🔬 Bash

Lab 1

🔬 Shellshock

Enumeration

# attacker (Kali) VM interface: eth1@if54460  UP  192.173.104.2/24
# target IP is 192.173.104.3
nmap -sV 192.173.104.3
# 80/tcp open  http    Apache httpd 2.4.6 ((Unix))
  • Check the website via a browser:

    • http://192.173.104.3/

  • View Page Source

    • http://192.173.104.3/gettime.cgi

    • gettime.cgi script can be utilized as the attack vector

  • Check whether the server is vulnerable to Shellshock with the nmap NSE script http-shellshock, pointing it at the CGI script found above:

nmap -sV -p 80 --script http-shellshock --script-args http-shellshock.uri=/gettime.cgi 192.173.104.3

Manual Exploitation

  • Burp Suite can be used to inject the special characters into the User-Agent HTTP header.

    • Configure FoxyProxy in Firefox, select the Burp Suite profile in FoxyProxy and start Burp Suite

    • In the Proxy tab, turn Intercept on

  • Reload the /gettime.cgi page in Firefox and intercept the request in Burp Suite

  • Send the request to the Repeater

  • Replace the User-Agent: header value with the following characters:

  • Send the request and check the response

📌 The target is vulnerable to ShellShock
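The nmap check and the Burp request above both rely on the same thing: mod_cgi copies request headers such as User-Agent verbatim into the CGI script's environment, and an unpatched bash parses any environment value that starts with an empty function definition. The added example below is not part of the lab notes; it is a small defensive detector that looks for that signature in raw HTTP request heads and in Apache combined-format access log lines. The sample requests, log lines and timestamps are constructed for the example, using the lab's own IPs and /gettime.cgi path.

```python
import re
from typing import Dict, Iterable, List

# Signature of the CVE-2014-6271 trigger: a value beginning with "() {", the
# marker pre-patch bash used to import shell functions from the environment.
# IDS rules and the nmap http-shellshock script key on the same prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Request headers that mod_cgi exports into the CGI environment, so they are the
# usual carriers of the injected value.
WATCHED_HEADERS = ("user-agent", "referer", "cookie", "host")

# Apache "combined" log format; the two trailing quoted fields are Referer and User-Agent.
COMBINED_LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$'
)


def parse_request(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x request head into {lowercased header name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                       # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock(raw_request: str) -> List[str]:
    """Return the names of watched headers in one request that carry the signature."""
    headers = parse_request(raw_request)
    return [h for h in WATCHED_HEADERS if h in headers and SHELLSHOCK_RE.search(headers[h])]


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag combined-log lines whose Referer or User-Agent field carries the signature."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                       # not a combined-format line; skip it
        client, when, request, _status, _size, referer, user_agent = m.groups()
        for header, value in (("referer", referer), ("user-agent", user_agent)):
            if SHELLSHOCK_RE.search(value):
                hits.append({"client": client, "time": when, "request": request, "header": header})
    return hits


# Constructed sample traffic (not captured from the lab): one normal Firefox
# request to the CGI script and one carrying a harmless Shellshock-style probe.
BENIGN_REQUEST = (
    "GET /gettime.cgi HTTP/1.1\r\n"
    "Host: 192.173.104.3\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /gettime.cgi HTTP/1.1\r\n"
    "Host: 192.173.104.3\r\n"
    "User-Agent: () { :; }; echo shellshock-test\r\n"
    "\r\n"
)
SAMPLE_LOG = [
    '192.173.104.2 - - [10/Oct/2023:12:00:01 +0000] "GET /gettime.cgi HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '192.173.104.2 - - [10/Oct/2023:12:00:09 +0000] "GET /gettime.cgi HTTP/1.1" 200 312 "-" '
    '"() { :; }; echo shellshock-test"',
]

if __name__ == "__main__":
    print("benign request:", find_shellshock(BENIGN_REQUEST))
    print("probe request: ", find_shellshock(PROBE_REQUEST))
    for hit in scan_access_log(SAMPLE_LOG):
        print("log hit:", hit)
```

The `() {` prefix almost never appears in legitimate header values, so the rule has a low false-positive rate, but it only covers the original CVE-2014-6271 form; the real fix is a patched bash (the later function-import hardening) plus keeping CGI scripts off hosts that still run a vulnerable shell.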

Reverse Shell

  • Set up a listener

  • In Burp Suite, change the command so that it connects back to the netcat listener on the Kali VM. The payload will be:

  • Turn off the Burp Suite proxy listener and FoxyProxy.

Automatic Exploitation

Metasploit module: exploit/multi/http/apache_mod_cgi_bash_env_exec
