⚡Shocker
https://app.hackthebox.com/machines/Shocker
Starting with an Nmap scan, we see 2 ports open, mainly the HTTP web server on port 22.
Let's try to find directories:
index does not seem so important ->
but the other directories are forbidden:
after further enumeration, I found this user.sh:
and when we go to the resource, it downloads the file:
captured the packet where the script was:
found this super website https://www.sevenlayers.com/index.php/125-exploiting-shellshock
on how to exploit this type of environment:
so we got an RCE, let's try to abuse it. First we get a listener going:
after a bit of debug on the reverse shell user agent command:
and the rest is history:
then quick enum for privesc:
Now we see we can run perl as sudo -> let's go see GTFOBins
Ez win on this privesc ->
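
Seen from the defender's side, the request used above carries its payload in the User-Agent header, so it leaves a trace in the web server's access log. The following is an added example, not part of the original writeup: a scan of Apache combined-format log lines for the Shellshock function-definition marker. The log lines are constructed, and the `/cgi-bin/` path and the script suffixes are assumptions.

```python
import re

# Apache "combined" log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Vulnerable bash parses an environment value that starts with "() {" as a function
# definition. Whitespace is matched loosely: over-matching is acceptable for triage.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def is_cgi(path):
    # Assumption: CGI scripts live under /cgi-bin/ or carry a script suffix.
    path = path.split("?", 1)[0]
    return path.startswith("/cgi-bin/") or path.endswith((".sh", ".cgi", ".pl"))

def find_shellshock_attempts(lines):
    """Return one finding per log line whose request or headers carry the marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format: skipped rather than guessed at
        fields = [f for f in ("request", "referer", "agent")
                  if SHELLSHOCK_RE.search(m.group(f))]
        if not fields:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        # A 200 on a CGI path means the script ran with these headers in its environment.
        executed = m.group("status") == "200" and is_cgi(path)
        findings.append({"line": lineno, "host": m.group("host"), "path": path,
                         "fields": fields, "priority": "high" if executed else "review"})
    return findings

# Constructed sample log (documentation addresses, placeholder instead of a command).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; <constructed-command>"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; <constructed-command>" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock_attempts(SAMPLE_LOG):
        print(finding)
```

The combined format records only the Referer and User-Agent headers, so a marker sent in any other header will not appear in this log.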