# HackTheBox - Shocker - 10.10.10.56

Shocker is a 20-point easy Linux machine on hackthebox.eu that requires you to exploit an HTTP Shellshock vulnerability and then use a sudo NOPASSWD perl command to gain a reverse shell as the root user.

## 1. Recon

To start this box off, we will do an nmap scan of the target machine, 10.10.10.56:

```
nmap -sC -sV -oA nmap/shocker-init 10.10.10.56
```

Since there is nothing of interest here, let’s run a gobuster scan on the web page.

### The /cgi-bin/ Directory

Bingo, we got a hit for the cgi-bin directory. This directory usually contains script files, and any files you place in it are treated as programs and executed by the server instead of being displayed. So let’s fuzz for scripts with .pl and .sh extensions.

## 2. Exploitation

Nice, we got a script, user.sh. After some research and manual enumeration, the box’s Apache web server seems like it would be vulnerable to this exploit, so let’s download it from exploitdb.

This is the script’s usage:

So our command will be:

## 3. Privilege Escalation to Root

The root privilege escalation is very easy because we can run /usr/bin/perl using sudo with no password, so we can use the following command from this gtfobins page to execute bash commands using perl as root and ultimately get a reverse shell as root.

Now for the reverse shell we will use the bash one listed here on my Notes page combined with the perl command from gtfobins.

Our command should look something like this. You should also have a netcat listener set up on the port you use in your reverse shell command.

### Root Flag

Pwned!
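
From the defender's side, the misconfiguration behind the privilege escalation step is a passwordless sudo rule for an interpreter. The following added example (not part of the original write-up) parses `sudo -l` output and flags such rules; the sample output, the user name `webuser`, the host name `host` and the `SHELL_CAPABLE` list are constructed for illustration.

```python
import os
import re

# Binaries that can run arbitrary code when invoked (illustrative, incomplete
# list assumed for this example; extend it for a real audit).
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "php", "lua", "node",
                 "bash", "sh", "dash", "zsh", "awk", "vim", "vi", "find", "env"}

ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<spec>.+)$")  # "(root) ..."
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")                       # "NOPASSWD: "

# Constructed `sudo -l` output; user and host names are placeholders.
SAMPLE = """\
User webuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/python3
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status nginx, PASSWD: /bin/bash
"""

def risky_sudo_entries(sudo_l_output):
    """Return (runas, command) pairs that run a shell-capable binary
    without a password prompt."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        nopasswd = False  # sudo requires authentication unless tagged otherwise
        # Simplification: commands containing escaped commas are not handled.
        for item in m.group("spec").split(","):
            item = item.strip()
            # A tag precedes a command and stays in effect for the following
            # commands on the same line until an opposite tag overrides it.
            while (t := TAG.match(item)):
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                item = item[t.end():]
            if not item or not nopasswd:
                continue
            binary = item.split()[0]
            if binary == "ALL" or os.path.basename(binary) in SHELL_CAPABLE:
                findings.append((m.group("runas"), item))
    return findings

if __name__ == "__main__":
    for runas, cmd in risky_sudo_entries(SAMPLE):
        print(f"passwordless sudo as {runas}: {cmd}")
```

Any rule it reports should either be removed, require a password, or be narrowed to a fixed, root-owned script that the invoking user cannot modify.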

