Today I explore Shocker from HTB, an OSCP-like box featuring a Shellshock-exploitable web server. Once on the box, we use perl to escalate through sudo. I start each box by running AutoRecon (which I have mentioned several times in other articles). Within the first few seconds I see that port 80 is open, so I head over to the website and see a picture of a bug.
Viewing Port 80 shows a picture of a ‘bug’.
I also check for .php extensions to get an idea of what is running. This is just a standard HTML page; viewing the source, I see no useful information or comments. Checking back in my AutoRecon results, I see that GoBuster has found two hits for cgi-bin. This, along with the name of the box, was enough to tell me I was dealing with a Shellshock-exploitable server (CGI scripts are the classic exposure point, because the web server hands request headers to Bash as environment variables). I would recommend reading THIS for more information.
I run another GoBuster, this time with .sh extensions and pointing to the
As you can see from the command above, I specifically target directories with dir. I ask it to be quiet and only show relevant information with -q. I set the threads (the number of concurrent requests) to 50 with -t 50, because time is money. Finally, I use -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt to point to my word-list of choice, and -x .sh to specifically look for shell files.
Using the -x flag to search for .sh (shell) files.
I get a hit and use that file to test for Shellshock:
Testing Shellshock by pulling the
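From the defender's side, the same Shellshock test leaves a recognisable trace in the web server's access log: a Bash function definition in a request header aimed at a CGI script. The following is an added example, not part of the original post, that scans constructed Apache combined-format log lines for that signature (the script name and addresses are placeholders, not values from the box):

```python
import re
from dataclasses import dataclass

# Shellshock probes carry a Bash function definition such as "() { :; };" in a
# request header; the CGI handler exports that header as an environment
# variable, which is how a vulnerable Bash picks it up. The regex matches the
# "() {" opener loosely (spacing variants) while ignoring normal User-Agents.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: client, identd, user, time, request, status,
# bytes, referer, user-agent.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Finding:
    client: str
    path: str
    field: str        # header that carried the function definition
    cgi_target: bool  # request hit /cgi-bin/, the usual exposure point

def scan_access_log(lines):
    """Return a Finding for each request whose Referer or User-Agent
    contains a Shellshock-style function definition."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append(Finding(m.group("client"), m.group("path"),
                                        field, m.group("path").startswith("/cgi-bin/")))
                break  # one finding per request is enough
    return findings

# Constructed sample log lines; "example.sh" is a placeholder, not the script
# found on the box. Line 2 carries the probe in User-Agent, line 3 in Referer.
SAMPLE_LOG = [
    '10.10.14.2 - - [05/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.2 - - [05/Mar/2024:10:00:09 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 118 "-" "() { :; }; echo shellshock-test"',
    '10.10.14.2 - - [05/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; echo shellshock-test" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The same check can be applied to any header the CGI module exports, not just these two; the two fields here are the ones the combined format records.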
Seeing that it works, I use a Bash one-liner reverse shell to log into the box. PenTestMonkey has a great article on this (though web browsers now seem to flag that website, unjustly), so HERE is a link to PayloadsAllTheThings instead. Once logged into the box, I ran sudo -l, which should always be one of the first things to check. It showed me that perl could be run as sudo. Head over to GTFOBins and root.
Rooting Shocker from HTB with proof.