🔐
EAkl Blog
  • 👋Welcome!
  • 🐛Web Application Findings
    • Cisco BroadWorks Vulnerabilities CVE-2021–34785 & CVE-2021–34786
    • Authentication bypass using empty parameters.
    • IDOR at Login function leads to leak user’s PII data
  • ℹ️Recon automation, tips and tricks
    • Simple Recon Methodology
    • How to write a simple script to automate finding bugs
  • 🔐Hack The Box Machines
    • Feline Walkthrough
    • Reel2 Walkthrough
    • Active Walkthrough
    • PopCorn Walkthrough
    • Jewel Walkthrough
    • Passage Walkthrough
    • Time Walkthrough
    • Devel Walkthrough
    • Lame Walkthrough
    • Beep Walkthrough
    • Blue Walkthrough
    • Jerry Walkthrough
    • Optimum Walkthrough
    • Grandpa Walkthrough
    • Legacy Walkthrough
    • Mirai Walkthrough
    • Valentine Walkthrough
    • Shocker Walkthrough
    • Netmon Walkthrough
    • Bank Walkthrough
    • Granny Walkthrough
    • Tabby Walkthrough
    • Access Walkthrough
    • Swagshop Walkthrough
    • OpenAdmin Walkthrough
    • Remote Walkthrough
    • Sauna Walkthrough
    • FriendZone Walkthrough
    • Hack The Box — Networked
    • Hack The Box — Forest
    • Hack The Box — WriteUP
    • Hack The Box — Academy
    • Hack The Box — Luanne
  • 🏴‍☠️CTF Challenges
    • CTF CyberTalents  — Bypass the world Writeup
    • CTF CyberTalents — Admin Gate First
    • CTF CyberTalents — Inbox
    • CTFlearn — Inj3ction Time
    • CTF ringzer0ctf — Challenge Access List
    • CTF ringzer0ctf — Login portal 2
    • CTF ringzer0ctf — SQLi challenges — part 1
    • CTF ringZer0ctf — Login form
  • 🔴Red Teaming Tips & Tricks
    • MOTW Defensive and Bypass techniques
  • ☁️Cloud Security
    • [Azure] Real Example to know different types of app concepts in Azure
    • [Azure] What To Do If?
Powered by GitBook
On this page
  • Nmap Scan
  • Web Enumeration
  1. Hack The Box Machines

Shocker Walkthrough

PreviousValentine WalkthroughNextNetmon Walkthrough

Last updated 2 years ago

Hey folks, today we have the walkthrough of the interesting machine “Shocker” from , but before we get started let’s take a look at machine’s info

It’s easy, and it has a little bit of CTF techniques, so let's go…

Nmap Scan

let’s start our scan with discovering the open ports, service running on them, OS detection and other info by this options

nmap -A -T4 -oG -O shocker.gnmap 10.10.10.56

-oG shocker.gnmap to generate gnmap file to use it in brute-forcing step

As you can see we have ssh:2222 port is open + http:80 also is open so lets I’ve searched for exploitation for these services and also try to brute-force ssh credentials but it’s fails

Web Enumeration

Now we will start to discover http:80 by accessing this link 10.10.10.56:80

you will get a blank webpage which has only this photo

after checking the source code, I have not found anything. Let’s discover the hidden directories by dirsearch/gobuster/dirbuster “Use one of them”

I’ll use gobuster → gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt you will find a bunch of interesting directories is available to brute-force on them and one of these directories is cgi-bin so let’s try again to brute-force it with extensions pi,py,pl,sh,php

gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php

As you can see we have user.sh is available, let’s get it’s content

curl 10.10.10.56/cgi-bin/user.sh

Nothing important

let’s search for the name of the machine shocker exploitation

It seems that it’s vulnerable to a vulnerability called shellshock what’s this ?

So lets search about it on metasploit

Okay we will use the first one to check of if it’s vulnerable or not then we will use the second one to exploit it if the check is true

use 0 → will let you to use the first module

/cgi-bin/user.sh is the path of the cgi-bin script which is vulnerable

As you can see it’s vulnerable, let’s use the exploitation → use 5 and then edit the options

Very good it opens the session for us, but in user priv

Let’s get the user flag and then try to get more priv

Okay, for now, put this session into the background by typing background and you will get session id

Search for a suggester module which will scan our server and get all vulnerabilities which it’s affected by

Okay it’s vulnerable to 3 vulnerabilities, I’ve used the first one and edited the options as you can see

Nice, we are root now, let's search for the root flag into /root directory

Src:
🔐
Hack The Box
https://en.wikipedia.org/wiki/Shellshock_(software_bug)