# Shocker
# Enum
- Port 80: Apache/2.4.18
- Port 2222: openssh 7.2p2 ubuntu 4ubuntu2.2 exploit
gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x .php,.sh,.html
we find a user.sh
file at cgi-bin/user.sh
.
Now firing off the script found on [exploit-db] for apache shellshock and adding in the extra path, we get a shell for shelly.
user.txt: 2ec24e11320026d1e70ff3e16695b233
# Privilege escalation
doing a quick sudo -l
let's us see that we can run perl as sudo without password. So we can just simply run perl as sudo and raise privileges.
sudo perl -e 'exec "/bin/bash";'
root.txt: 52c2715605d70c7619030560dc1ca467