Joshua Cruz

Hack The Box :: Shocker

September 02, 2019

Quick Summary

Shocker is an easy Linux box that's based on, and named after, the Shellshock exploit. The exploit is known as a backdoor vulnerability that uses the Unix Bash shell. It simply enables an attacker to cause Bash to execute arbitrary code (Arbitrary Code Execution, ACE).

Nmap

Start with active reconnaissance on the targeted machine. We use nmap to scan for open ports on the machine.

Interestingly enough, we only see 2 open ports:

Port 80

Visiting port 80 in Firefox, we are shown an image with the text “Don’t Bug Me”.

This image confuses me because I’m clueless about what this could mean. I did check the source of the webpage, but nothing revealing was there. I also checked robots.txt.

gobuster

Because there was no other additional information, I decided to use gobuster to brute-force for any additional directories or files.

With some luck, we got a few hits. The one that stood out to me the most was the /cgi-bin/ directory. You may be asking why that specifically raises a concern for me. Well, cgi-bin is the directory a web server uses to execute scripts, and CGI hands request headers to those scripts as environment variables. This correlates with the Shellshock exploit.

dirb

After gobuster informed us that there is a /cgi-bin/ directory, we can use dirb to see if there are any scripts on the web server we can take advantage of.

Dirb was able to find a user.sh file within the /cgi-bin/ folder. Here we can easily use the Shellshock exploit to gain backdoor access to the system.

Metasploit

Here, I ended up using Metasploit to do the dirty work for us. I was able to find a Shellshock exploit to gain a reverse shell.

As you can see we set the arguments to be able to exploit the box:

And there you go! We have access to the system.

User Flag

There we can see the user.sh file we initially used to gain backdoor access to the system. I looked in the home folder to see if there was anything to take note of, and was able to see a user named shelly.

Going into shelly’s folder, we can see the user.txt file. Catting that file, we are given the user flag.

Root Flag

Sadly, I’m currently unable to gain root access to the machine. I will update this section when I get root privileges and am able to obtain the root flag.

Conclusion

This box was a very interesting box. Being able to utilize the Shellshock exploit and gain backdoor access was very cool. We were able to use a few additional security tools to gain more information about missing directories and files.

As usual, now that we pwned this box (sort of), we can then move onto another box. You can expect a write-up for Netmon next.