# Shocker

## Shocker - 10.10.10.56

### Target Enumeration:

OS: Linux

IP: 10.10.10.56

User: 2ec24e11320026d1e70ff3e16695b233

Root: 52c2715605d70c7619030560dc1ca467

### Ports / Services / Software Versions Running

```
80/tcp   open  http  Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh   OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
```

### Vulnerability Exploited:

Shellshock

### Privilege Escalation:

User can execute perl as root.

### Exploiting the host

Nmap

![](https://lh5.googleusercontent.com/_Y2GTSELrqGQGedfmxtDJWxp3sqZ1fUj9Za-nt8YWoIufCKckqwEpUZvX9Jl5yWUf3aHj2BcgqboRD2f6Rl0S7syCMC7oaHMIQp5z1rzwjZDUVQXkWcgTMu3yd73q-GzWlDxstIg)

Webapp reveals little and nothing hidden in the image.

Dirb revealed only cgi-bin. Given the box name, we need to look for a CGI script that may be vulnerable to Shellshock; a common extension for such scripts is .sh.

Run a dirb scan against cgi-bin with the .sh extension to see whether any such files exist.

![](https://lh4.googleusercontent.com/vmP19zTKV1jC78_2uaMOv0Gq2cw96wlh_jr8svuI5ika0n0sDrZHtToZvjReWImD272svPXBXb_n0QxHxtXhcYtHi2hjQbJpGH5hwEVro1aJ7kOHtIbTJqiON7bmtN0DKTUu6Og0)

user.sh was found. Now we need to test it for Shellshock.

![](https://lh5.googleusercontent.com/hwr6auADcU6U7D9FDUJ0dXq-fZzg6smWnsZ7gdRnbxxC71Giob9RiYJTBD3Bh4hWJR1STnQKXsLOXX0FtVkT6YY1KoQDmHG7x7gj6-eZQq_6WC-H0eObwjOmrcU3lR6IDUeOCE8m)

Copy the script to a local directory and send the command as follows:

![](https://lh6.googleusercontent.com/P5WNMo5BAIfreJ8FaZriEwmS2-PnVd19wTMrRkvWdvfIZxTHkGpJPgPPDICVox4RjhAPmnb_La6nK6oLXqjJ9i2C2UDEZlQBVPfsxKNcfVLfGvlMzi0ItFnkfnd7Q5hYdITs8Se7)
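From the defender's side, the same probe that confirms user.sh is exploitable leaves a distinctive trace in the Apache access log: the header that carries the payload begins with a bash function definition (`() {`). The scanner below is an added example, not part of the original writeup; it parses Apache combined-format lines, flags any request, Referer or User-Agent field that starts a function definition, and notes whether the target path was under /cgi-bin/. The log lines are constructed for the example and are not the target's real logs.

```python
import re
from typing import Dict, List

# An exported bash function definition starts with "() {"; Shellshock-era bash
# executed whatever followed the closing brace. No legitimate HTTP header value
# begins this way, so the signature has a very low false-positive rate.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_shellshock_payload(value: str) -> bool:
    """True if a header or request value carries a bash function definition."""
    return FUNC_DEF.search(value) is not None


def scan_access_log(lines) -> List[Dict[str, object]]:
    """Return one finding per log field that carries the Shellshock signature."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED.match(line.rstrip("\n"))
        if m is None:
            continue  # not combined format; a real deployment would count and skip
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) >= 2 else m.group("request")
        for field in ("request", "referer", "agent"):
            if is_shellshock_payload(m.group(field)):
                findings.append({
                    "line": lineno,
                    "src": m.group("host"),
                    "path": path,
                    "field": field,
                    "cgi": path.startswith("/cgi-bin/"),
                })
    return findings


# Constructed sample lines (not the target's logs): one benign page view, two
# probes carrying the signature in different headers, one benign CGI request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2017:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2017:12:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo probe"
10.0.0.9 - - [10/Oct/2017:12:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; /bin/true" "curl/7.55.1"
10.0.0.5 - - [10/Oct/2017:12:01:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.55.1"
"""


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed sample log."""
    return scan_access_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']}: {f['src']} -> {f['path']} via {f['field']}")
```

Only the Referer and User-Agent headers are logged by the default combined format; a probe placed in Cookie or a custom header would need a LogFormat that records it (or mod_security-style request inspection), so treat this as a retrospective check rather than a complete control. The real mitigation is patching bash, which is what the box's OpenSSH and Apache versions suggest had not been done.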

Looking for privilege-escalation opportunities, we see that we can run perl as root.

![](https://lh6.googleusercontent.com/x5zHTCoMgvlUznO-DYy9hIvYDvy1TnKu6cwbqV0M2PJLWQS7SYYnNmbyuIzWsxbcayuWk-u6hKvCa5IvuUV6gzu1fhe2gRDJh_8U_kqGAZTzesfWEVNeMmpzHqBaJigW4eBiNYSn)

Copy a perl reverse shell to the current directory and modify it as follows:

![](https://lh4.googleusercontent.com/5Vu6v49P7ZZq9RtWgL90UIawcbiqfk8JI66Sh87q3D9g9guVjjQs83iR0O5w9xH1hoU-aX7kr9rBmIoYnTfx_UuAddBkiqUiFucpPeyVtKnfg7MpbwJtNzmi2C18CRa4dTvcZepT)

Upload to the target and execute while listening on port 445:

![](https://lh3.googleusercontent.com/601yiq8xpLAyIKN1UzQfR-SaA4KkeuwuA219EcfUNKVbjZOOfiiFVYBLWOPCk6CtpJdFxTcRnOEgWu-t_6ciFz-O-DJnADR4B8RqtE8DXamFTpj5Avussbu8DjbREwfWhYMjygZK)

You should now receive a root reverse shell, so collect the flag.

![](https://lh4.googleusercontent.com/wYHBAZhqX5Rh01bvobBK8G2QNGCVhzST7dnbpxJWAHDfs2q5g6C8GqucnuWZ1Wx2cD0sMxYRZcpxFlOD1sbpO_djpJFkvtaApvv1XDYSibl4BRuUrOiHfsFVUCUyRhNRQKh233UQ)
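The root step works because a sudo rule grants an interpreter, and any interpreter run as root is equivalent to granting ALL. The audit script below is an added example, not part of the original writeup; it parses sudoers-style rules (the same shape `sudo -l` reports), and flags non-root entries that run a shell-capable binary or ALL as root, noting whether NOPASSWD is set. The sudoers text and user names are constructed for the example, not taken from the target.

```python
import os
import re
from typing import Dict, List, Optional

# Binaries that can hand the caller an interactive shell or run arbitrary code
# once they execute as root; any of these in a sudo rule equals "ALL" in practice.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "lua", "node",
    "bash", "sh", "dash", "zsh", "ksh", "env", "awk", "gawk", "find",
    "vi", "vim", "nano", "less", "more", "man",
}

# user  host = (runas_user[:runas_group]) [TAG:] cmd1, [TAG:] cmd2, ...
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(
    r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*",
    re.IGNORECASE,
)


def parse_rule(line: str) -> Optional[Dict[str, object]]:
    """Parse one user specification; returns None for anything else."""
    m = RULE.match(line.strip())
    if m is None:
        return None
    # "(ALL:ALL)" -> run-as user ALL; an absent or empty run-as means root.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    commands, nopasswd = [], False
    for raw in m.group("cmds").split(","):
        spec = raw.strip()
        while True:  # tags may stack, e.g. "NOPASSWD: SETENV: /bin/foo"
            t = TAG.match(spec)
            if t is None:
                break
            if t.group(0).upper().startswith("NOPASSWD"):
                nopasswd = True  # simplification: treated as rule-wide
            spec = spec[t.end():]
        commands.append(spec)
    return {"user": m.group("user"), "runas": runas,
            "commands": commands, "nopasswd": nopasswd}


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag rules that let a non-root principal run arbitrary code as root."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")):
            continue
        rule = parse_rule(stripped)
        if rule is None or rule["user"] == "root":
            continue
        if rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["commands"]:
            parts = cmd.split()
            binary = os.path.basename(parts[0]) if parts else ""
            if cmd == "ALL":
                reason = "unrestricted ALL"
            elif binary in SHELL_CAPABLE and (len(parts) == 1 or "*" in cmd):
                reason = f"{binary} runs arbitrary code as {rule['runas']}"
            else:
                continue  # fixed binary with fixed arguments: not flagged here
            findings.append({"user": rule["user"], "command": cmd,
                             "nopasswd": rule["nopasswd"], "reason": reason})
    return findings


# Constructed sample sudoers (hypothetical users; not the target's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers - constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
webuser ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) /usr/bin/rsync
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
"""


def audit_sample() -> List[Dict[str, object]]:
    """Run the audit over the constructed sample."""
    return audit_sudoers(SAMPLE_SUDOERS)


if __name__ == "__main__":
    for f in audit_sample():
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"{f['user']}: {f['command']}{flag} -> {f['reason']}")
```

The remediation for the flagged perl entry is to grant the specific script with fixed arguments (`/usr/bin/perl /opt/fixed/script.pl`) or, better, to wrap the task in a dedicated binary that does nothing else; the audit deliberately stops flagging once the arguments are pinned, since that is the property the fix must establish. The parser handles the common single-line rule form; aliases, backslash continuations and per-command tag scoping are beyond this example.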
