Shock

https://www.cyberseclabs.co.uk/labs/info/Shock/

Nmap

nmap 172.31.1.3 -p- -A

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:ee:09:94:d5:4b:4a:d9:3b:95:3a:d6:63:e7:98:6f (RSA)
|   256 b9:f8:52:aa:62:02:af:6c:09:ca:dc:3e:7b:b3:94:b7 (ECDSA)
|_  256 53:5d:98:f7:61:e0:57:df:38:96:f9:be:59:77:6c:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Steak House Shock
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP

Looking at our Nmap results, we can start by checking for anonymous login on FTP.

We get no feedback regarding anonymous login, so a manual check is required.

As anonymous login is not allowed on this server, we can check for exploits on vsFTPd 3.0.3 using searchsploit.

I also searched Google and found no current exploits for vsFTPd 3.0.3. Next we can take a look at HTTP on port 80, since this is our next most logical attack vector.

HTTP

http://172.31.1.3/

I have also started a scan with Nikto on this webpage.

Exploitation

Nikto reports that /cgi-bin/test.cgi is possibly vulnerable to the Shellshock exploit. A brief overview of what it is, taken from www.netsparker.com:

PoC

Searching for HTTP Shellshock PoCs brings us to the following by zalalov on GitHub.

Download the Python script and then set it up as per the README:

Start a netcat listener on the attacking machine.

Then call the Python script with the correct arguments for our machine.

After a short amount of time we should get a shell back on our listener.

From here we can perform an upgrade on the shell we currently have.
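
As an added example (not part of the original write-up or of the PoC it references), this is the same request seen from the defender's side: a Python scan of Apache access log lines for the bash function-definition prefix `() {` that Shellshock requests carry in a request header. The log lines and addresses are constructed samples, and the "combined" log format is an assumption about the server's logging configuration.

```python
import re

# One quoted log field; Apache writes embedded quotes as \" so allow escapes.
FIELD = r'"((?:[^"\\]|\\.)*)"'
# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + FIELD + r' (\d{3}) \S+ ' + FIELD + ' ' + FIELD
)
# Bash function-definition prefix, with or without whitespace before the brace.
SHELLSHOCK = re.compile(r'\(\)\s*\{')

def find_shellshock(lines):
    """Return one dict per log line whose logged fields contain the marker."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        host, when, request, status, referer, agent = match.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else ""
        fields = {"request": request, "referer": referer, "user-agent": agent}
        where = [name for name, value in fields.items() if SHELLSHOCK.search(value)]
        if where:
            hits.append({
                "line": number, "host": host, "time": when, "path": path,
                "status": int(status), "fields": where,
                # A hit against a CGI path with a 200 deserves the closest look.
                "cgi": path.startswith("/cgi-bin/"),
            })
    return hits

# Constructed sample lines (documentation address range, harmless echo payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 '
    '"-" "() { :; }; echo constructed-probe"',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"(){ :;}; echo \\"constructed\\"" "curl/7.58.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a marker sent in any other header will not appear in this log and needs a WAF, proxy or packet capture to see.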

Privilege Escalation

Next I uploaded linpeas.sh in an attempt to look for any easy privilege escalation vectors. I started a Python SimpleHTTPServer on my attacking machine pointing at my Linux enumeration scripts.

I then performed wget on the target file.

Once completed, I executed linpeas.sh and waited for it to complete. Once complete, we see we have access to socat using sudo.

Looking at socat on GTFOBins, we see we can call bash with root permissions.

We are now root on the target machine.
