Shocker | HTB Writeup
I started with an Nmap scan and found 2 open ports.
I checked the website. It’s a normal webpage, and I didn’t find anything interesting.
So, without wasting my time, I started directory brute-forcing.
I got a directory which is /cgi-bin/.
Basically, the /cgi-bin/ folder can be exploited through the Shellshock vulnerability if I can find any file in /cgi-bin/.
So I started enumerating that directory using FFUF and got a file.
I used Metasploit for exploitation and got the user flag.
Then I ran sudo -l to list the commands that I can run with root privileges, and I can run the /usr/bin/perl command.
Using GTFOBins, I found out how to exploit it, and now I am the root user.
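
Added example, not part of the original writeup: a defender-side check that scans Apache combined-format access logs for the Shellshock marker (a header value beginning with a bash function definition) and notes whether the request targeted a CGI path like the /cgi-bin/ directory above. The log lines, the script name example.sh and the function name are constructed for illustration, and the command portion of each payload is elided.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Value that begins with a bash function definition, "() {".
# Anchored at the start of the value; whitespace is matched leniently.
FUNC_DEF_RE = re.compile(r'^\s*\(\s*\)\s*\{')


def find_shellshock_attempts(lines, cgi_prefix="/cgi-bin/"):
    """Return one dict per log line whose Referer or User-Agent starts with '() {'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        fields = [f for f in ("referer", "agent") if FUNC_DEF_RE.match(m[f])]
        if fields:
            hits.append({
                "line": lineno,
                "host": m["host"],
                "path": m["path"],
                "fields": fields,
                # Headers only become environment variables of a child
                # process when the request is handled by a CGI script.
                "cgi_target": m["path"].startswith(cgi_prefix),
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log lines (not taken from the writeup).
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 120 "-" "() { :; }; <command elided>"',
    '10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; <command elided>" "curl/8.0"',
    '10.10.14.3 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux) { test }"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a marker sent in any other header will not appear in these logs.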