The IP address of the retired machine is 10.10.10.56.
Ran nmap with the options below (the target is the machine's IP from above):
nmap -sC -sV -oA nmap_output 10.10.10.56
Observe that port 80 is open, so let's visit the web page on port 80.
Observe that the home page shows a bug and the machine name is Shocker, so I guessed it has something to do with Shellshock.
I ran dirbuster and found /cgi-bin, but it returned a 403 error.
So I ran dirbuster against /cgi-bin with the options below, including the file extension sh, because we need a script through which we can run commands.
Observe that user.sh returns a 200 response.
Use the shocker.py file from the GitHub project below:
A tool to find and exploit servers vulnerable to Shellshock - nccgroup/shocker
Open a netcat listener on the attacker machine and run shocker.py to get a reverse connection.
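From the defender's side, the same CGI request that shocker.py sends leaves a clear trace in the web server's access log: a Shellshock payload begins with a bash function definition, "() {", placed in a header value that the CGI handler exports into the environment. The following script is an added example (not part of this writeup or of the nccgroup tool); it parses Apache combined-format lines and flags any request whose request line, Referer or User-Agent carries that marker. The log lines are constructed samples, and the field names and regexes are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (not real traffic
# from the box). Line 2 carries the Shellshock marker in the User-Agent header,
# line 3 carries it in the Referer header; lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo probe"
10.0.0.9 - - [10/Oct/2023:12:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { _; }; echo probe" "curl/7.68.0"
10.0.0.7 - - [10/Oct/2023:12:00:04 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Shellshock payloads open a bash function definition in a header value:
# "() {" with optional whitespace. Matching only that prefix keeps the rule
# independent of whatever command follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Header-derived fields that a CGI server exports as environment variables,
# which is the path by which the crafted value reaches bash.
CHECKED_FIELDS = ("request", "referer", "user_agent")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_field(entry: Dict[str, str]) -> Optional[str]:
    """Return the name of the first checked field carrying the marker, else None."""
    for field in CHECKED_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan log text and return one finding per line that carries the marker."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable line: skip it rather than abort the whole scan
        field = find_shellshock_field(entry)
        if field is not None:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "request": entry["request"],
                "field": field,
                "value": entry[field],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["request"]} [{f["field"]}] {f["value"]}')
```

Run it against a real access log by passing the file contents to scan_log. The marker check is deliberately loose (only the function-definition prefix), so it catches probes as well as full exploit attempts; a 200 response on a /cgi-bin path together with a hit here is the combination worth alerting on.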
Observe that we got a shell; let's see which programs can be run with sudo.
Observe that the shell user can run perl with sudo permissions, so spawn a shell from perl so that the shell runs with root's euid.
Yaay! We got root privileges, as seen in the image above, by running:
perl with the -e option to execute /bin/bash.
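The root step works because an interpreter run through sudo can exec a shell that keeps root's effective UID, so any sudoers rule granting an interpreter or a shell is as good as granting ALL. The following script is an added example (not from this writeup); it audits sudoers-style rules and flags commands that are ALL or whose basename is a shell-capable interpreter. The sudoers content is a constructed sample (the user name cgiuser and the other rules are invented), and the interpreter set is an assumed baseline rather than an exhaustive list.

```python
import os
import re
from typing import Dict, List

# Constructed sudoers content (not the real file from the box). The cgiuser
# entry mirrors the finding in the writeup: an interpreter allowed via sudo.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
cgiuser ALL=(root) NOPASSWD: /usr/bin/perl
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/local/bin/backup.sh
ops ALL=(root) /usr/bin/systemctl restart apache2
"""

# Interpreters and shells: any of these, run under sudo, can exec a shell that
# inherits root's euid, which is exactly what perl -e did on this box.
# Assumption: a baseline set, not an exhaustive list.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "bash", "sh", "dash", "zsh"}

# user host=(runas) [tags:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips NOPASSWD:, SETENV:, ... prefixes


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per sudo command that is ALL or a shell-capable interpreter."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue  # aliases and other directives are outside this check
        for spec in m.group("cmds").split(","):
            spec = TAG_RE.sub("", spec.strip())
            command = spec.split()[0] if spec else ""
            if command == "ALL":
                reason = "any command"
            elif os.path.basename(command) in SHELL_CAPABLE:
                reason = "interpreter/shell can spawn a root shell"
            else:
                continue
            findings.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "root",  # sudoers defaults to root when omitted
                "command": command,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f'{f["user"]} -> ({f["runas"]}) {f["command"]}: {f["reason"]}')
```

The fix for a rule like the cgiuser one is to grant only the specific script with fixed arguments that the user actually needs, never the interpreter itself. The root line is reported too, so filter on user if you only want findings for unprivileged accounts.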