[CSL] Shock

Shock is a Linux machine hosted by CyberSecLabs. Start by running an Nmap scan of the machine.

Initial Nmap scan

FTP doesn't allow anonymous login. Moving on to port 80, we find a website. Running Nikto shows that the website is vulnerable to Shellshock.

Nikto output

Fire up Burp Suite, browse to the path reported by Nikto (http://shock.csl/cgi-bin/test.cgi) and intercept the request. Start an nc listener and edit the User-Agent (UA) header as follows to get a reverse shell:

Modifying the UA

Send the request and check your listener. You should have received the connection.

Receiving the reverse connection
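On the defensive side, the same request is easy to spot in web server logs: a CGI handler exports request headers into the environment, and a header that starts with a bash function definition is the tell-tale of a Shellshock attempt. The detector below is an added example, not part of the original write-up; the log lines are constructed and the field names are my own.

```python
import re

# Constructed Apache combined-format access log lines (sample data, not from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"
10.0.0.7 - - [12/Mar/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Mar/2021:10:02:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "(){:;};echo" "curl/7.68.0"
10.0.0.11 - - [12/Mar/2021:10:03:40 +0000] "GET /docs/()%20notes HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash treats an exported string beginning with "() {" as a function definition
# (CVE-2014-6271). Whitespace between the tokens is optional, hence \s*.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def detect_shellshock(log_text):
    """Return one finding per header (Referer or User-Agent) that carries a
    Shellshock-style function definition. Requests to CGI paths are rated high,
    because that is where the web server hands headers to a shell."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these too
        for field in ("referer", "ua"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "field": field,
                    "value": value,
                    "severity": "high" if "/cgi-bin/" in m.group("path") else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['path']} {f['field']}={f['value']!r}")
```

The fourth sample line shows why the pattern is applied to header values only: parentheses in a URL path are not a function definition and must not raise an alert.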

By doing some enumeration you'll come across socat, which can be run as root.

Checking GTFOBins, they list a few ways of abusing socat. The one that interests us is the sudo entry. To privesc, run sudo socat stdin exec:/bin/sh to spawn a privileged shell.

Spawning a privileged shell

Hope you enjoyed doing this box and you’ve learned something.