Shocker Walkthrough
Hey folks, today we have the walkthrough of the interesting machine âShockerâ from Hack The Box, but before we get started letâs take a look at machineâs info

Itâs easy, and it has a little bit of CTF techniques, so let's goâŠ
Nmap Scan
letâs start our scan with discovering the open ports, service running on them, OS detection and other info by this options
nmap -A -T4 -oG -O shocker.gnmap 10.10.10.56
-oG shocker.gnmap
to generategnmap
file to use it in brute-forcing step

As you can see we have ssh:2222
port is open + http:80
also is open so lets Iâve searched for exploitation for these services and also try to brute-force ssh credentials but itâs fails
Web Enumeration
Now we will start to discover http:80
by accessing this link 10.10.10.56:80
you will get a blank webpage which has only this photo

after checking the source code, I have not found anything. Letâs discover the hidden directories by dirsearch/gobuster/dirbuster
âUse one of themâ
Iâll use gobuster
â gobuster -u 10.10.10.56 -w /usr/share/dirb/wordlists/common.txt
you will find a bunch of interesting directories is available to brute-force on them and one of these directories is cgi-bin
so letâs try again to brute-force it with extensions pi,py,pl,sh,php
gobuster -u 10.10.10.56/cgi-bin -w /usr/share/dirb/wordlists/common.txt -x pi,py,pl,sh,php

As you can see we have user.sh
is available, letâs get itâs content
curl 10.10.10.56/cgi-bin/user.sh

Nothing important
letâs search for the name of the machine shocker exploitation


It seems that itâs vulnerable to a vulnerability called shellshock
whatâs this ?
So lets search about it on metasploit

Okay we will use the first one to check of if itâs vulnerable or not then we will use the second one to exploit it if the check is true
use 0
â will let you to use the first module

/cgi-bin/user.sh
is the path of thecgi-bin
script which is vulnerable
As you can see itâs vulnerable, letâs use the exploitation â use 5
and then edit the options

Very good it opens the session for us, but in user priv

Letâs get the user flag and then try to get more priv

Okay, for now, put this session into the background by typing background
and you will get session id
Search for a suggester module which will scan our server and get all vulnerabilities which itâs affected by


Okay itâs vulnerable to 3 vulnerabilities, Iâve used the first one and edited the options as you can see

Nice, we are root now, let's search for the root flag into /root
directory

Last updated