Shocker
OS: Linux, Difficulty: Easy, IP: 10.10.10.56
PSA
Before starting any HTB box, make sure your HTB VPN is connected. Otherwise you may, like me, waste two hours scanning ports with nmap and bust your head wondering whether the box is protected by some kind of magical firewall xD.
Initial Enumeration
Nmap scan for basic ports
Detailed scan of the open ports
One peculiar thing to note is that the SSH service runs on port 2222 rather than the usual 22.
User Own
Running dirb against the HTTP server first found a directory, cgi-bin, and running dirb again inside that directory found a file named user.sh.
The file displayed the server's uptime. After some research, and going by the name of the box, I was fairly confident this involved Shellshock.
I found a tool online to automate the job: https://github.com/nccgroup/shocker
This got me a reverse bash shell on my machine and I was able to cat the flag.
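From the defender's side, the same Shellshock-via-CGI pattern is easy to spot in web server logs. The following is an added example, not part of the original writeup or the shocker tool: it parses Apache combined-format lines (assumed format; assumed to log Referer and User-Agent) over a constructed sample and flags values that begin with a bash function definition, noting whether the request hit a CGI path.

```python
import re
from dataclasses import dataclass

# Apache "combined" format (assumption); Referer and User-Agent are the two
# header values that get exported into the CGI environment and reach bash.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock signature: a value that starts with a bash function definition
# ("() {"), the construct vulnerable bash versions parse from the environment.
SHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

@dataclass
class Alert:
    ip: str
    path: str
    field: str        # which header carried the pattern
    cgi_target: bool  # request hit a CGI path, where the env var reaches bash

def parse_line(line):
    """Return the combined-format fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Scan log lines and return one Alert per request carrying the signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHOCK_RE.search(rec[field]):
                alerts.append(Alert(rec["ip"], rec["path"], field,
                                    rec["path"].startswith("/cgi-bin/")))
                break
    return alerts

# Constructed sample log (not captured from the box): first line is benign,
# the second hits the CGI script, the third carries the pattern outside CGI.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :;}; echo test"
10.10.14.3 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; echo test" "curl/7.58"
"""

if __name__ == "__main__":
    for alert in find_shellshock(SAMPLE_LOG.splitlines()):
        print(alert)
```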
Root Own
Running sudo -l on the machine showed that I can run /usr/bin/perl as root without a password.
I went over to GTFOBins and found that I can run a shell using perl.
This got me a root shell and hence the root flag.
Learning Outcome
I had never heard of Shellshock on a web server before, so I learnt something new.