SHOCKER
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX4nxu0QVWoavxM9Kz7tSsQKQZIBc5_dV7UkMbOTnXi5eK-AbzezVLqMBEIeHbx5BxPcXnSigIszS-ffzj1NZ8BOGvdtn0TfL2FQbrqyAzqRXg5HOf9qWXPsLWmIDH7CSAZ8QYCyNc9RLR/s1600/screenshot.20.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Shocker, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Shocker's IP is 10.10.10.56:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvLNKqaMQRGsa0FMHsp6k2YUAH0UO-PXoPZN4NG2zlLDTDVNX4V9UBt4B7XG_HLVlFrG3xMrBnKtmaU_4qNi7W9SVAvf1aFP8ysr7D7cYi7mAp_q6QJNpC5H57wpXmY5BpQDXpv68MO2zy/s400/screenshot.2.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj6HGV_4VHq4LxulwPOaX19U1L0RhNQvwpysB4kiLo4rTmmGTY5WHEajouXbOv1UEHsIyoubzjvoXmnqgKvgT_C7Ww4hJ-85j8oWh56giCAKOXJ8TAp0UGhAkzjzRXTeSbkjw1SLbcMDPF/s1600/screenshot.3.jpg)
- Scanning deeper ports 80 and 2222:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6y2S22TAl96uMSTk-Sjsbw2VHk1uBo6kjjfInqCr1UsVLk0vnUf1r8oEcpPA6kLUJ9t3x4kIw-2SevJ21mic3fooNBp_zF-FQUTBT5PTb3lsJrjoK9InGgfY39VUk0QMQT7rLYPlQt4f3/s1600/screenshot.4.jpg)
- Connecting with the browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2o3_mRCEWEDb0a2gfxyqDBBzi3ZYRD15ILclmg7rmlCBSeG5E1mh9zYofpxGZQsBBYl2ZddwCY3G086YYIwjetSJjFEfuYMymQcpwFDxOCdY-AwnY8930wYp2qUkmX7ugZp3rx-yIFmCt/s1600/screenshot.5.jpg)
- Dirbusting the web server we find a /cgi-bin folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilPwHMh4rmj8p6QndhCjiffkD5hN7pXm34hJ16ahHCPOfmgGa-PW-Yhz5Rpfs6QVYsvEMkBxNZZapQO9WCNozE8740NMiZqyLYLFMBtu6mDSOR4HRjsXQ9mQP7j4K7M6bfpLAy239QxXle/s1600/screenshot.53.jpg)
- Dirbusting specifically /cgi-bin for the extensions .php, .txt and .sh:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYjt4pk6_vkYQZcUfbUp63XlFGYLwoiY-oE-3GNtUOahDIEs2R8vNRgN8pMi4jiWXT3UdpouD8eMPGY9uvhAkHJUwrY4VAe6MyXGFjzkL11RR-TRY_-J3BCKHn6VFPjF-S12wLhcfWg1Vy/s1600/screenshot.19.jpg)
- Downloading user.sh:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8819Iqo58eyzL7BmolTIUuBkTdbKFLDP-nP-q_91nrnNlb5O-gtCRVJMnii0UeJmqoJDT-Fz_OM8lfBZ5ujiWiSdaNlgtpb60q8tWamZnVrx7C3Fn8dmo9HF-A9-nk6kPA1R3Qo0B-pF5/s1600/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9X-s6U-Qhs-YyI8sQVPOCQ0DR4i5uen68-yXl-TIf07xXmvbAeSEwJOLdt42CF6B68g_th0RMqcbNJV_wabQgW1G4RQXgnfY6TE_fyAbcP_qmdP1RGEt23JBj7GGaGloWe4h1xBvVF6KR/s1600/screenshot.7.jpg)
3 - EXPLOITATION
- The vulnerability CVE-2014-6271 (Shellshock) is a bug in bash's handling of exported function definitions, which can be triggered remotely through the mod_cgi and mod_cgid modules of the Apache HTTP Server, because they pass request headers to CGI scripts as environment variables:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj9mYD97-feq7LVzSOmx0LfckpOblf8Cg9U9UcPQ4i-v6hCK3s6PIfR4vhIwCpIB4SrEpFEuqtg8mIzD5CReZeLPAQTNumN-O7iHuw68ySeZ96OtMkXN-5utVcKzYeEaEXXnQygul4bhSJ/s1600/screenshot.55.jpg)
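From a detection standpoint, Shellshock attempts against a CGI endpoint like /cgi-bin/user.sh are visible in the web server's access log, because the `() {` function prefix lands in the Referer or User-Agent header (or the request line) that Apache logs in the "combined" format. The following is an added example (not code from the original post or from the exploit it references) that parses constructed sample log lines and flags requests carrying that prefix; the log lines, IPs and timestamps are made up for the demonstration.

```python
import re

# Constructed Apache "combined" format sample lines (not real traffic).
# Lines 2 and 3 carry the Shellshock function-definition prefix "() {" in
# the User-Agent and Referer headers; Apache would export these to a CGI
# script as HTTP_USER_AGENT / HTTP_REFERER, which is how a vulnerable bash
# gets to parse them.
SAMPLE_LOG = """\
10.10.14.22 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.14.22 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"
10.10.14.22 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.68.0"
10.10.14.22 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable bash treats an environment value starting with "() {" as a
# function definition; matching optional whitespace catches spacing variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one hit per request whose request line, Referer or User-Agent
    contains the Shellshock prefix, with the fields that triggered it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["req"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["req"]
        fields = {k: rec[k] for k in ("req", "referer", "ua") if SHELLSHOCK_RE.search(rec[k])}
        if fields:
            hits.append({"ip": rec["ip"], "path": path, "status": rec["status"], "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["ip"]} -> {hit["path"]} ({hit["status"]}) via {sorted(hit["fields"])}')
```

The status code is worth keeping in the hit: a 200 or 500 on a CGI path with this prefix tells you the script executed, whereas a 404 means the probe found nothing to run.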
- We will follow two ways to exploit the vulnerable machine Shocker:
3.1 - Python exploit
- This Python exploit provides a remote shell once a few parameters are set, as explained in its instructions:
https://www.exploit-db.com/exploits/34900
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguy7Kw5lgOawE_BeP0vuWYyM3UJTnPOvnOL6MNOeRrAUki9AbwhLNb0M9ymPccAnpbMTm2W2SGYiBSuTagbz8emLaONvs7zXRyvahqoTFOKBUK2aPxX9nFIE7mYkuJQWytb7FKve3EXE4A/s1600/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTZL4czKTg4p7BcbPUMUwoU0reBqQCIduy-BeFqBM4T3ZguqDXZU4s9jy_KbO9c-C2NBfyonVmN0xTppryoYUEsfE8bC3m7H2bbQhkhMTvyQaQ8yLzAjRgJjyLNMZDueikkzlBg4xNvFLE/s1600/screenshot.2.jpg)
- Copying the exploit locally and giving execution permissions:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKOYdLjM7mCmh-zx9GRmUiTG3eiB1qAbC_AXx14yRCQzEsmoBrR4cTkjVIMtrYnl9UX8rNlWxlzy9qoelfT7EeI9Hv3BBuXSVq8flGuY7SRb6tNcEgWWpPMJ6v3elJTIE2bW75D8G1ea_z/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig1g80YcDG9RED-vnbXITlSNTGQmP8Cbx2y90gxs01b-oOBYCzPZ-MFMyZlDPWnyFyn9l6QIzj5pW6E8j0R2qErnqhWi2u4zWKD_Jwum_ZYPo_Z0QvAhATakMx6TsowfnTCbXl2phqaNEB/s1600/screenshot.4.jpg)
- Providing these parameters and running the exploit:
- payload=reverse
- RHOST=10.10.10.56
- LHOST=10.10.14.22
- LPORT=4321
- pages=/cgi-bin/user.sh
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgl_KG8cnleHA59O8mEV1V95nSNZ_v-KenplVq7dWpL4hnxOkvLbB04cymlHU41L7UkbmB-C9cqcnyZj7PkIT0tVnY3M4zFpjGBH0uGWFiVVpiIdLintBMy_TmTDkgWO_55upLEAGcEmPf/s400/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhImr7hqHUwdnuWo_SeffiYcx4jTrycbYV7mj-PPecZ3M6kFtYts68QPJPMdb-M14ImrCvyI6aXENd39RQaRTqglVqrU4s7S2uHqxFewf0ILCW9fCUxVZrRUBLbNgiGMTaD8VzjAHzuQlMr/s400/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCC8vSbjX708wwLgLp_Ri2EE4gmxq6wmhaz2klzWATOTrNT6VxxhzS6G_KpdRJzEk_hPb5Dapur0cAZ0lrnyPHSe4X2UcpjkUJ2VIPHSgpDHcJIKYya9TkIYpXGKouNrnLW80DtaDy8jlQ/s1600/screenshot.6.jpg)
3.2 - Metasploit
- There is a Metasploit module associated with this vulnerability (also known as Shellshock):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs_xAtTe4dvfNUIoVZKbipxlm_UAbaLyWGNP_WT1ROQZh8gafIq_ZEc3anowV3NUkHL6R2MfuS_lr6JVTU-CAImAXetI7KGKJUiWAMJ3nZEpRiwNphO80-7nIeZV4kNSy9pYG2oJL3WDu2/s1600/screenshot.54.jpg)
- Launching Metasploit and using this module, it is easy to get a Meterpreter session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2J-HX8upJ0QnoRqFDhkHiZcqgFRMgLyPm9Ja_WMv28zbgwx2-2ZNJfpWvWf9bPZEtQgVL2gDqcJedcRSOixZIzKFPLPogZ_medGrTpLcygOBM9OCL6Ghh_Hvv9_ul3OMPqcznlP9TwkRb/s1600/screenshot.9.jpg)
- Spawning a shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE8wyG0qzLGewufzaARoT1Y9c1QT8lXCFHIXkmkh0ZQX2E8n48pRttaOZ1j0xW3BZRghAyBPyQmLHZCwqqEHdqe8RYPYvb3N_2ahjoKZvImfC8fE2u9Ck8jqbvUXy7C10xFizAkWFQhoit/s1600/screenshot.10.jpg)
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNNkCAX1ml7cofhf1cmp6IZY9buKTb19K-XbPw1jQJEsMb2Qdm2PdNbgqOmE77O7miJDDYQouEge1gWutzfy7BO6XvhoBd89PQXXfqpgHdNUChPSePBccfenjOsceHM827APgpQhfgMQ1q/s320/screenshot.11.jpg)
5 - PRIVILEGE ESCALATION
- We are lucky because the current user shelly has very powerful sudo privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJqe3ES52eV8YC50TtsvQJYwv1CUYeGG4BR7cTQ4Ph4oquISMla6nxEozVy8km-vVYQVj0T5XXhF9-vrwMnUKHABDKhhSRGByGR-ovp9Kx6ShdLGVJd3R91WbYZnWuXMg7gsHFD9Dhvigs/s400/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSR6XBc7J2_oMRqFXPkq8MfLMTaryDqiLc9NKUJ9L9Ot_rMf6lgNQnhRiGPficpd3PlONKfeoLZ7GRMmRT_nDyWk84pJlihxIO1ipQv8lv4F1heCOy4IQCAYAUQj89uWkZ7JkzLc7zvjUx/s1600/screenshot.13.jpg)
- Now user shelly is able to run a Perl script as root, which yields a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ2VrQueqPxxlI6qaL4cwrAgeLLhwvF0j0c0CGXNWKeIUp3J7DxxXHrUhsj8VrkLrsdAQgSy69X_oK_sNJG9zbcAtTHUDVjWcxvOdbQPSwtLaoeN_2cZjLyZL-tY-7pe9AkEWwPFCzUitk/s1600/screenshot.15.jpg)
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaUNRnzlJJYHRy9sYBH-dOYHPQcyhZrxXNWcdmY6p7_VwCflLwOqoHNSOVmAhVowi6D44ttiTHjqP03l9AquPksNt_55WyuxHSMBrnqRctEbVj6gZVKDvnbdqhMmKXu_nHE5lwSH-A6lUz/s1600/screenshot.16.jpg)