
Shellshock Injection via the User Agent - Kernel Exploit for PrivEsc

Initial Enumeration

  • Let's start off with an nmap scan, but before that let's add the IP to our hosts file

  • Let's enumerate port 80 by finding hidden directories with dirsearch

  • The admin, backup, secret, uploads and cgi-bin directories look interesting. Enumerating backup gives us a private key, but we don't know the user yet, so let's keep it aside

  • Since cgi-bin exposes a .cgi file in our dirsearch results, let's try injecting a Shellshock payload into the User-Agent header, and to our surprise it returns a reverse shell :)
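
From the defender's side, the same request leaves a clear trace in the web server access log. As an added example (not part of the original writeup), here is a small Python scanner that flags the Shellshock function-definition pattern in the User-Agent or Referer of combined-format log lines and rates hits against /cgi-bin/ as high risk; the log lines are constructed samples, not from any real host.

```python
import re
from typing import Dict, List, Optional

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock signature: a bash function definition "() {" placed in a header
# value, which a vulnerable bash evaluates when the CGI handler exports it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log lines (made up for this example).
SAMPLE_LOG = '''\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { ignored; }; echo vulnerable" "curl/7.68.0"
10.0.0.8 - - [10/Oct/2023:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "(){ :;}; echo probe"
'''


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request whose User-Agent or Referer carries the
    Shellshock pattern. Requests aimed at /cgi-bin/ are rated high risk because
    that is where the header value reaches a bash-backed handler."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit_fields = [f for f in ("ua", "referer") if SHELLSHOCK_RE.search(rec[f])]
        if not hit_fields:
            continue
        findings.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
            "field": ",".join(hit_fields),
            "risk": "high" if rec["path"].startswith("/cgi-bin/") else "medium",
        })
    return findings
```

Calling `find_shellshock(SAMPLE_LOG)` returns three findings; the 500 response on the cgi-bin hit is the kind of detail worth correlating with a process-creation alert on the host.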

Privilege Escalation

  • Tried all the basic PrivEsc vectors to find anything suspicious - but nothing was found

  • Lastly tried the uname -a command to check the kernel version, and it seemed to be vulnerable to the overlayfs kernel exploit

  • Quickly downloaded the exp from the DB and transferred it to the box and gained r00t :)

NOTE: If the exploit fails, it's probably your reverse shell; a payload generated with msfvenom and a Metasploit handler could help
