# Shocker

## Shocker - 10.10.10.56

### Target Enumeration:

OS: Linux

IP: 10.10.10.56

User: 2ec24e11320026d1e70ff3e16695b233

Root: 52c2715605d70c7619030560dc1ca467

### Ports / Services / Software Versions Running

```
80/tcp   open  http  Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh   OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
```

### Vulnerability Exploited:

Shellshock

### Privilege Escalation:

User can execute perl as root.

### Exploiting the host

Nmap

![](https://lh5.googleusercontent.com/_Y2GTSELrqGQGedfmxtDJWxp3sqZ1fUj9Za-nt8YWoIufCKckqwEpUZvX9Jl5yWUf3aHj2BcgqboRD2f6Rl0S7syCMC7oaHMIQp5z1rzwjZDUVQXkWcgTMu3yd73q-GzWlDxstIg)

The web app reveals little, and nothing is hidden in the image.

Dirb revealed only cgi-bin. Given the name, we need to look for a script of some sort and check whether it is vulnerable to Shellshock; common script extensions include .sh.

Run a dirb scan in cgi-bin for files with the .sh extension to see what turns up.

![](https://lh4.googleusercontent.com/vmP19zTKV1jC78_2uaMOv0Gq2cw96wlh_jr8svuI5ika0n0sDrZHtToZvjReWImD272svPXBXb_n0QxHxtXhcYtHi2hjQbJpGH5hwEVro1aJ7kOHtIbTJqiON7bmtN0DKTUu6Og0)

User.sh was found. Now we need to test it for Shellshock.

![](https://lh5.googleusercontent.com/hwr6auADcU6U7D9FDUJ0dXq-fZzg6smWnsZ7gdRnbxxC71Giob9RiYJTBD3Bh4hWJR1STnQKXsLOXX0FtVkT6YY1KoQDmHG7x7gj6-eZQq_6WC-H0eObwjOmrcU3lR6IDUeOCE8m)

Copy to local dir and send the command as follows:

![](https://lh6.googleusercontent.com/P5WNMo5BAIfreJ8FaZriEwmS2-PnVd19wTMrRkvWdvfIZxTHkGpJPgPPDICVox4RjhAPmnb_La6nK6oLXqjJ9i2C2UDEZlQBVPfsxKNcfVLfGvlMzi0ItFnkfnd7Q5hYdITs8Se7)
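The same request seen from the logging side, as an added example that is not part of the original write-up: an unpatched Bash treats an environment value beginning with `() {` as a function definition, and CGI hands request headers to the script as environment variables, so that prefix appears in the header fields of Apache's combined access log. The log lines, addresses and the `find_shellshock` name are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Prefix that makes Bash parse an imported variable as a function definition.
FUNC_PREFIX = "() {"

def find_shellshock(lines):
    """Return (host, path, field, status) for header fields that start with FUNC_PREFIX."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else "-"
        for field in ("referer", "agent"):
            if m.group(field).lstrip().startswith(FUNC_PREFIX):
                hits.append((m.group("host"), path, field, int(m.group("status"))))
    return hits

# Constructed sample lines; the text after the function body is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2018:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [01/Jan/2018:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 52 "-" "() { :; }; echo PLACEHOLDER"',
    '192.0.2.20 - - [01/Jan/2018:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; echo PLACEHOLDER" "curl/7.58.0"',
    '192.0.2.30 - - [01/Jan/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "probe test() { } client"',
]

if __name__ == "__main__":
    for host, path, field, status in find_shellshock(SAMPLE_LOG):
        print(f"{host} {path} field={field} status={status}")
```

The combined format records only the Referer and User-Agent headers, so covering other headers means adding them to the server's `LogFormat` or inspecting requests at a proxy or WAF.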

Looking for privesc opportunities, we see that we can run perl as a root user.

![](https://lh6.googleusercontent.com/x5zHTCoMgvlUznO-DYy9hIvYDvy1TnKu6cwbqV0M2PJLWQS7SYYnNmbyuIzWsxbcayuWk-u6hKvCa5IvuUV6gzu1fhe2gRDJh_8U_kqGAZTzesfWEVNeMmpzHqBaJigW4eBiNYSn)

Copy a perl reverse shell to the current dir and modify it as follows:

![](https://lh4.googleusercontent.com/5Vu6v49P7ZZq9RtWgL90UIawcbiqfk8JI66Sh87q3D9g9guVjjQs83iR0O5w9xH1hoU-aX7kr9rBmIoYnTfx_UuAddBkiqUiFucpPeyVtKnfg7MpbwJtNzmi2C18CRa4dTvcZepT)

Upload to the target and execute while listening on port 445:

![](https://lh3.googleusercontent.com/601yiq8xpLAyIKN1UzQfR-SaA4KkeuwuA219EcfUNKVbjZOOfiiFVYBLWOPCk6CtpJdFxTcRnOEgWu-t_6ciFz-O-DJnADR4B8RqtE8DXamFTpj5Avussbu8DjbREwfWhYMjygZK)

You should now receive a root reverse shell, so collect the flag.

![](https://lh4.googleusercontent.com/wYHBAZhqX5Rh01bvobBK8G2QNGCVhzST7dnbpxJWAHDfs2q5g6C8GqucnuWZ1Wx2cD0sMxYRZcpxFlOD1sbpO_djpJFkvtaApvv1XDYSibl4BRuUrOiHfsFVUCUyRhNRQKh233UQ)

