Shocker – No Metasploit

Cool… let’s get started with a portscan and basic gobuster enumeration:

Okay. Let’s have a look at the website:

Hm. Seemingly useless dead end.

I thought I was missing something. No matter how much I try to enumerate, I come up short with nothing:

Then, after doing A LOT of research, I found out that cgi-bin stores scripts in other languages such as Python, JS, bash, PHP, etc.

Let me try fuzzing that with those specific extensions:

Finally a hit: user.sh

Googling for cgi-bin and sh web exploits, shellshock came up… I looked into it more and learned that I had to put a special shellshock string into the User-Agent field to exploit the vulnerability, followed by the command to run.

And we get a callback on our listener:

Note: Usually I would have tested the above exploit with a ping first, but at this point I was extremely frustrated and just wanted to go for it.
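From the defender's side, the same trick leaves a clear signature: Apache's mod_cgi exports the User-Agent and Referer headers into the CGI script's environment, and bash only mis-parses values that start with a function definition (`() {`). The following detector, added here as an example and not part of the original write-up, parses Apache combined-format access log lines (constructed for this example, including the IP addresses and timestamps) and flags requests that carry that prefix.

```python
import re

# Apache "combined" log format; regex and sample lines are constructed for
# this example and are not taken from the box itself.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 (shellshock) fires when bash imports an environment variable
# whose value begins with a function definition. mod_cgi copies User-Agent and
# Referer into HTTP_USER_AGENT / HTTP_REFERER, so "() {" in either header is
# the thing to alert on; plain parentheses or braces in a normal UA are not.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if unparseable."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_attempt(entry: dict) -> bool:
    """True if a header mod_cgi would export carries a bash function prefix."""
    return any(SHELLSHOCK_RE.search(entry[h]) for h in ("ua", "referer"))


def scan_log(lines):
    """Return one dict (ip, path, header) per suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # a real pipeline would count unparseable lines too
        if is_shellshock_attempt(entry):
            hits.append({"ip": entry["ip"], "path": entry["path"],
                         "header": entry["ua"] or entry["referer"]})
    return hits


# Constructed sample log: two ordinary requests (one with braces and
# parentheses in a benign UA), then a probe against the cgi-bin script.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Jan/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux) {build}"',
    '10.10.14.5 - - [10/Jan/2024:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"shellshock attempt from {hit['ip']} on {hit['path']}: {hit['header']!r}")
```

The same check can be pointed at HTTP_COOKIE or other exported headers if the server forwards them; on Shocker the User-Agent path is the one that matters.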

Grabbing the user flag:

Okay. Now on to priv esc. I always like to do sudo -l as one of the first enumeration commands:

duh. So I can run any perl command as root. This should be pretty obvious, but from here all you need to do is run sudo /usr/bin/perl and then either use pentestmonkey’s Perl reverse shell one-liner to get a root shell OR just use Perl syntax to switch to the root user. Leaving this open-ended for you to figure out the rest!
