This is the write-up for the room named 0day on TryHackMe.
The room can be found here: https://tryhackme.com/room/0day
Details given:
Exploit Ubuntu, like a Turtle in a Hurricane. Root my secure Website, take a step into the history of hacking.
What is required?:
user.txt and root.txt
Enumeration
NMAP:
As always, let's start by scanning the target at the IP given:
nmap -sC -sV 10.10.119.34
We have port 22 (SSH) and port 80 (web) open with the above versions. Let's enumerate port 80 further using Nikto.
NIKTO:
nikto -h 10.10.119.34
The above Nikto scan reveals that this box is vulnerable to Shellshock. This is a very famous bug in Bash, and according to Wikipedia (https://en.wikipedia.org/wiki/Shellshock_(software_bug)):
Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
The Nikto scan also revealed a few interesting web directories such as /admin, /backup and /secret. Let's keep those in mind; if required, we can come back to these directories later for further enumeration.
We can use cURL to enumerate further and test whether the target is actually vulnerable to Shellshock.
SHELLSHOCK:
curl http://10.10.119.34/cgi-bin/test.cgi -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"
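From the defender's side, a request like the one above leaves its payload in the web server's access log. The following is an added example (not part of the original write-up) that scans Apache combined-format log lines for Referer or User-Agent values that start with a Bash function definition; the function name, sample log lines, timestamps and client IPs are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# Apache escapes embedded quotes as \" so the quoted fields allow backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

# Vulnerable Bash imported an environment value as a function when it started
# with "() {". Anchoring at the start avoids flagging ordinary text that merely
# contains "() {"; the whitespace handling is looser than Bash's own check.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')

def find_shellshock_attempts(lines):
    """Return one record per logged header value that starts with a function definition."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        host, when, request, status, referer, agent = m.groups()
        for name, value in (("Referer", referer), ("User-Agent", agent)):
            if FUNC_PREFIX.match(value):
                hits.append({"line": lineno, "client": host, "time": when,
                             "request": request, "status": int(status), "header": name})
    return hits

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 3025 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 62 '
    '"() { test;}; echo \'Content-Type: text/plain\'; echo; echo; /usr/bin/id; exit" "curl/7.68.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 512 '
    '"http://example.test/docs?q=main() {}" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 '
    '"-" "() { :; }; echo probe"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a payload carried in any other header will not appear unless the server's LogFormat is extended to log it.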