Shock is a linux machine hosted by CyberSecLabs. Start by doing an NMap scan of the machine.

FTP doesn’t allow anonymous login. Moving up to port 80 we can find a website. Running nikto shows us that the website is vulnerable to Shellshock.

Fire up Burpsuite, access the path given by nikto (http://shock.csl/cgi-bin/test.cgi) and intercept the request. Create a nc listener and edit the UA as follows to get a reverse shell:

Send the request and check your listener. You should have received the connection.

By doing some enumeration you’ll come across socat which can be ran as root.

Checking GTFOBins it seems they have listed a few ways of abusing socat. The one that interests us is the SUDO one. In order to privesc you can run sudo socat stdin exec:/bin/sh to spawn a privileged shell.

Hope you enjoyed doing this box and you’ve learned something.