Hack The Box — Shocker Writeup w/o Metasploit

Rana Khalil
6 min readOct 14, 2019

This is the 7th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJnull can be found here.

Let’s get started!


First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

nmap -sC -sV -O -oA htb/shocker/nmap/initial
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file nmap/initial

We get back the following result showing that two ports are open:

  • Port 80: running Apache httpd 2.4.18
  • Port 2222: running OpenSSH 7.2p2

Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.

Let’s run an nmap scan that covers all ports.

nmap -sC -sV -O -p- -oA htb/shocker/nmap/full

We get back the following result. No other ports are open.

Similarly, we run an nmap scan with the -sU flag enabled to run a UDP scan.

nmap -sU -O -p- -oA htb/shocker/nmap/udp

I managed to root the box and write this blog, while this UDP scan still did not terminate. So for this blog, I don’t have the UDP scan results.


Let’s enumerate more on the open ports.

SearchSploit does not generate any useful exploits that we can use.

searchsploit --id httpd
searchsploit --id openssh 7.2p2