Shocker
This is my write-up for the machine called Shocker on the Hack The Box website located at: https://app.hackthebox.com/machines/Shocker.
I am a beginner at penetration testing, so I will be referencing the Official Hack The Box Walk-through for this machine.
nmap scan (basic):
From the basic scan, we can see that http and another service are running. Running a deeper nmap scan (sudo nmap -T4 -A -v -sS 10.10.10.56 -oN shocker.nmap) shows the same ports being open:
On the main page of the website, we see the following:
The source code doesn't seem to give away much:
At this point, after multiple gobuster and feroxbuster runs, I had to see what I missed in the write-up. What I had missed was running DirBuster with the wordlist of directory-list-lowercase-2.3-medium.txt and with the extensions of cgi, sh, pl, py. This got me the following file:
Downloading that file, and reading its contents provides us with the following:
Going back to the write-up, we are able to see that this is a shellshock exploit, and there is a module on Metasploit. I was able to find it on Metasploit:
I was able to get a shell after filling in the information:
Looking in the user directory, I was able to get the user.txt flag:
With the shell in meterpreter, I was unable to run the commands that I wanted to run. I then found https://www.exploit-db.com/exploits/34900 with the recommendation from the write-up. I was then able to get a reverse shell on the system:
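As an added defender-side illustration (not part of the original write-up or the Hack The Box material), the following Python script shows what the two activities above leave behind in an Apache access log: the directory brute-forcing (a burst of 404s from one source, probing cgi/sh/pl/py names) and a Shellshock attempt (a bash function definition, "() {", carried in a header that the CGI handler exports as an environment variable). The combined log format, the sample IPs, the /cgi-bin/script.sh path and the log lines themselves are constructed assumptions, not data from the box.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock rides in any header the web server exports to the CGI script as an
# environment variable; the tell-tale is a bash function definition, "() {".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines, scan_threshold=5):
    """Return Shellshock hits and sources that look like directory brute-forcers."""
    shellshock, not_found = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # 1) function-definition pattern in Referer or User-Agent
        if SHELLSHOCK_RE.search(rec["referer"]) or SHELLSHOCK_RE.search(rec["ua"]):
            shellshock.append((rec["ip"], rec["request"]))
        # 2) many 404s from one source is the footprint of gobuster/DirBuster-style scans
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= scan_threshold)
    return {"shellshock": shellshock, "scanners": scanners}

# Constructed sample lines (not from the box); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /cgi-bin/a.cgi HTTP/1.1" 404 209 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /cgi-bin/a.sh HTTP/1.1" 404 209 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /cgi-bin/a.pl HTTP/1.1" 404 209 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /cgi-bin/a.py HTTP/1.1" 404 209 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /cgi-bin/b.sh HTTP/1.1" 404 209 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:04 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 118 "-" "gobuster/3.1"',
    '203.0.113.5 - - [10/Oct/2023:10:00:09 +0000] "GET /cgi-bin/script.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [10/Oct/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Feeding a real access log in line by line (for example from a file handle) works the same way; the 404 threshold is the only knob to tune for a busy site.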
Now when I run sudo -l, I can see what commands my user is able to run as root:
Going to GTFOBins, we can see the following for perl:
Running that command, I was able to get root:
I was then able to get the flag for root as well (the connection was a bit laggy):