I haven’t done any walkthroughs for a while. So this time I will do a walkthrough of the 0day room, in which we will learn about the ShellShock vulnerability.

Let’s study what ShellShock is before we start playing with the machine.

ShellShock is a vulnerability in the Bash command-line shell. The bug had existed for around 30 years before it was discovered in 2014.

Let’s start!

As usual, we need to deploy the machine before we can play with it.

Information Gathering on 0day

Once the machine is fully up (within about 5 minutes), we can start information gathering by executing the command nmap -sC -sV <IP Address> -Pn

From the nmap result, I found that the following ports are open:

  • 22: OpenSSH 6.6.1p1
  • 80: Apache httpd 2.4.7

Let’s check what is hosted on the website.

*Anyway, I mapped the IP address to the domain name so that requests redirect to the domain URL.

We can assume that Ryan might be one of the users able to access the machine. Looking at the website itself, there is nothing there except a profile of Ryan Montgomery and his social media accounts.

Let’s start enumerating the website by executing the command dirb 0day.thm and hope that we find something useful.

While we wait for dirb to complete, we can also run nikto -h 0day.thm

From the nikto output, I found that /cgi-bin/test.cgi can be exploited via the ShellShock vulnerability. The same path appears in the dirb result, and I also see some backup directories there.

Let’s do some research on the backup file.

When I try to access the machine via SSH, it turns out to be a rabbit hole!

Let’s try the ShellShock vulnerability, because this room is mostly about the ShellShock bug.

Shellshock exploitation

As you can see in the screenshot above, test.cgi is a valid page that returns “Hello World!”

Honestly, I’m not that familiar with ShellShock vulnerabilities, but I did some research and found a website that talks about the ShellShock exploit, as below:

Source: exploit-CVE-2014-6271

Let’s just try the following command and see if anything responds back to us:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \

Before we run the ShellShock command, we need to start a listener for the reverse shell.

So, let’s run the ShellShock command as below:

We should get the reverse shell connection back to us.

Finally, we are in the server via the reverse shell, with www-data privileges.
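From the defender’s side, the request shown above leaves a very recognisable trace: a ShellShock payload is an exported Bash function definition, so every header that carries it starts with the marker “() {”, and CGI scripts are where those headers get copied into the environment. The following Python is an added example for this post (it is not part of the 0day room or the original write-up) that parses Apache combined-format access log lines and flags the ones whose User-Agent or Referer carries that marker. The log lines, the client IP and the timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A ShellShock (CVE-2014-6271) payload is an exported function definition.
# A vulnerable bash kept parsing past the closing brace, so the marker
# "() {" (with optional whitespace) in an HTTP header is the thing to alert on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


@dataclass
class Finding:
    host: str
    time: str
    request: str
    field: str   # which header carried the marker ("agent" or "referer")
    value: str   # the raw header value, for triage


def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_line(line):
    """Return a Finding if a header on this line carries the ShellShock marker, else None."""
    rec = parse_combined(line)
    if rec is None:
        return None
    for field in ("agent", "referer"):
        if SHELLSHOCK_RE.search(rec[field]):
            return Finding(rec["host"], rec["time"], rec["request"], field, rec[field])
    return None


def scan_log(lines):
    """Scan many lines; unparseable lines are ignored rather than aborting the run."""
    return [f for f in (scan_line(l) for l in lines) if f is not None]


# Constructed sample log: one ShellShock probe against the CGI script, one
# ordinary page view, and one plain curl request to the same script.
# The client IP and timestamps are made up for this example.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2021:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 '
    '"-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.14.5 - - [10/Oct/2021:13:55:10 +0000] "GET / HTTP/1.1" 200 1426 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',   # parentheses, but no "() {" marker
    '10.10.14.5 - - [10/Oct/2021:13:55:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 '
    '"-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.request} -> ShellShock marker in {f.field}: {f.value}")
```

The regex deliberately matches only the function-definition marker rather than a specific payload, so a reworded command after the braces is still caught; the benign Mozilla line shows that ordinary parentheses in a User-Agent do not trip it.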

Now, let’s locate and read the users.txt file that is normally stored at /home/<user>, where Ryan is the user for this machine.

Once we have the user flag, we need to look for SUID binaries that look suspicious and that we could exploit to gain root access, by executing the command find / -user root -perm /4000
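What the find command above does is match regular files owned by root with the setuid bit set; the hard part of the check is deciding which of those are suspicious. The Python below is an added example (not part of the 0day room or the original post) that performs the same setuid-root test on stat results and diffs the list against a baseline of binaries that are expected to be setuid on a typical Ubuntu host. The baseline set, the sample paths and the file modes are constructed for the example; a real baseline would be taken from a known-good image of the same release.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int    # st_uid


def is_setuid_root(info):
    """True for a regular file owned by root (uid 0) with the setuid bit set.
    This is the condition `find / -user root -perm /4000` matches."""
    return stat.S_ISREG(info.mode) and bool(info.mode & stat.S_ISUID) and info.uid == 0


def collect(root="/"):
    """Walk the filesystem and return FileInfo for every entry we can stat.
    Directories and files we cannot read are skipped instead of aborting the scan."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink is reported as a link, not as its target
            except OSError:
                continue
            found.append(FileInfo(path, st.st_mode, st.st_uid))
    return found


# Baseline of setuid-root binaries expected on a typical Ubuntu host.
# Constructed for this example; take a real baseline from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/mount",
    "/bin/umount",
}


def unexpected_setuid_root(entries, baseline=EXPECTED_SUID):
    """Return the setuid-root files that are not on the baseline, sorted by path."""
    return sorted(e.path for e in entries if is_setuid_root(e) and e.path not in baseline)


# Constructed sample of what a scan might return on a host with one odd binary.
SAMPLE = [
    FileInfo("/usr/bin/passwd", 0o104755, 0),     # setuid root, on the baseline
    FileInfo("/bin/su", 0o104755, 0),             # setuid root, on the baseline
    FileInfo("/usr/bin/python3", 0o100755, 0),    # root-owned but no setuid bit
    FileInfo("/home/ryan/tool", 0o104755, 1000),  # setuid, but owned by uid 1000, not root
    FileInfo("/opt/backup/runme", 0o104755, 0),   # setuid root and NOT on the baseline
]

if __name__ == "__main__":
    # Replace SAMPLE with collect("/") to audit the machine you are on.
    for path in unexpected_setuid_root(SAMPLE):
        print("unexpected setuid-root binary:", path)
```

Using os.lstat rather than os.stat matters here: a symlink pointing at a setuid binary has mode type S_IFLNK, so it is not reported twice, and the setuid bit is evaluated on the file that actually carries it.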

Escalate to Root Privileges Access

Nothing looks weird to me. Let’s run linpeas.sh to gather operating system information and possible vulnerabilities.

Before we can run linpeas.sh, we need to transfer it from our machine to the victim’s machine, as below:

To execute it, we need to make it executable by running chmod +x linpeas.sh. Then we can run the tool with ./linpeas.sh

LinPEAS reports a vulnerable Linux kernel on the machine. The easiest way to get that information yourself is by typing uname -a

Let’s get an exploit for this kernel version by doing some research on the web or with searchsploit

We have to go through the exploits, and we will be using 37292.c as our exploit for this activity.

We can compile it with gcc, for example gcc <filename> -o <new_filename>

Sadly, the compilation fails, and we need to find a way to work around this.

Exploiting using Metasploit

Let’s cheat using Metasploit just for this machine; type msfconsole to run it.

Hands up! I typed LHOST as LHOSTS. If everything is okay, let’s exploit by executing the command “run” or “exploit”

Now, let’s try to compile it again with gcc <filename>

No error appears when compiling, so I can guess that the compilation is a success.

If the compilation succeeds, an “a.out” file will appear, and we can run it by typing ./a.out. We will receive output like the following:

Let’s check whoami right now.

I now have root access. We can go to the /root/ directory to read the root flag.

We can read the root flag by typing cat root.txt

Happy Learning Guys!