Shocker Walkthrough
Hey folks, today we have the walkthrough of the interesting machine "Shocker" from Hack The Box, but before we get started let's take a look at the machine's info.

It's easy, with a little bit of CTF-style technique, so let's go...
Nmap Scan
Let's start by discovering the open ports, the services running on them, the OS and other info with these options:
nmap -A -T4 -O -oG shocker.gnmap 10.10.10.56
-oG shocker.gnmap
writes the results in grepable (gnmap) format to a file that we can reuse in the brute-forcing step.

As you can see, ssh on port 2222 and http on port 80 are open. I searched for exploits for these services and also tried to brute-force the ssh credentials, but that failed.
Web Enumeration
Now we will start discovering http on port 80. By browsing to 10.10.10.56:80
you get a blank web page that contains only this photo:

After checking the source code I found nothing, so let's discover the hidden directories with dirsearch, gobuster or dirbuster (use any one of them). I'll use gobuster:
gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
You will find a bunch of interesting directories to brute-force further, and one of them is cgi-bin,
so let's brute-force it again, this time with the extensions pi,py,pl,sh,php:
gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php

As you can see, user.sh is available; let's get its content:
curl 10.10.10.56/cgi-bin/user.sh

Nothing important. Let's search the web for the name of the machine together with "exploitation" (shocker exploitation).


It seems that it's vulnerable to a vulnerability called Shellshock.
What's this?
So let's search for it in Metasploit.

Okay, we will use the first module to check whether it's vulnerable or not, and then the second one to exploit it if the check comes back true.
use 0
will select the first module.

/cgi-bin/user.sh
is the path of the vulnerable cgi-bin script.
As you can see, it's vulnerable, so let's switch to the exploit module with
use 5
and then edit the options.
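Before exploiting, here is the defender's side of the same step, as an added example that is not part of the original walkthrough: Shellshock probes carry a bash function definition, "() {", in a request field that the CGI handler exports into the environment of scripts like /cgi-bin/user.sh, so they can be spotted in the web server's access log. The combined log format, the 10.10.14.2 client address and the sample lines are constructed assumptions, not data from the box.

```python
import re
from dataclasses import dataclass

# Apache/NCSA "combined" access log: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock payloads start with a bash function definition, "() {", placed in a field that
# mod_cgi exports into the script's environment (User-Agent, Referer, the request line itself).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

@dataclass
class Hit:
    host: str    # client address that sent the request
    path: str    # requested path (here the CGI script)
    field: str   # which logged field carried the pattern
    status: int  # HTTP status the server returned

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock_attempts(lines):
    """One Hit per line whose request, Referer or User-Agent carries the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line: skip it, do not abort the scan
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else rec["request"]
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["host"], path, field, int(rec["status"])))
                break  # one hit per line is enough
    return hits

# Constructed sample lines (not from the box): a benign request, two probes of the
# CGI script found above (pattern in User-Agent, then in Referer), and a malformed line.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Oct/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Oct/2017:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"',
    '10.10.14.2 - - [01/Oct/2017:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo vulnerable" "curl/7.55.1"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h.host} -> {h.path} via {h.field} (status {h.status})")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; the third sample line shows why the Referer field has to be checked too, not only the User-Agent.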

Very good, it opens a session for us, but only with user privileges.

Let's get the user flag and then try to escalate our privileges.

Okay, for now put this session into the background by typing background,
and you will get a session id.
Search for the suggester module, which scans our target and lists the local vulnerabilities it is affected by.


Okay, it's vulnerable to 3 vulnerabilities. I used the first one and edited the options as you can see.

Nice, we are root now. Let's look for the root flag in the /root
directory.
