
Friday, June 10, 2016

SickOs Shellshock Walkthrough

In this article I will walk you through the steps behind exploiting the SickOS challenge machine: how I got to the file containing the flag and solved the challenge.

First, I ran an nmap scan to see what services were available on the machine.



As you can see, only ports 22 and 3128 are open. Since 3128 is the default Squid proxy port, I pointed nikto through that proxy to see what was behind it.




Ignoring the rest of the large output and focusing only on the Shellshock part, you can see that /cgi-bin/status appears to be vulnerable to Shellshock.

In this walkthrough I will exploit Shellshock in a different way from the other walkthroughs you can find online: I will simplify the exploit by using Metasploit to gain root access through the dhclient Bash environment variable injection module that ships with Metasploit. As described in Rapid7's original module post:

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.
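Both vectors this page touches, attacker-controlled HTTP headers reaching a CGI script such as /cgi-bin/status and DHCP option values reaching dhclient's hook scripts, carry the same telltale Bash function-definition prefix. The Python below is an added detection-side example, not code from the original post or from Metasploit; the sample header and option values are constructed, and the option names are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# A Shellshock-style value begins with a Bash function definition, "() { ... }",
# followed by a ";" and trailing commands that a vulnerable Bash would run when
# importing the variable. Whitespace inside the definition is optional, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed sample inputs (not from the original post), as (source, name, value).
# The http rows stand for request headers sent to a CGI script; the dhcp rows stand
# for option values a client such as dhclient exports into its scripts' environment.
SAMPLE_INPUTS: List[Tuple[str, str, str]] = [
    ("http", "User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("http", "User-Agent", "() { :;}; /bin/echo header-test"),
    ("http", "Cookie", "session=abc123"),
    ("dhcp", "host-name", "workstation-07"),
    ("dhcp", "domain-name", "() { ignored;}; /bin/echo dhcp-test"),
    ("dhcp", "domain-name", "corp.example"),
]


def is_shellshock_payload(value: str) -> bool:
    """Return True when the value carries a function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan(inputs: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (source, name) pairs whose value looks like a Shellshock probe."""
    return [(src, name) for src, name, val in inputs if is_shellshock_payload(val)]


if __name__ == "__main__":
    for src, name in scan(SAMPLE_INPUTS):
        print(f"suspicious {src} value in {name}")
```

The same check can be run over web server access logs that record the User-Agent, or over a DHCP server's lease or option logs, to spot a rogue server handing out crafted hostname or domain-name values.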

Let's start PostgreSQL:


Then start the Metasploit framework:


Use the module exploit/unix/dhcp/bash_environment with the appropriate DHCP options, as shown below.


Then launch the attack by issuing the exploit command.


The injection has happened, and in a moment we get a shell with root privileges. What remains is simply to interact with the session, check the shell's privileges, and then cat the flag file. There you go, the challenge is solved.




Thursday, September 11, 2014

Bsides Algiers 2013 - Wargame walkthrough -Video



Last year I contributed to the Bsides Algiers 2013 event, where I was in charge of the final CTF challenge design. The challenge had a wargame format based on two wired servers, Unix Solaris and Debian. The scenario covered web and infrastructure vulnerabilities and was based on real-world cases. The flags were placed so as to guide the challengers along the best path to the end goal: gaining "root" access.


This video contains the walkthrough from my perspective. In one of my following posts I will also publish a written summary explaining the whole scenario.