I haven’t done any walkthrough for a while. So I will do a walkthrough of the 0day room, in which we will learn about a vulnerability called ShellShock.

Let’s study what ShellShock is before we start playing with the machine.

ShellShock is a vulnerability (bug) in the Bash command-line shell. It had existed for around 30 years before it was discovered in 2014. The bug is that Bash would parse a function definition stored in an environment variable and then execute any commands that followed it, so any program that copies attacker-controlled input into environment variables (such as a web server running a CGI script) could be made to run commands.
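To make the mechanism concrete, here is the widely published one-line Shellshock check wrapped in a small script, so you can verify that a host is patched. This is my added example, not part of the room or the original post; the marker string and the choice of variable name x are my own.

```python
import shutil
import subprocess

# Constructed marker: a patched bash never prints it, because it stops
# importing the variable after the function body "{ :; }".
MARKER = "cve-2014-6271-marker"


def bash_vulnerable_to_cve_2014_6271(bash_path=None):
    """Run the well-known one-line Shellshock check against the local bash.

    The variable x is exported with a function definition followed by an
    extra command. A vulnerable bash parses the whole value when it imports
    the environment and runs the trailing "echo"; a patched bash ignores
    anything after the function body.

    Returns True (vulnerable), False (patched) or None (no bash found).
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :; }; echo " + MARKER}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe"],
            env=env, capture_output=True, text=True, timeout=10, check=False,
        )
    except FileNotFoundError:
        return None
    return MARKER in proc.stdout


if __name__ == "__main__":
    result = bash_vulnerable_to_cve_2014_6271()
    if result is None:
        print("bash not found on PATH")
    else:
        print("bash is", "VULNERABLE" if result else "patched (CVE-2014-6271)")
```

On a patched system the trailing echo never runs and the function returns False; that is the result a patch-verification job should expect.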

Let’s start!

As usual, we need to deploy the machine in order to play with it.

Once the machine is fully up (within about 5 minutes), we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

From the nmap result, I found that the following ports are open:

  • 22: OpenSSH 6.6.1p1
  • 80: Apache httpd 2.4.7

Let’s check what is stored on the website.

*Anyway, I added the IP address so that it resolves to the domain URL (0day.thm).

We can assume that Ryan might be a user who is able to access the machine. Looking at the website itself, there’s nothing there except a profile of Ryan Montgomery and his social media accounts.

Let’s start enumerating the website by executing the command dirb 0day.thm and hope that we find something useful.

While we wait for dirb to complete, we can also run nikto -h 0day.thm

From the nikto output, I found that /cgi-bin/test.cgi can be exploited via the ShellShock vulnerability. The same finding appears in the dirb result, and I also saw a backup directory in the result.

Let’s do some research on the backup file.

When I tried to access the machine via SSH, it turned out to be a rabbit hole!

Let’s try the ShellShock vulnerability, because this room is mostly about the ShellShock bug.

As you can see in the screenshot above, test.cgi is a valid page that returns “Hello World!”

Honestly, I’m not that familiar with ShellShock vulnerabilities, but I did some research and found a website that talks about the ShellShock exploit, shown below:

Source: exploit-CVE-2014-6271

Let’s just try the following command and see if anything responds back to us

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://localhost:8080/cgi-bin/test.cgi
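Seen from the defender’s side, a request like the one above leaves a very distinctive trace in the web server log: the header value starts with the Bash function-definition prefix “() {”, which no browser ever sends. Here is an added example (my code, not from the room or the original post) that scans Apache combined-format access log lines for that prefix in the User-Agent or Referer header. The log lines are constructed samples, not taken from the machine.

```python
import re

# Constructed sample lines in Apache "combined" log format (not from the
# room's machine). Two of them carry the "() {" function-definition prefix
# that Shellshock probes rely on; the others are ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:12:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '10.0.0.6 - - [10/Oct/2020:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2020:12:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; /bin/bash -c \'uname -a\'" "curl/7.68.0"',
    '10.0.0.8 - - [10/Oct/2020:12:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# A Bash function export starts with "()" followed by "{"; a browser never
# sends that in a header, so it is a high-confidence indicator.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Return one finding per request whose User-Agent or Referer header
    carries a Bash function-definition prefix. Each finding records which
    header field carried it, the requested path, the response status and
    whether the target was a CGI path (where the header reaches Bash via
    the environment)."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        for field in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(entry[field]):
                parts = entry["request"].split()
                path = parts[1] if len(parts) > 1 else ""
                findings.append({
                    "ip": entry["ip"],
                    "path": path,
                    "field": field,
                    "status": int(entry["status"]),
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
                break  # one finding per request is enough
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['field']} "
              f"(HTTP {f['status']}, cgi={f['cgi_target']})")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file’s lines. A hit against a /cgi-bin/ path that returned 200 is the one to investigate first, because that is exactly the situation this room exploits.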

Before we can run the ShellShock payload, we need to start a listener for the reverse shell.

So, let’s run the ShellShock command shown below:

We should get the reverse shell connection back to us.

Finally, we are in the server via the reverse shell, and we have www-data privileges on the server.

Now, let’s locate and read the users.txt file, which is normally stored in /home/<user>, where Ryan is the user for this machine.

Once we have the user flag, we need to look for SUID binaries that look suspicious and could be exploited to gain root access, by executing the command find / -user root -perm /4000

Nothing looks weird to me. Let’s try running linpeas.sh to gather operating system information and possible vulnerabilities.

Before we can run linpeas.sh, we need to transfer it from our machine to the victim machine, as shown below:

In order to execute it, we make it executable by running chmod +x linpeas.sh. We can then run the tool with ./linpeas.sh

We got 3.13.0.12-generic as a vulnerable Linux kernel on the machine. The easiest way to get that information is by typing uname -a

Let’s get the exploit by doing some research on the web or with searchsploit

We went through the exploits and will use 37292.c as our exploit for this activity.

We can compile it using the gcc command, such as gcc <filename> -o <new_filename>

Sadly, the compilation failed, and we need to find a workaround for this.

Let’s cheat by using Metasploit just for this machine; we need to type msfconsole to run it

Just a heads up! I typo’d LHOST as LHOSTS. If everything is okay, let’s exploit by executing the command “run” or “exploit”

Now, let’s try compiling it again using gcc <filename>

No error appeared during compilation, so I can assume the compilation was a success.

If the compilation is a success, an “a.out” file will appear, and we can run it by typing ./a.out; we will receive output like the following:

Let’s check whoami right now

We have root access. We can go to the /root/ directory to read the root flag

We can read the root flag by typing cat root.txt

-THE END-

Happy Learning Guys!

By Wan Ariff

He brings with him working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
