HackTheBox: Shocker Walkthrough

3 min readFeb 19, 2020

Shellshock was one of the most famous vulnerabilities of the last decade, if not ever. The vulnerability existed because of how bash interpreted the specific string “() { : ; };”. Using this string, a user could inject any command they wanted. Shocker provides an easy machine to demonstrate this ability, so let’s get into it.

Enumeration

As always, I began with a staged port scan:

This revealed a web server with ssh enabled. Pretty standard stuff. I decided to run gobuster and visit the webpage to enumerate further after this:

Gobuster initially revealed nothing, but running it again with the --addslash flag revealed much more. After that, I searched within cgi-bin for potential scripts that could be publicly accessible. I found a script called user.sh, which is interesting.

Visiting the website yielded nothing of interest.

Back to the script I found. Its existence, in combination with the version of Apache discovered in the nmap scan, indicates there’s a high probability that this server is vulnerable to Shellshock.

I decided to try to exploit that.

Exploitation

To validate my hypothesis that this server was vulnerable to shellshock, I ran a simple curl statement that would, if vulnerable, return “hello”. Here’s what that looked like:

Notes about the command: -H set the User-Agent header to “() { :; }; echo Content-Type: text/html; echo; echo “hello” “. The first part is obviously the famous Shellshock command. The second part, “echo Content-Type: text/html”, makes the output human-readable via curl. The third part is required for running the exploit against Apache and simply prints a blank line. The last part is the command we want to run. Moving on.

The curl statement return hello, which is exactly what we wanted.

Now to exploit the vulnerability, I simply created a reverse shell and caught it with netcat, which went like this:

Got a shell. Now time for some internal enumeration and privesc.

Internal Enumeration and Privilege Escalation

For this box, only basic enumeration was necessary. I grabbed the OS version. user information, and sudo permissions.

Shelly can run perl scripts as root. The path to root is obvious now, and looks like this:

So that’s it!

This box was an easy boot-to-root and a great medium for learning a bit of computer science history. Until next time!

Written by Matt Johnson

11 Followers

Freelance cybersecurity consultant based in Düsseldorf, Germany.

Recommended from Medium

CozyHosting | HackTheBox HTB Seasonal Writeup Walkthrough

@AnderAttacks

CozyHosting | HackTheBox HTB Seasonal Writeup Walkthrough

Hey! Let’s start by adding provided IP to our hosts

3 min readSep 4

Mohit Jakhar

Blue (Eternal Blue) - TryHackMe CTF

Walk-through on the CTF challenge “BLUE” or “Eternal Blue” on TryHackMe. You can access this room from…

4 min readSep 17

Lists

Staff Picks

456 stories300 saves

Stories to Help You Level-Up at Work

19 stories226 saves

Self-Improvement 101

20 stories616 saves

Productivity 101

20 stories569 saves

Imène ALLOUCHE

Hack The Box CozyHosting Writeup

Released By : Imène ALLOUCHE

8 min readSep 9

Pradip Dey (Bunny)

CozyHosting (HackTheBox) Writeup

The “CozyHosting” machine is created by “commandercool”. This is an easy machine with a strong focus on web application security…

5 min readSep 16

@Subhankar Paul

HackTheBox : Jupiter

Intro: This is my new writeup on HackTheBox ‘Machine’ Jupiter. It is little difficult free machine. Here you will find Command Injection…

7 min readJun 25

Mr Jokar
in
System Weakness

“Inception” WriteUp | HackThebox | Proxychain and Chisel to Pivot

Summary : This machine requires a known software’s LFI exploit that leads to clear text credential to webdav exploit. Then we get a…

14 min readMar 30

See more recommendations

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Text to speech
Teams