HacktheBox — Shocker

The ip address of the retired machine is 10.10.10.56

Ran nmap with below options:

nmap -sC -sV -oA nmap_output

Observe there is an 80 port open, let’s visit the 80 port on the page.

Observe the home web page say a bug and also the machine name is shocker, so I guessed it has to do something with shellshock.

I ran dirbuster and there is cgi-bin, but 403 error.

So ran dirbuster on cgi-bin with below options, such as file extension as sh, because we need to run some command with the script.

Observe the user.sh is 200 response,

Use below shocker.py file present in the below github link:

open a netcat listener on the attacker machine and run the shocker.py for reverse connection.

observe we got shell, let’s see any sudo programs being run.

observe shell user can run perl with sudo permissions, so open shell with perl so that shell will run with room eid.

yaay! and we got root privileges as seen in the above image by running :

Perl to execute bin/bash with -e option.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
dl padmavathi

I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu