Friday, June 10, 2016

SickOs Shellshock Walkthrough

In this article I will walk you through the steps I took to exploit the SickOS challenge machine, reach the file containing the flag, and solve the challenge.

First of all, I ran an nmap scan to see which services were reachable on the machine.



As you can see, only ports 22 and 3128 are open. Since 3128 is the Squid proxy port, I pointed nikto through that proxy to see what is behind it.




Ignoring the bulk of the output and focusing on the Shellshock finding, you can see that /cgi-bin/status appears to be vulnerable to Shellshock.

In this walkthrough I exploit Shellshock differently from the other write-ups you can find online: I simplify the attack by using Metasploit to gain root access through the dhclient Bash environment variable injection module that ships with the framework,
as described in the original module post by Rapid7:

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.

Let's start postgresql:


Then start the Metasploit framework:


Select the module exploit/unix/dhcp/bash_environment and set the appropriate DHCP options, as shown below.


Then start the attack by issuing the exploit command.


The injection has happened, and in a moment we get a shell with root privileges. What remains is simply to interact with the session, check the shell's privileges, and cat the flag file. With that, the challenge is solved.
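The module above delivers its payload inside DHCP option values (hostname, domain name, URL) that dhclient exports to its hook scripts as environment variables, where a vulnerable Bash imports any value starting with `() {` as a function. The following detector is an added example, not code from the walkthrough or from Metasploit: it parses the option TLVs of a raw DHCP message and flags options carrying that function-import prefix. The sample packets (`BENIGN`, `SUSPECT`) are constructed here; the option names are the standard IANA assignments.

```python
import re

# BOOTP fixed header (236 bytes) is followed by this cookie, then TLV options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option codes the dhclient Shellshock vector abuses (IANA assignments).
OPTION_NAMES = {12: "host-name", 15: "domain-name", 114: "url"}
# Pre-fix Bash imported any environment variable whose value starts "() {".
FUNCTION_PREFIX = re.compile(rb"^\s*\(\)\s*\{")


def parse_dhcp_options(packet):
    """Return {option_code: value} from a raw DHCP message, validating
    the magic cookie and every TLV length so truncated data is rejected."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # end marker
            break
        if code == 0:              # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def find_shellshock_options(packet):
    """List (code, name, value) for options whose value would be imported
    as a Bash function definition if exported into a vulnerable shell."""
    hits = []
    for code, value in parse_dhcp_options(packet).items():
        if FUNCTION_PREFIX.match(value):
            name = OPTION_NAMES.get(code, "option-%d" % code)
            hits.append((code, name, value.decode("latin-1")))
    return hits


def build_dhcp_reply(options):
    """Constructed test helper: zeroed fixed header + cookie + TLVs + end."""
    body = b"".join(bytes([code, len(v)]) + v for code, v in options)
    return bytes(236) + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: a normal DHCPOFFER and one carrying the Shellshock prefix.
BENIGN = build_dhcp_reply([(53, b"\x02"), (12, b"sickos"), (15, b"lab.local")])
SUSPECT = build_dhcp_reply([(53, b"\x02"), (12, b"() { :;}; echo marker"), (15, b"lab.local")])
```

Feeding captured DHCP server replies through `find_shellshock_options` gives a network-side check independent of whether the client's Bash has been patched.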



