Hack The Box: Shocker

Synopsis: Shocker was another straightforward machine with the Shellshock vulnerability. Enumeration is key to learn that it is vulnerable and then again to find that the user shelly has the ability to run perl with full system privileges.


Nmap to see what we have to work with.

Port 80 doesn’t show anything of significant interest.

Next step is to enumerate pages in the site. cgi-bin is of interest because it “is a folder used to house scripts that will interact with a Web browser”.

Not sure why I bothered to check seeing as dirb told me it was 403.

Enumerating further with gobuster and a wordlist, we locate a bunch of different scripts. “user.sh” is of particular interest, especially since it’s the only one we can get to. Some research points us to this machine possibly being vulnerable to Shellshock!

This exploit seems to fit our needs.

A little more research confirms that this should work!

Set up msf with all of the appropriate information and we are in!

The user flag is there for the taking without any privilege escalation. The same can’t be said for the root flag, however.

sudo -l is always one of the first things I look for when trying to escalate privileges. Happily, shelly can run perl with impunity. Let’s use that to create a root shell.

boom
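
The defender's side of the sudo finding above, as an added example that is not part of the original writeup: a small audit that flags sudoers rules letting a user run a shell-capable program such as perl as root. The parser is simplified (no alias expansion or escaped commas), and the sample rules and the SHELL_CAPABLE list are constructed assumptions.

```python
import re

# Programs that can spawn a shell or run arbitrary code; a sudo rule for any
# of them is effectively full root. Starter list (assumption), extend locally.
SHELL_CAPABLE = {"perl", "python", "ruby", "bash", "sh", "awk", "vim", "find"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# user host = (runas) [TAG:] cmd, cmd ...
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV)):\s*")

def audit_sudoers(text):
    """Return (user, command, nopasswd) for rules that amount to root access."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        # No runas list means root; only rules that can run as root matter here.
        runas = {u.strip() for u in (m["runas"] or "root").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue
        nopasswd = False                          # tags carry over to later commands
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t[1].endswith("PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):    # negated entries grant nothing
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            base = re.sub(r"[\d.]+$", "", name)   # perl5.22 -> perl, python3 -> python
            if cmd == "ALL" or base in SHELL_CAPABLE:
                findings.append((m["who"], cmd, nopasswd))
    return findings

# Constructed sudoers sample; the shelly rule is an assumed form, not copied from the box.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) /usr/sbin/service apache2 restart, !/bin/sh
deploy  ALL=(www-data) NOPASSWD: /usr/bin/python3
"""

if __name__ == "__main__":
    for user, cmd, nopasswd in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} as root ({'NOPASSWD' if nopasswd else 'password required'})")
```

Any non-root account that shows up in the findings should have the rule removed or narrowed to a fixed, non-interpreter command.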
