Disclaimer:
As per the ToS of HackTheBox, solutions cannot be posted before the machine is retired, so you won't be able to use this post as your way into the described machine, since it'll already be out-of-service.
Let’s begin
Shocker was my second machine, also an easy one (by the ratings), but it was tough to get it. Once I was there, it was straightforward getting the flags. Its IP was 10.10.10.56.
Enumerating
[screenshot: On my machine]
The machine has HTTP and SSH running. No users, no SSH for the moment. I checked HTTP.
HTTP server
Accessing http://10.10.10.56 returned the following page.
[screenshot: Page on http://10.10.10.56]
It meant nothing and the page source code wasn't interesting. Nevertheless, I still thought that the entry point was via web, so I started DirBuster and kept trying to find something.
[screenshot: DirBuster parameters]
[screenshot: DirBuster results]
Note 1: Later I noticed that using DirBuster without changing the default parameters was a mistake.
After some time DirBuster finished running without results. I went back and changed the wordlist used. I selected one that was way larger and the Time to Finish was a few hours. I left it running without hopes and gave up on not checking out the forum. I saw a few answers saying to think about what I was looking for. Of course I didn't know at the time, so I kept reading. Some answers started pointing to some dir in the form xxx-bin.
Ok, I should look for something on cgi-bin, but what? I knew that cgi-bin contents used to be perl scripts. I took note and kept reading. Some comments referred to the name of the machine and one asked something like:
-Should I keep searching for a working shellshock exploit?
-Yes
Now I knew that I should search inside cgi-bin and that the machine had something to do with shellshock. Let's return to DirBuster.
For the sake of conservativeness, I set sh,pl in the File extension field.
[screenshot: DirBuster parameters used on the successful run]
[screenshot: DirBuster successful results]
Note 2: Between the first and successful DirBuster runs, it took about 2 hours.
I was sure that it was the entry point. I curl'ed 10.10.10.56/cgi-bin/user.sh and saw this:
[screenshot: On my machine]
Let's find a shellshock exploit. I asked the internet and it returned this particular page.
So I downloaded it and ran:
[screenshot: On my machine]
Finally!
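As an added example that is not part of the original writeup: a small Python checker for what a defender would hunt for in Apache access logs after an entry like this one, requests to /cgi-bin/ whose User-Agent or Referer header carries the "() {" prefix that unpatched bash treated as an exported function definition. The log lines, IPs and timestamps are constructed sample data, not taken from the box.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log lines, constructed for this example (not from the box).
# Only the first and fourth requests carry the Shellshock function-export prefix.
SAMPLE_LOG = """\
10.10.14.2 - - [04/Feb/2018:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"
10.10.14.2 - - [04/Feb/2018:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.58.0"
10.10.14.3 - - [04/Feb/2018:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.4 - - [04/Feb/2018:10:02:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { _; }; echo x" "Mozilla/5.0"
"""

# Combined log format; payloads containing a literal '"' would not match this simple pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash before the Shellshock patches imported any environment variable starting with
# "() {" as a function and ran whatever followed the body. CGI copies client headers
# into HTTP_* environment variables, so this prefix in a header is the signature to hunt.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose User-Agent or Referer carries the prefix."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "field": field, "status": rec["status"],
                    # a CGI path is where the header actually reaches a shell
                    "cgi_target": rec["path"].startswith("/cgi-bin/"),
                })
    return hits


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} -> {h['path']} via {h['field']} (status {h['status']})")
```

A hit against a /cgi-bin/ path on a host whose bash predates the Shellshock fixes should be treated as a likely compromise, not just a probe.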
Getting a decent shell
Before going for the flags, I wanted a better shell. And so I got one.
[screenshot: On my machine]
[screenshot: On the server]
Then I got a shell!
But... this shell was echoing every key typed. I needed a better shell.
[screenshot: On my machine]
[screenshot: On the server]
[screenshot: On my machine]
Now the shell was decent. Flags, here I come!
Getting the user flag (it was boring)
To score the first points, I had to find the user.txt file, where the flag was. I took the direct approach:
That was very easy. Let’s step up the game.
Getting the root flag (it was cool)
As my first try, I ran the obvious sudo su but it didn't work because the user's password was unknown.
LinEnum
So, there is this awesome enumeration script called LinEnum.sh (that can be found here). Since the box couldn't communicate with the outside world, I had to upload it from my machine and I chose nc to do that.
[screenshot: On my machine]
[screenshot: On the server]
The produced report was named shocker-04-02-18 and I downloaded it via nc (that I'll suppress).
Upon reading it, I saw that /bin/perl could be run as root. At this point, I noticed that I was very close. I could just write a script to print the root flag but that would be pretty boring, right? I'd rather get a root shell just for fun! And so I came up with this simple script:
[screenshot: root.pl]
And proceeded to get the desired shell:
[screenshot: On my machine]
[screenshot: On the server]
And finally I was (g)root!
Alright, the root flag...
Wrapping up
It was hard for me to find the entry point, but after that, it was pretty simple. I noticed that sometimes I overcomplicate stuff, e.g. I think I could have just set up a perl script with system("bash") and got root in a fraction of the time, but I only thought about that hours after. I feel that I lack some enumeration skills and mindset, but that is the purpose of me working on these boxes.
exit(0);