Hack The Box: Shocker Walkthrough without Metasploit

SHOCKER

Shocker is rated Easy on HTB; however, for me it was a great learning experience.

So, let's learn some "shocking exploitation" without Metasploit.

Machine: Shocker
OS: Linux
IP: 10.10.10.56

Enumeration

A simple bash script that uses Nmap to enumerate the host (the script is shown as an image below).

Don't forget to give the script executable permission before running it.

chmod +x en.sh

en.sh
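The page shows the enumeration script only as an image, so here is an added stand-in (my own example, not the author's en.sh) that does the same job in two passes: a fast sweep of all TCP ports, then a version and default-script scan restricted to the ports that came back open. The target IP and the `scans/` output directory are assumptions; it expects `nmap` on the PATH and a reachable target (for example over the HTB VPN).

```bash
#!/usr/bin/env bash
# enum.sh - added example, not the author's en.sh.
# Pass 1: sweep all TCP ports quickly (grepable output for parsing).
# Pass 2: -sC -sV only on the ports found open, saved under ./scans/<target>/.
set -euo pipefail

# Extract open ports from Nmap "grepable" (-oG) output on stdin as a comma list.
# Reads stdin so it can be exercised offline on a saved or constructed line.
open_ports() {
    { grep -o '[0-9]\+/open/' || true; } | cut -d/ -f1 | paste -sd, -
}

# Full enumeration procedure; only runs when a target is given explicitly.
enum_host() {
    local target="$1"
    local out="scans/$target"      # assumed output location
    mkdir -p "$out"

    # 1) all-TCP-port sweep; -oG writes the grepable file we parse below
    nmap -p- --min-rate 1000 -oG "$out/allports.gnmap" "$target" > /dev/null
    local ports
    ports=$(open_ports < "$out/allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports"

    # 2) version detection + default NSE scripts, only on discovered ports
    nmap -sC -sV -p "$ports" -oN "$out/services.nmap" "$target"
}

# Usage: ./enum.sh 10.10.10.56
if [ -n "${1:-}" ]; then
    enum_host "$1"
else
    # Constructed sample line in Nmap -oG format (not real scan output),
    # so the parser can be tried without a target.
    sample='Host: 10.10.10.56 ()	Ports: 80/open/tcp//http///, 2222/open/tcp//ssh///'
    echo "sample parse: $(printf '%s\n' "$sample" | open_ports)"   # 80,2222
fi
```

Splitting the scan this way keeps the slow `-sC -sV` work off the 65k-port sweep; on this box the second pass is what reveals the Apache and OpenSSH versions listed in the next section.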

Results

Enumeration Results

Points to Consider

  1. A website is hosted on port 80. Apache → 2.4.18 (http)
  2. SSH on port 2222. OpenSSH → 7.2p2 (username enumeration is possible against this version)

Let’s visit the site.

http://10.10.10.56

Don’t know what “Don’t Bug Me!” means… or if it means anything at all…

Let's enumerate further using DirBuster.

Dirbuster

Set the number of threads to 20, 30 or more, depending on your machine's hardware.

For the file with the list of dirs/files, go to Browse and select the path "/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt".

One can use any other list as they wish; I am using the one mentioned above.

It is a good habit to set the file extensions whenever DirBuster is used.

Here it will look for .php, .py, .sh, .txt and .perl files inside the discovered directories.

Dirbuster Result

Umm… a .sh file can be seen… (told you it is a good habit)

Let's download it and see if there is anything inside. It is found under /cgi-bin/.

user.sh

arggggghhh!!! No clues.

We found only two directories in our DirBuster result: cgi-bin and icons.

Literally no idea at this point what cgi-bin and icons are about… but what is known is that there is a directory called cgi-bin with a shell (.sh) script inside it, plus the icons directory. I have seen .sh scripts as bash scripts previously.

Let’s see what the internet has to say…

Shellshock

Ohhhh, so that is why this machine is called Shocker. Interesting…

Let's see what exploits we have for the word Shellshock.

Searchsploit Result

I got many results; however, I was confused between these two:

  1. Bash — ‘Shellshock’ Environment Variables Command Injection
  2. Bash CGI — ‘Shellshock’ Remote Command Injection (Metasploit)

As we are doing this without Metasploit, I chose the first.

I looked up the CVE from the exploit's path and searched for it.

CVE: CVE-2014-6271

Exploitation

I found one repository showing one-liners to exploit the flaw and modified the first one using the reverse shell cheat sheet from pentestmonkey. The injection works because Apache's mod_cgi passes request headers to the CGI script as environment variables (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash executes any command appended to a function definition stored in one of them.

payload

Before firing the payload, run Netcat in listening mode on port 1234, since the payload above points at port 1234.

user-shelly

We got the exploit right and we have the user shell.

user.txt

We got the user.txt flag; now we have to find the root.txt flag.

At this point, privilege escalation techniques should be applied to get root access.

I got to learn that the first command after "whoami" must be "sudo -l" whenever access is gained.

sudo -l is used to check what sudo rights the current user has.

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

The shelly user has permission to run the perl command as root, without a password.

So I found a one-liner again, after searching on the internet, to gain root access. Because sudo runs perl as root, perl's exec replaces that process with a root bash.

sudo perl -e 'exec "/bin/bash";'

Hey there, Root

Let’s get the root.txt flag

root.txt

Thank you for finding this helpful.

Please click the clap button if you learned anything new today.
