0day
Shellshock Injection via the User Agent - Kernel Exploit for PrivEsc
Let's start off with an nmap scan, and before that let's add the IP to our hosts file.
Let's enumerate port 80 by finding some hidden directories using dirsearch.
The admin, backup, secret, uploads and cgi-bin directories look interesting. Enumerating backup gives us a private key, but we don't know the user yet, so let's keep it aside.
Since cgi-bin is exposing a .cgi file in our dirsearch results, let's just try to inject a shellshock payload, and to our surprise it returns us a reverse shell :)
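Seen from the defending side, the User-Agent injection described above leaves a recognisable trace in the web server's access log: a header value that begins a bash function definition. The following detector is an added example, not part of the original write-up; it assumes the Apache/nginx combined log format, and the log lines, IP addresses and the example.cgi path are constructed.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
# Header values may contain backslash-escaped quotes, hence the (?:[^"\\]|\\.)* groups.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)

# Shellshock relies on a value that starts a bash function definition: "() {"
# Whitespace between the tokens varies, so match it loosely.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_attempts(lines):
    """Return one record per log line whose request, Referer or User-Agent carries '() {'."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        tainted = [f for f in ("request", "referer", "agent") if FUNC_DEF.search(m.group(f))]
        if not tainted:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else ""
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": path,
            "status": m.group("status"),
            "fields": tainted,
            # CGI targets matter most: that is where headers become environment variables
            "cgi": "/cgi-bin/" in path or path.endswith(".cgi"),
        })
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 0 "-" "() { :; }; <command elided>"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /about HTTP/1.1" 404 0 "(){ :;}; <command elided>" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status against a CGI path deserves the closest look, since that is the combination where the header value reaches bash as an environment variable.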
Tried all the basic PrivEsc vectors to find anything suspicious, but nothing was found.
Lastly, tried the uname -a command to check the kernel version, and it seemed to be vulnerable to the overlayfs kernelsploit.
Quickly downloaded the exp from the DB and transferred it to the box and gained r00t :)
NOTE: If the exploit fails, it’s probably your reverse shell, msfvenom and a Metasploit handler could be of help