Bash Shellshock Vulnerability Exploitation
DISCLAIMER!
This content is intended solely for educational and ethical purposes. This activity is conducted with permission. All activities related to cybersecurity must comply with available regulations. The author (me) is not responsible for any misuse or illegal activities performed using the knowledge shared here. Any actions taken by the readers using this info are at the reader’s own risk.
Shellshock is a family of bugs in the Unix Bash shell that was first discovered 10 years ago, in 2014. It affected the Bash shell on all Linux- and Unix-based operating systems. The vulnerability was patched 10 years ago, but it has a vulnerability score of 9.8 out of 10, showing its serious impact.
Image source: https://en.wikipedia.org/wiki/Shellshock
Preparation
We need to know the IP of the target and of our own system. The IP of my Kali Linux machine is 10.0.2.15. Meanwhile, the target IP is 10.0.2.4.
Exploitation Steps
First, we will scan the target IP using nmap. Below is the result.
There are two open ports: port 22 and port 80. Based on the scan result, the vulnerability is in Apache on port 80. Now, we will exploit it. We first search for the CVE code of the Bash Shellshock vulnerability, which is CVE-2014-6271.
We open msfconsole again to use Metasploit.
Then, we search for the CVE code in Metasploit to see which exploits and auxiliary scanners we can use.
For now, I will try scanning it first using auxiliary/scanner/http/apache_mod_cgi_bash_env. We type use auxiliary/scanner/http/apache_mod_cgi_bash_env.
We then set the parameters for the scanner, starting with the target IP (RHOST), which is 10.0.2.4.
For the TARGETURI, we can find it by typing the IP of the target system into the web browser and then viewing the page source. As I marked with the yellow square below, the path to the CGI script seems to be /cgi-bin/status. We will try setting the TARGETURI to that path.
The scan is successful and we can see the membership of the users. Now, we will try to exploit the system. Going back to the previous search result for the CVE code, we will use exploit/multi/http/apache_mod_cgi_bash_env_exec.
We will configure the payload first. We will use a shell reverse TCP payload. The parameter that we need to set is LHOST, which is our Kali IP (10.0.2.15).
Next, we can use exploit/multi/http/apache_mod_cgi_bash_env_exec. We also set the payload.
We will now set the TARGETURI of the exploit and also the RHOST. After that, we run it.
Now, we have successfully exploited the target and gotten a shell.
Basically, we are already logged in as root based on the result. After everything is done, we exit msfconsole by typing exit.
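Seen from the defender's side, Apache passes request headers to a CGI script as environment variables, so Shellshock requests against a path like /cgi-bin/status carry a header value that begins with a Bash function definition, "() {". The following is an added example, not part of the original post, that flags such values in the Referer and User-Agent fields of Apache combined-format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# A header value that begins with a Bash function definition: "() {"
FUNC_DEF = re.compile(r'^\s*\(\s*\)\s*\{')

def find_shellshock_attempts(lines):
    """Return a finding for every log line whose Referer or User-Agent starts with '() {'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format: skip instead of guessing at fields
        host, when, request, status, referer, agent = m.groups()
        fields = [name for name, value in (("referer", referer), ("agent", agent))
                  if FUNC_DEF.match(value)]
        if fields:
            parts = request.split()
            findings.append({
                "host": host, "time": when, "status": int(status),
                "path": parts[1] if len(parts) >= 2 else "",
                "fields": fields,
            })
    return findings

# Constructed sample log lines (hypothetical, not captured from the lab in the post).
SAMPLE_LOG = [
    '10.0.2.15 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 530 "-" "() { :;}; echo constructed-probe"',
    '10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { ignored; }; echo constructed-probe" "curl/8.0"',
]

if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} -> {f['path']} via {','.join(f['fields'])} (HTTP {f['status']})")
```

The combined format records only the Referer and User-Agent headers, so a function definition sent in any other header will not appear in these logs, and the status code does not show whether the injected command ran. The fix remains updating Bash to a patched version.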