As always, I started with nmap to enumerate the open ports and to see what information I could take advantage of.
Since it's less likely I can take advantage of that open ssh server, I turned my attention to the open port 80, which hosts a simple website with the text "Don't Bug Me!" and an image of an animated bug swinging a hammer.
I knew I had to go for directory busting on the target IP address. However, no matter how many times I tried, gobuster returned only server-status, which is not what I was looking for. I found this very strange, so I researched and learned the following:
Typically, most webservers will handle a request to a directory without a trailing slash by sending a redirect to the same path but with the trailing slash. Tools like dirsearch and dirbuster actually take the input wordlists and loop over each entry, sending two requests, with and without the trailing slash. This is really helpful in a case like this, but it doubles the number of requests sent and the time taken. With gobuster, you have the -f option to force adding the trailing slash to the end of directories.
Now, with the -f option added, we found the cgi-bin and icons directories.
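To see the trailing-slash behaviour described above for yourself, here is an added example (not from the original post) that starts a stock Python file server on a loopback port, serving a throwaway directory that contains cgi-bin and icons subdirectories, and then requests each name with and without the slash while refusing to follow redirects. The directory names and the "missing" control name are constructed for the demonstration; the point is that the two spellings of the same directory get different answers, so a scan that sends only one of them can miss it.

```python
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


class QuietHandler(SimpleHTTPRequestHandler):
    """Stock directory-serving handler with per-request logging silenced."""

    def log_message(self, fmt, *args):
        pass


def start_local_server(subdirs):
    """Serve a fresh temporary directory containing `subdirs` on a random
    loopback port. Returns (server, port); call server.shutdown() when done."""
    root = tempfile.mkdtemp(prefix="slashdemo-")
    for name in subdirs:
        os.makedirs(os.path.join(root, name))
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, path):
    """One GET with redirects NOT followed; returns (status, Location header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def compare(port, names):
    """For each candidate name, request it both without and with a trailing slash.
    A plain file server answers the slashless form with a 301 to the slashed form,
    the slashed form with 200, and a name that does not exist with 404."""
    results = {}
    for name in names:
        status_plain, location = probe(port, "/" + name)
        status_slash, _ = probe(port, "/" + name + "/")
        results[name] = {
            "without_slash": status_plain,
            "with_slash": status_slash,
            "location": location,
        }
    return results


if __name__ == "__main__":
    server, port = start_local_server(["cgi-bin", "icons"])  # constructed names
    try:
        for name, r in compare(port, ["cgi-bin", "icons", "missing"]).items():
            print(f"/{name:8} -> {r['without_slash']} (Location: {r['location']})"
                  f"   /{name}/ -> {r['with_slash']}")
    finally:
        server.shutdown()
        server.server_close()
```

A scanner that only counts 200 responses as hits would report nothing for the slashless requests here; sending both forms, or forcing the slash as gobuster -f does, is what makes the directory visible.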
I ran another gobuster scan to find files under the /cgi-bin/ directory. This time, I used the -x option to search for files with particular extensions, and found user.sh.
user.sh contained nothing interesting but an uptime script.
I found this exploit on Exploit-DB, which describes an RCE vulnerability in Bash when invoked through Apache CGI.
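From the defender's side, the bug described above (Bash executing commands appended to a function definition that Apache hands it through a CGI environment variable) leaves a recognisable trace in the web server's access log, because the trigger string usually arrives in a request header such as User-Agent, which Apache's combined log format records. The following detection script is an added example, not part of the original post or of the exploit it references: it parses combined-format log lines, flags any request whose request line, Referer or User-Agent starts a Bash function definition, and raises the confidence when the target sits under /cgi-bin/. The three log lines are constructed for the demonstration.

```python
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Marker of the trigger: a header value that begins with a Bash function
# definition "() {". Apache copies request headers into CGI environment
# variables, which is how such a value reaches Bash at all.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line):
    """Return the fields of one combined-format access-log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(entry):
    parts = entry["request"].split(" ")
    return parts[1] if len(parts) >= 2 else ""


def classify(entry):
    """Reasons this entry looks like a CGI/Bash attempt (empty list = benign)."""
    reasons = []
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            reasons.append(f"bash function definition in {field}")
    if reasons and request_path(entry).startswith("/cgi-bin/"):
        reasons.append("target is a CGI script")
    return reasons


def scan(lines):
    """Run classify() over raw log lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({
                "ip": entry["ip"],
                "path": request_path(entry),
                "status": int(entry["status"]),
                "reasons": reasons,
            })
    return alerts


# Constructed sample lines (not from any real host): two ordinary requests and
# one carrying the function-definition marker in the User-Agent header.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"',
    '10.0.0.5 - - [10/Oct/2023:12:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo shellshock-probe"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The marker regex deliberately matches the function-definition prefix rather than any particular payload, since the commands after the closing brace vary; in practice the same check should also cover any other headers your LogFormat records, because Apache exports all of them to CGI.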
I copy-pasted the exploit code into vim.
The writer of this exploit kindly specified how to use it.
This error indicates that the original script is written in Python 2, but I'm running it with Python 3, where print statements require parentheses. So I'm going to run it with the python2 prefix instead.
Got the reverse shell! I'm logged in as the user named shelly, and I found the user flag.
I ran the sudo -l command to see which commands I (the user named shelly) am permitted to run with sudo privileges.
It appears we can run the /usr/bin/perl command as root with no password required.
I got the root shell using the following command:
sudo /usr/bin/perl -e 'exec "/bin/sh";'