Web


Nmap discovered a web server running on the target's port 80. The service running is Apache httpd 2.4.18.

Webroot

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.56/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
.htpasswd               [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 102ms]
.htaccess               [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 102ms]
cgi-bin/                [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 93ms]
server-status           [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 94ms]
:: Progress: [20476/20476] :: Job [1/1] :: 431 req/sec :: Duration: [0:02:55] :: Errors: 240 ::

While the web server's responses were extremely slow, ffuf found a directory: /cgi-bin/

The /cgi-bin/ directory is a conventional directory on web servers whose name stands for “Common Gateway Interface - Binary.” It is a special directory used for running executable scripts or programs on the web server, which generate dynamic content for a website.

Scripts and programs in the /cgi-bin/ directory are typically written in languages such as Perl, Python, or Bash, although other languages can also be used. They can be used to perform a variety of tasks, such as processing form data, generating dynamic web pages, or performing server-side operations like database queries or file manipulation.

/cgi-bin/


403 on the /cgi-bin/ directory, as usual

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/cgi-bin/FUZZ -ic -e .sh,.py,.pl
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.56/cgi-bin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .sh .py .pl 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
user.sh                 [Status: 200, Size: 119, Words: 19, Lines: 8, Duration: 98ms]
:: Progress: [81904/81904] :: Job [1/1] :: 427 req/sec :: Duration: [0:07:28] :: Errors: 480 ::

Fuzzing the /cgi-bin/ directory for scripts with the extensions .sh, .py, and .pl finds a single file: /cgi-bin/user.sh

Again, it took much longer, as there appears to be something wrong with either how the web server is configured or my VPN. I kept losing my connection, so several times I had to reset the VPN profile.

/cgi-bin/user.sh

Navigating to the /cgi-bin/user.sh file, I can see the output of the bash script. It seems to be using the uptime command.

Given that it is running a bash script, I can test for the Shellshock vulnerability: [[Shocker_CVE-2014-6271#CVE-2014-6271|CVE-2014-6271]]

Vulnerability

I sent out the test payload, () { :;};, in the User-Agent attribute, and the result confirms code execution. The target application is vulnerable to the [[Shocker_CVE-2014-6271#CVE-2014-6271|Shellshock]] vulnerability.
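From the defender's side, the same probe is easy to spot: mod_cgi copies request headers such as User-Agent and Referer into the script's environment (HTTP_USER_AGENT, HTTP_REFERER), and Shellshock only triggers when such a value begins with the bash function-definition prefix () {. The following added example (my own code, not part of this write-up or the lab) scans Apache combined-format access log lines for that prefix in the User-Agent, Referer and request fields, and flags whether the hit landed on a /cgi-bin/ path. It assumes the default Apache "combined" LogFormat; the sample log lines are constructed, not captured from the target.

```python
"""Scan Apache combined-format access logs for Shellshock (CVE-2014-6271) probes.

Added example, not from the original write-up. Assumes the default Apache
"combined" LogFormat, where a literal double quote inside a header value is
written backslash-escaped, so each quoted field ends at the first unescaped quote.
"""
import re

# One "combined" log line: client, ident, user, [timestamp], "request line",
# status, bytes, "Referer", "User-Agent". Quoted fields allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock abuses bash importing a function definition from any environment
# variable whose value starts with "() {". Whatever follows the closing brace
# is the attacker's choice, so the prefix itself is the signature to alert on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def is_shellshock_probe(value: str) -> bool:
    """True when a header or request value carries a bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_log(text: str):
    """One finding per request whose User-Agent, Referer or request line carries
    the signature; each finding records whether a CGI path was the target."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these separately
        hits = [f for f in ("ua", "referer", "request") if is_shellshock_probe(rec[f])]
        if not hits:
            continue
        # Request line is "METHOD /path HTTP/x.y"; take the path when present.
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        findings.append({
            "ip": rec["ip"],
            "path": path,
            "fields": hits,
            "cgi_target": path.startswith("/cgi-bin/"),
            "status": int(rec["status"]),
        })
    return findings


# Constructed sample log (no real traffic). Line 2 carries the page's test
# payload in User-Agent; line 3 carries it in Referer against a non-CGI path.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "() { :;}; echo probe"
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; echo probe" "curl/7.88.1"
10.0.0.7 - - [10/Mar/2024:12:00:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/7.88.1"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        kind = "CGI" if f["cgi_target"] else "non-CGI"
        print(f"{f['ip']} -> {f['path']} ({kind}) signature in {','.join(f['fields'])} status={f['status']}")
```

Run against the sample it reports two findings from 10.0.0.9, one against /cgi-bin/user.sh and one against a static path; the second still matters as reconnaissance even though a static file never reaches bash. Matching on the prefix rather than on a specific payload is deliberate: the part after () { varies per attacker, but the prefix cannot be omitted, which is also why signature-based IDS rules for this CVE key on it.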