SHOCKER
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Shocker, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Shocker's IP is 10.10.10.56:
- Scanning with Nmap:
- Scanning ports 80 (HTTP) and 2222 (SSH) in more detail:
- Connecting with the browser:
- Dirbusting the web server we find a /cgi-bin folder:
- Dirbusting specifically /cgi-bin for the extensions .php, .txt and .sh:
- Downloading user.sh:
3 - EXPLOITATION
- The vulnerability CVE-2014-6271 (Shellshock) is a bug in bash: when bash imports an exported function definition from the environment, it also executes any command that follows the closing brace. Apache's mod_cgi and mod_cgid modules export HTTP request headers as environment variables (HTTP_USER_AGENT, HTTP_COOKIE and so on) before running a CGI script, so a bash CGI script such as user.sh can be made to run attacker-controlled commands just by sending a crafted header:
- We will follow two ways to exploit the vulnerable machine Shocker:
3.1 - Python exploit
- This Python exploit provides a remote shell after setting a few parameters, as described in its instructions:
https://www.exploit-db.com/exploits/34900
- Copying the exploit locally and giving execution permissions:
- Providing these parameters and running the exploit:
- payload=reverse
- RHOST=10.10.10.56
- LHOST=10.10.14.22
- LPORT=4321
- pages=/cgi-bin/user.sh
3.2 - Metasploit
- There is a Metasploit module for this vulnerability (also known as Shellshock), exploit/multi/http/apache_mod_cgi_bash_env_exec, which targets a bash CGI script through the same header trick:
- Launching Metasploit, setting RHOSTS and TARGETURI (/cgi-bin/user.sh) on this module and running it gives a Meterpreter session:
- Spawning a shell:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- We are lucky: checking with sudo -l shows that the current user shelly has very powerful sudoer privileges, being allowed to run Perl as root:
- Since Perl can spawn other programs, running a Perl one-liner (as root, via sudo) that executes /bin/bash yields a root shell:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: