Shocker Walkthrough

Hey folks, today we have the walkthrough of the interesting machine “Shocker” from Hack The Box, but before we get started let’s take a look at the machine’s info.

It’s rated easy and involves a little CTF-style technique, so let’s go…

Nmap Scan

Let’s start our scan by discovering the open ports, the services running on them, the OS, and other info with these options:

nmap -A -T4 -O -oG shocker.gnmap 10.10.10.56

-oG shocker.gnmap writes the greppable output to a file that we can feed to the brute-forcing step later.

As you can see, SSH is open on port 2222 and HTTP on port 80. I searched for exploits against these services and also tried to brute-force the SSH credentials, but that failed.
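The greppable file written by -oG is easy to post-process. The following Python parser is an added example, not part of the original walkthrough: it reads gnmap output and lists the open services per host, which is exactly the input a later brute-force or patch-review step wants. The gnmap text embedded in it is a constructed sample modelled on this scan; the version banners are placeholders, not the box’s real ones.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "greppable" output (-oG), modelled on the scan in
# the walkthrough. The version strings are placeholders, not real banners.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -A -T4 -O -oG shocker.gnmap 10.10.10.56
Host: 10.10.10.56 ()\tStatus: Up
Host: 10.10.10.56 ()\tPorts: 80/open/tcp//http//Apache httpd (placeholder version)/, 2222/open/tcp//ssh//OpenSSH (placeholder, protocol 2.0)/\tIgnored State: closed (998)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
"""

# One port entry is seven '/'-separated fields ending in '/':
#   port/state/protocol/owner/service/rpc-info/version/
# nmap rewrites any '/' inside a version string as '|', so [^/]* is safe for
# the version field. Commas inside versions are NOT escaped, which is why the
# entries are matched with a regex instead of splitting the section on ", ".
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/"
)


def parse_gnmap(text):
    """Return {host: [{port, proto, state, service, version}, ...]} for every
    Host: line that carries a Ports: section."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and anything else
        sections = line.split("\t")       # "Host: ...", "Status: ..." / "Ports: ..."
        host = sections[0].split()[1]     # "Host: 10.10.10.56 ()" -> "10.10.10.56"
        for section in sections[1:]:
            key, _, value = section.partition(": ")
            if key != "Ports":
                continue
            for m in PORT_RE.finditer(value):
                results[host].append({
                    "port": int(m["port"]),
                    "proto": m["proto"],
                    "state": m["state"],
                    "service": m["service"],
                    "version": m["version"],
                })
    return dict(results)


def open_services(parsed, host):
    """(port, service) pairs that are open on one host, sorted by port. This is
    the list a targeted brute-force or a patch review would work from."""
    return sorted(
        (p["port"], p["service"]) for p in parsed.get(host, []) if p["state"] == "open"
    )


if __name__ == "__main__":
    import sys
    # Pass a real .gnmap path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    parsed = parse_gnmap(text)
    for host, ports in parsed.items():
        for p in ports:
            print(f"{host}\t{p['port']}/{p['proto']}\t{p['state']}\t{p['service']}\t{p['version']}")
```

Run it with the path of your own shocker.gnmap as the first argument; without an argument it prints the constructed sample, which yields 80/http and 2222/ssh for 10.10.10.56.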

Web Enumeration

Now we will start to explore HTTP on port 80 by browsing to 10.10.10.56:80.

You will get a nearly blank web page that contains only this photo:

After checking the page source, I found nothing of interest. Let’s discover the hidden directories with dirsearch, gobuster, or dirbuster (use whichever you prefer).

I’ll use gobuster:

gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt

You will find a bunch of interesting directories available to brute-force, and one of them is cgi-bin, so let’s brute-force that directory again, this time with the extensions pi, py, pl, sh and php:

gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php

As you can see, user.sh is available; let’s fetch its content:

curl 10.10.10.56/cgi-bin/user.sh

Nothing important there.

Let’s search the web for the machine’s name, “shocker”, together with “exploitation”.

It seems that it’s vulnerable to a bug called Shellshock. What’s this?

So let’s search for it in Metasploit:

Okay, we will use the first module to check whether it’s vulnerable, and then the second one to exploit it if the check comes back positive.

use 0 → selects the first module

/cgi-bin/user.sh is the path of the vulnerable CGI script.
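Shellshock is a bug in how bash handled function definitions passed in through environment variables, and a CGI script written in bash receives HTTP headers such as User-Agent and Referer as environment variables, which is why a bash CGI like /cgi-bin/user.sh is the exposure here. From the defender’s side the probes are easy to spot in the web server logs. The Python below is an added example, not part of the original walkthrough or of any Metasploit module: it parses Apache combined-format access log lines and flags requests whose Referer or User-Agent carries the Shellshock function-definition marker that public IDS and WAF signatures look for. The log lines are constructed samples (client address, timestamps and header text are made up); the remedies remain the usual ones, a patched bash and no shell-script CGI reachable from the network.

```python
import re

# Constructed sample of Apache "combined" access-log lines (client IP, timestamps
# and header text are made up for this example). Lines 2 and 3 carry the
# Shellshock marker in the User-Agent and Referer respectively; line 4 is a
# normal browser User-Agent with ordinary parentheses and must not match.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2020:12:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.x"
10.10.14.2 - - [01/Jan/2020:12:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/true"
10.10.14.2 - - [01/Jan/2020:12:00:06 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo probe" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2020:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# ip ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Vulnerable bash treated an environment value as an exported function when it
# began with "() {"; matching that token sequence in any header is what the
# public IDS/WAF signatures for Shellshock do.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Only header-derived values that a bash CGI sees as environment variables and
# that the combined format actually logs (HTTP_REFERER, HTTP_USER_AGENT) are
# checked; Cookie and other headers are not logged by default, a gap to keep
# in mind when triaging.
CHECKED_FIELDS = ("referer", "user_agent")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_fields(entry):
    """Names of the logged header fields that carry the Shellshock marker."""
    return [f for f in CHECKED_FIELDS if SHELLSHOCK_RE.search(entry[f])]


def scan_log(lines):
    """Flag every request whose logged headers carry the marker, noting whether
    it was aimed at a CGI path (the only place the marker can do anything)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None:
            continue                      # malformed or non-combined line
        fields = shellshock_fields(entry)
        if fields:
            hits.append({
                "line": number,
                "ip": entry["ip"],
                "path": entry["path"],
                "status": int(entry["status"]),
                "fields": fields,
                "cgi": entry["path"].startswith("/cgi-bin/"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['path']} "
              f"(status {hit['status']}) marker in {', '.join(hit['fields'])}"
              f"{' [CGI target]' if hit['cgi'] else ''}")
```

On the sample it reports lines 2 and 3 only, both aimed at /cgi-bin/user.sh; the same functions can be pointed at a real access.log by feeding the file’s lines to scan_log.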

As you can see it’s vulnerable, so let’s move to the exploit module → use 5, and then set the options.

Very good, it opens a session for us, but only with user privileges.

Let’s grab the user flag and then try to escalate our privileges.

Okay, for now, put this session into the background by typing background; you will get a session id.

Search for the suggester module, which will scan our target and list the local exploits it appears to be affected by.

Okay, it’s vulnerable to three of them; I used the first one and set the options as you can see.

Nice, we are root now; let’s look for the root flag in the /root directory.
