HackTheBox “Shocker” With & Without Metasploit WriteUp

Abdullah Kareem
5 min readMay 26, 2023

--

HackTheBox Shocker

The Shocker is a machine on Hack The Box that is based on a vulnerability named Shellshock which is found in Bash Shell. This vulnerability can be found on most of the Linux and Unix servers and network devices. The machine is already retired but you can still try to pwn it if you have premium access to HTB. It’s an easy and fun box that is recommended for PEN-200 (OSCP) Students. You’ll learn how to pentest & build a career in cyber security by starting out with beginner-level walkthroughs like this!

Let’s get started!🚀

Enumeration

Let’s use nmap to scan for open ports and services:

nmap
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -p- -T4 -A 10.10.10.56
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 15:00 +03
Nmap scan report for 10.10.10.56
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=5/6%OT=80%CT=1%CU=42638%PV=Y%DS=2%DC=T%G=Y%TM=64564536
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)SEQ(
OS:SP=108%GCD=1%ISR=108%TI=Z%TS=8)OPS(O1=M53CST11NW6%O2=M53CST11NW6%O3=M53C
OS:NNT11NW6%O4=M53CST11NW6%O5=M53CST11NW6%O6=M53CST11)WIN(W1=7120%W2=7120%W
OS:3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW6%CC=
OS:Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 227.88 ms 10.10.14.1
2 228.07 ms 10.10.10.56

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1006.33 seconds

The Nmap scan showed that both HTTP (80) and SSH (2222) were open. After that, a directory scan was performed using Dirsearch, producing the following results.

Directory busting using Dirsearch

CGI-BIN which is also known as Common Gateway Interface allows web browsers to submit forms and interact with applications on web servers. It is a simple interactive application that can be written in any programming language such as Python and Perl. CGI applications are often called CGI scripts as they tend to be written using languages called scripting languages.

There is a well-known security bug named Shellshock in the security community, that causes Bash shell to execute commands from environment variables unintentionally. In another sense, this will allow the attacker to issue arbitrary codes on the server remotely if the vulnerability is exploited.

Apache web server has a module called mod_cgi which handles the execution of Common Gateway Interface (CGI) scripts. When a browser requests the URL of a specific file contained within the CGI directory, the server runs the script, and the output is passed back to the browser. When CGI scripts are run, specific information is copied to the environment variables. That information will subsequently be passed to Bash if it is called, thus providing a way for an attacker to inject malicious code.

Let’s test the box to see what we have inside the /cgi-bin directory.

Directory busting for cgi-bin directory using Dirsearch

It seems that we found a file named user.sh on the machine that we might be able to access.

And here is the content of the file.

user.sh cgi-bin

After looking into /cgi-bin/, it appears that it could be hit with ShellShock. After a bit of googling, we found out that we can use nmap to test the target as shown in the link below.

Check the link below:

Test for Shellshock vulnerability

Now that we know we have a way in, let’s check Searchsploit to see what options we have available.

Searchsploit shellshock

So I am going with the highlighted option above which is a Python script to exploit this vulnerability.

Let’s copy the exploit and have a look at it.

locating and copying RCE shellshock

Exploitation W/O Metasploit

After having a look at the exploit as shown below, we can see how to use it against our target.

Shellshock

Let’s see what it looks like.

Running the exploit without a specific target

After running the exploit against our target, we have a user privilege shell.

User privilege shell

Now we can navigate to get the user’s flag.

Now we have to find a way to escalate our privileges by first running sudo and seeing what allowed sudo options we have here.

Allowed sudo options

It appears that we can have root privileges with no password from the /usr/bin/perl location. Now we head over to Google to check further.

We search for Perl in the project below to see how can we bypass the binary we have.

https://gtfobins.github.io/

Gtfobins for perl

now we run perl in sudo and we get a root shell.

Perl in sudo

Now we can navigate to get the root’s flag.

Exploitation W/ Metasploit

Now we use Metasploit to get a shell. We search inside Metasploit to look for a suitable module to exploit shellshock.

Metasploit shellshock

we use the module 1 : apache_mod_cgi_bash_env_exec

and put in the options as below:

Shellshock exploit options in MSF

And we fire off Metasploit.

Running MSF

Cheers.

--

--

Abdullah Kareem
Abdullah Kareem

Written by Abdullah Kareem

IT Specialist | Cyber Security Enthusiast | OSWP | eCPPT | CEH | CCNP Enterprise | CCNA | ITILv4