Shocker
OS: Linux
IP: 10.10.10.56
User: 2ec24e11320026d1e70ff3e16695b233
Root: 52c2715605d70c7619030560dc1ca467
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Shellshock
User can execute perl as root.
Nmap
Webapp reveals little and nothing hidden in the image.
Dirb revealed only cgi-bin and considering the name we need to look for a script of some sort to see if it is vulnerable to shellshock, common ones include .sh
Run a dirb scan in cgi-bin looking for files with the extension .sh to see if we can find any files.
User.sh was found.now we need to test it for shellshock.
Copy to local dir and send the command as follows:
Looking for privesc opportunities we see that we can run perl as a root user.
Copy a perl rev shell to current dir and modify as follows
Upload to the target and execute while listening on port 445:
Now you should receive a reverse root shell so collect the flag.
