Shock
https://www.cyberseclabs.co.uk/labs/info/Shock/
Last updated
Looking at our Nmap results, we can start by checking for anonymous login on FTP.
We get no feedback regarding anonymous login, so a manual check is required.
As anonymous login is not allowed on this server, we can check for exploits on vsFTPd 3.0.3 using searchsploit.
I also searched Google and found no current exploits for vsFTPd 3.0.3. Next we can take a look at HTTP on port 80, since this is our next most logical attack vector.
I have also started a scan with Nikto on this webpage.
Nikto reports that /cgi-bin/test.cgi may be vulnerable to the Shellshock exploit. A brief overview of what it is, taken from www.netsparker.com:
Searching for HTTP Shellshock PoCs brings us to the following by zalalov on GitHub.
Download the Python script and then set it up as per the README:
Start a netcat listener on the attacking machine.
Then call the Python script with the correct arguments for our machine.
After a short amount of time we should get a shell back on our listener.
From here we can perform an upgrade on the shell we currently have.
Next I uploaded linpeas.sh in an attempt to look for any easy privilege escalation vectors. I started a Python SimpleHTTPServer on my attacking machine pointing at my Linux enumeration scripts.
I then performed wget on the target file.
Once completed, I executed linpeas.sh and waited for it to complete. Once complete, we see we have access to socat using sudo.
Looking at socat on GTFOBins, we see we can call bash with root permissions.
We are now root on the target machine.
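The Shellshock request against /cgi-bin/test.cgi leaves a trace on the server side. The following is an added example, not part of the original walkthrough or the PoC it uses: a Python function that scans Apache combined-format access log lines for a Referer or User-Agent value that begins with a bash function definition. The function name, the log format and the sample log lines are assumptions made for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# Apache writes a quote inside a logged header as \" so each quoted field allows backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED)

# Vulnerable bash treats an environment value as a function definition only when
# it starts with these four characters; CGI copies request headers into the environment.
FUNC_PREFIX = "() {"

def find_shellshock_requests(lines):
    """Return one dict per logged request whose Referer or User-Agent starts with FUNC_PREFIX."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skipped rather than guessed at
        host, when, request, status, referer, agent = m.groups()
        parts = request.split(" ")
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        for field, value in (("referer", referer), ("user-agent", agent)):
            if value.startswith(FUNC_PREFIX):
                hits.append({
                    "host": host, "time": when, "path": path, "status": int(status),
                    "field": field,
                    # Header values only reach bash when the target is a CGI script.
                    "targets_cgi": path.startswith("/cgi-bin/") or path.endswith(".cgi"),
                })
    return hits

# Constructed sample log lines (documentation IP ranges); the trailing command is a harmless echo.
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 31 "-" "() { :; }; echo \"constructed\""',
    r'198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /about.html?id=1 HTTP/1.1" 200 77 "() { :; }; echo constructed" "curl/8.0"',
    r'192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /app.js HTTP/1.1" 200 900 "-" "x function() { return 1 }"',
]

if __name__ == "__main__":
    for hit in find_shellshock_requests(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a payload carried in any other header will not appear in this log. Hits with `targets_cgi` set are the ones to triage first, since those requests reached a script that can hand header values to bash.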