one to check of if itβs vulnerable or not then we will use the second one to exploit it if the check is true
use 0
β will let you to use the first module

/cgi-bin/user.sh
is the path of thecgi-bin
script which is vulnerable
As you can see itβs vulnerable, letβs use the exploitation β use 5
and then edit the options

Very good it opens the session for us, but in user priv

Letβs get the user flag and then try to get more priv

Okay, for now, put this session into the background by typing background
and you will get session id
Search for a suggester module which will scan our server and get all vulnerabilities which itβs affected by


Okay itβs vulnerable to 3 vulnerabilities, Iβve used the first one and edited the options as you can see

Nice, we are root now, let's search for the root flag into /root
directory

Last updated