Hi all, let’s pwn this box.
You can find the machine here: Sumo
Let’s start as always with an nmap scan.
Let’s enumerate HTTP; I always run gobuster/dirb.
Fucking weird, always hate when that happens haha, but cgi-bin was scratching my mind; it seems like an exploitation vector for Shellshock! Let’s run nikto.
Bingo! Let’s exploit it manually. In two words, Shellshock is a code injection attack on bash 4.3 and earlier. We can exploit it with msf, or with another tool, but I’ll go the manual way.
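Seen from the web server's side, requests like these leave a recognisable trace in the access log. The following is an added example, not part of the original write-up: it scans a combined-format access log for the bash function-definition prefix in the logged request fields. The log lines, the `/cgi-bin/test` path and the IP addresses are constructed for illustration.

```python
import re

# Apache/nginx "combined" format: ip - - [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash function-definition prefix "() {" that Shellshock relies on; spacing varies.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log (documentation IPs, assumed CGI path, commands elided).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/test HTTP/1.1" 200 14 "-" "() { :;}; [command elided]"
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/test HTTP/1.1" 200 14 "( ) {  x;}; [command elided]" "curl/7.58.0"
192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/test HTTP/1.1" 200 14 "-" "Mozilla/5.0"
truncated line that does not parse
"""


def find_shellshock_attempts(log_text):
    """Return (hits, unparsed_line_numbers) for an access log given as text."""
    hits, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            # Escaped quotes or truncation break the parser: never drop such
            # lines silently, and still test the raw text for the signature.
            unparsed.append(lineno)
            if FUNC_DEF_RE.search(line):
                hits.append({"line": lineno, "ip": None, "field": "raw", "cgi": None})
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_DEF_RE.search(m.group(field)):
                hits.append({"line": lineno, "ip": m.group("ip"), "field": field,
                             "cgi": "/cgi-bin/" in m.group("request")})
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = find_shellshock_attempts(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("unparsed lines:", skipped)
```

A default access log records only the request line, Referer and User-Agent, so an injection carried in any other header is invisible to this check and needs a WAF or full request capture to spot.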
Great, let’s spawn a shell.
We have a shell!
After a lot of enumeration I found nothing, so I tried to search for kernel exploits. Let’s check the kernel version.
Let’s search for an exploit.
The first one seems interesting, let’s test it out. I had trouble compiling it but I found the solution; if you can’t compile it, do this:
www-data@ubuntu:/tmp$ export PATH=$PATH:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
ld PATH was missing.
Let’s compile & run it now.
Let’s read the flag.
Easy one, see you!