
HackTheBox: Shocker Walkthrough

Feb 19, 2020

Shellshock was one of the most famous vulnerabilities of the last decade, if not ever. The vulnerability existed because of how bash interpreted the specific string “() { :; };”: bash treated any environment variable whose value began with that prefix as a function definition, and it kept executing whatever followed the closing brace. Using this string, a user could inject any command they wanted into any program that passed attacker-controlled input to bash through the environment. Shocker provides an easy machine to demonstrate this ability, so let’s get into it.

Enumeration

As always, I began with a staged port scan:

This revealed a web server and an SSH service. Pretty standard stuff. I decided to run gobuster and visit the webpage to enumerate further after this:

Gobuster initially revealed nothing, but running it again with the --addslash flag revealed much more. After that, I searched within cgi-bin for potential scripts that could be publicly accessible. I found a script called user.sh, which is interesting.

Visiting the website yielded nothing of interest.

Back to the script I found. Its existence, in combination with the version of Apache discovered in the nmap scan, indicates there’s a high probability that this server is vulnerable to Shellshock.

I decided to try to exploit that.

Exploitation

To validate my hypothesis that this server was vulnerable to Shellshock, I ran a simple curl statement that would, if vulnerable, return “hello”. Here’s what that looked like:

Notes about the command: -H sets the User-Agent header to “() { :; }; echo Content-Type: text/html; echo; echo hello”. The first part is obviously the famous Shellshock string. The second part, “echo Content-Type: text/html”, makes the output human-readable via curl. The third part, the bare “echo”, is required for running the exploit against Apache: it prints the blank line that ends the CGI response headers, without which Apache rejects the script’s output with a server error. The last part is the command we want to run. Moving on.
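As an added example (not part of the original walkthrough), here is a small Python scanner that reads Apache combined-format access log lines and flags requests whose CGI-exposed fields carry the bash function prefix described above. The log lines and the addresses in them are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache writes embedded double quotes as \", so quoted fields allow escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    + r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)

# The exported-function prefix bash looked for: "(", ")", "{" with optional
# whitespace. Matching loosely catches "() {", "(){" and "() { :; };" alike.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")

# mod_cgi copies these request fields into the script's environment, which is
# how a payload placed in any of them reached bash.
CGI_ENV_FIELDS = ("request", "referer", "agent")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line whose CGI-exposed fields carry "() {"."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for field in CGI_ENV_FIELDS:
            if SHELLSHOCK.search(entry[field]):
                findings.append({"host": entry["host"], "time": entry["time"],
                                 "request": entry["request"], "field": field})
                break  # one finding per line is enough for triage
    return findings


# Constructed sample entries (placeholder addresses), not real log data.
SAMPLE_LOG = [
    '10.10.14.2 - - [19/Feb/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" '
    '"Mozilla/5.0 (compatible; \\"bot\\")"',
    '10.10.14.2 - - [19/Feb/2020:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 118 "-" "() { :; }; echo Content-Type: text/html; echo; echo hello"',
    '10.10.14.2 - - [19/Feb/2020:10:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 0 "(){ :;}; echo probe" "curl/7.68.0"',
]
```

Calling scan_log(SAMPLE_LOG) returns the two probing requests, naming the field (User-Agent or Referer) that carried the prefix; the first entry parses cleanly despite its escaped quotes and is not flagged.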

The curl statement returned hello, which is exactly what we wanted.

Now to exploit the vulnerability, I simply created a reverse shell and caught it with netcat, which went like this:

Got a shell. Now time for some internal enumeration and privesc.

Internal Enumeration and Privilege Escalation

For this box, only basic enumeration was necessary. I grabbed the OS version, user information, and sudo permissions.

Shelly can run Perl scripts as root via sudo. The path to root is obvious now, and looks like this:

So that’s it!

This box was an easy boot-to-root and a great medium for learning a bit of computer science history. Until next time!


Written by Matt Johnson

Freelance cybersecurity consultant based in Düsseldorf, Germany.
