Shocker Writeup
Without Metasploit
Reconnaissance
Initial Nmap scan to find open ports, treating all hosts as online (-Pn).
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 80, 2222
(-oN nmap): Saving the output to a file called nmap
Enumeration
Let's visit the website.
It is just a few words and an image, and there is nothing of interest in the source code, so let's use Gobuster to find hidden directories on the web server.
We only got one directory, and we did not have access to it. After thinking for a while, I considered why the machine is named "Shocker". There was only one port for us to enumerate, port 80, a web server, so I went to Google and searched something along the lines of "Shocker website vulnerabilities", and found a vulnerability called "Shellshock". Further research told me that this vulnerability affects web servers that use CGI (Common Gateway Interface), a mechanism for generating dynamic web content. With CGI we usually see directories like /cgi-bin and /cgi-sys, so I tried directories like that.
That gave a 404 Not Found error. Looking at the next tab, I thought, why not add a slash at the end of the URL and see what it does? To my surprise, it gave a 403 Forbidden error, which means the directory exists but we are not allowed to access it. I was then curious whether adding "/" to every directory Gobuster searched for would give different results, as this experiment did. The (-f) flag appends "/" to every directory search.
We were not allowed to access "icons", so let's try searching for directories or files in /cgi-bin/ with some common extensions. The (-x) flag specifies the extensions to try.
Looks like we found a file; let's check what it contains.
When visiting the page, we are given the option of downloading the file.
Exploitation
We do not have any information other than this bash script, and the response also has "Content-Type: text/plain", which is interesting. What is the number one tool for web exploitation? Burp Suite, so let's check it out there. I captured the request to the script and sent it to Repeater.
We know from our enumeration that this is vulnerable to Shellshock, so I went to Google and searched for it, and found an article showing how a reverse shell could be sent through the web server to get a shell on our machine, so I tried that.
We have to use a tool called "curl" , a tool that is used to send web requests to a webserver using our terminal.
We also start a Netcat listener.
When you hit enter on the command, you get a reverse shell, but as a low-privilege user.
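From the defender's side, the CGI/Shellshock discussion above and the exploitation step have a simple log footprint: the bash function-definition prefix "() {" arriving in an HTTP header or query string of a request to /cgi-bin/. The following Python is an added example, not part of the original writeup; the access log lines, the client IP and the /cgi-bin/example.sh path are constructed placeholders. It parses Apache combined-format lines and flags entries whose request line, Referer or User-Agent carries that prefix, URL-decoded or not.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not from the original box).
# Line 3 carries the well-known Shellshock test string in the User-Agent;
# line 4 carries the same "() {" prefix URL-encoded in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2023:10:01:05 +0000] "GET /cgi-bin/ HTTP/1.1" 403 293 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2023:10:01:09 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"
10.0.0.5 - - [12/Oct/2023:10:01:11 +0000] "GET /cgi-bin/example.sh?x=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 200 118 "-" "curl/7.68.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The function-definition prefix that a vulnerable bash parses from any
# environment variable; CGI copies request headers into the environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_attempt(entry):
    """True if any attacker-controlled field contains the "() {" prefix (after URL-decoding)."""
    for field in ("request", "referer", "ua"):
        if SHELLSHOCK_RE.search(unquote(entry[field])):
            return True
    return False


def scan_log(text):
    """Return (ip, timestamp, request) for every line that looks like a Shellshock probe."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            hits.append((entry["ip"], entry["ts"], entry["request"]))
    return hits


if __name__ == "__main__":
    for ip, ts, req in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} shellshock-pattern in: {req}")
```

The same pattern is what a WAF or IDS rule matches; the durable fix is patching bash (the CVE-2014-6271 family) and not exposing CGI scripts that spawn a shell.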
Privilege Escalation
Let's run "sudo -l" to see what we can run as root.
Looks like we can run /usr/bin/perl as root without a password, so let's go to GTFOBins and find the command that lets us escalate privileges to root. The command is:
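The sudoers rule that made this escalation possible is a misconfiguration an administrator can find before an attacker does: a NOPASSWD entry for an interpreter (perl here) is equivalent to granting full root. The following Python is an added example, not from the original writeup; the sudoers excerpt and the "webuser" account are constructed placeholders. It parses user-specification lines and flags passwordless rules whose target is a shell or interpreter.

```python
import re

# Constructed /etc/sudoers excerpt (not from the original box); "webuser" is a placeholder.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webuser ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/bin/systemctl restart app
"""

# Binaries that can run arbitrary code or spawn a shell once started as root.
INTERPRETERS = {
    "perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash",
    "zsh", "vim", "vi", "awk", "find", "env",
}

# who host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return user-specification rules as dicts; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"who": m.group("who"), "runas": m.group("runas"),
                      "tags": tags, "cmds": cmds})
    return rules


def audit(rules):
    """Return (who, command, reason) for passwordless rules that amount to unrestricted root."""
    findings = []
    for r in rules:
        if "NOPASSWD" not in r["tags"]:
            continue
        for cmd in r["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((r["who"], cmd, "passwordless sudo for any command"))
            elif binary in INTERPRETERS:
                findings.append((r["who"], cmd,
                                 f"passwordless {binary} as {r['runas']} can execute arbitrary code"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd}: {reason}")
```

The remediation is to drop the NOPASSWD tag and replace the bare interpreter with a wrapper script that takes no attacker-controlled arguments, then re-check with "sudo -l" as that user.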
And we are root!