Shocker Walkthrough
Hey folks, today we have the walkthrough of the interesting machine βShockerβ from Hack The Box, but before we get started letβs take a look at machineβs info
Itβs easy, and it has a little bit of CTF techniques, so let's goβ¦
Nmap Scan
letβs start our scan with discovering the open ports, service running on them, OS detection and other info by this options
nmap -A -T4 -oG -O shocker.gnmap 10.10.10.56
-oG shocker.gnmapto generategnmapfile to use it in brute-forcing step
As you can see we have ssh:2222 port is open + http:80 also is open so lets Iβve searched for exploitation for these services and also try to brute-force ssh credentials but itβs fails
Web Enumeration
Now we will start to discover http:80 by accessing this link 10.10.10.56:80
you will get a blank webpage which has only this photo
after checking the source code, I have not found anything. Letβs discover the hidden directories by dirsearch/gobuster/dirbuster βUse one of themβ
Iβll use gobuster β gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt you will find a bunch of interesting directories is available to brute-force on them and one of these directories is cgi-bin so letβs try again to brute-force it with extensions pi,py,pl,sh,php
gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php
As you can see we have user.sh is available, letβs get itβs content
curl 10.10.10.56/cgi-bin/user.sh
Nothing important
letβs search for the name of the machine shocker exploitation
It seems that itβs vulnerable to a vulnerability called shellshock whatβs this ?
So lets search about it on metasploit
Okay we will use the first one to check of if itβs vulnerable or not then we will use the second one to exploit it if the check is true
use 0 β will let you to use the first module
/cgi-bin/user.shis the path of thecgi-binscript which is vulnerable
As you can see itβs vulnerable, letβs use the exploitation β use 5 and then edit the options
Very good it opens the session for us, but in user priv
Letβs get the user flag and then try to get more priv
Okay, for now, put this session into the background by typing background and you will get session id
Search for a suggester module which will scan our server and get all vulnerabilities which itβs affected by
Okay itβs vulnerable to 3 vulnerabilities, Iβve used the first one and edited the options as you can see
Nice, we are root now, let's search for the root flag into /root directory
Last updated