Sokar is the first Vulnhub competition by Rasta Mouse. As usual, you have to reach the flag of this boot2root machine. Link for the Sokar Virtual Machine: The first thing, of course, is to find Sokar's IP address. It seems we have some internal stats here. The most interesting part of the stats is that we have an x64 system. Let's spoof the User-Agent with the Shellshock payload. The system enumeration continued, and after I tried some reverse shell and bind shell payloads with no luck, I wanted to check what is loaded at system boot.
Hmm, I can see iptables and crond. Sokar is strictly firewalled for both incoming and outgoing connections. The next step is to check the home directories of apophis and bynarr.
Due to permissions, we only have access to bynarr's home directory. That means that if I find a program that is running as the bynarr user and isn't executed with its absolute path, I can create a fake program inside bynarr's home directory that will run with bynarr's privileges. That's a no-no for the current shell because it isn't interactive. After some time searching for clues in order to get an interactive shell, I found an email sent to bynarr by the root user. It says that outgoing connections on a certain port are allowed as the bynarr user.
The commands aren't using absolute paths. That could be a serious security risk, as the cat program is owned by root. It seems that the PATH environment variable is set, and it can't be exploited that way. If a cross-check is done between the stats output on that port and the cat program, two commands are missing from the cat program.
That means that the netstat and iostat programs are being run as bynarr. The machine is very well firewalled, but root emailed bynarr that outgoing traffic on a certain port is permitted from his account. If the same coding pattern is used, running commands with relative paths, we can exploit it and get a reverse shell as the bynarr user.
A netcat listener is set up in one shell: nc -l -p. The netstat command didn't work for the reverse shell on that port. Execute permission is given to the iostat file in order for it to be run.
Now we have to wait at most 1 minute to have our reverse shell. In order to transfer the dump to the attacker's PC for further investigation, Shellshock can be used. The first thing one should try to get from a memory dump is password hashes. The hash algorithm that is used in CentOS is a SHA variant. Let's crack that hash! I will use rockyou.
In the hashcat configuration there is a mode number for sha. Let's check the build program for reversing protections. The binary is very well protected. Further binary analysis of that function should take place on the local system. I gave executable permission to the binary and put a breakpoint at the end of the encryptDecrypt function in order to see the result of the function in memory. An idea came to my mind. What if I spoofed the address resolution to point to my own nameserver? By now, I have a vulnerable git version and a world-writable resolv file.
With them I am able to direct the requests to my machine as I wish. But one little piece is missing. For the CVE to be exploitable, a case-insensitive filesystem is required. On the local machine I should add the name resolution and run dnsmasq for the changes to take effect on the local DNS server.
The next step is to prepare the git payload on the local system. Then, the payload will be located in. I am choosing the post-checkout file because it is a client-side hook and it is triggered by the git clone command, in order to run a custom script exploit on Sokar.
The script will be run as root since the build program runs the git clone command as root. It was a great learning experience for me. Thanks Vulnhub and Rasta Mouse for providing such challenges! After completing the challenge, I added one more challenge for myself: automating the whole process of becoming root with the fewest dependencies. Of course, I chose the Python scripting language to accomplish the challenge.
The script can be found in https:
One important thing it can't do is read or write to your files, or run UNIX commands. The program reads inputs from the keyboard, which are provided by the server -- they are really coming from the browser; it can read files, can write to files, for example to record the number of "hits", and so on. The web page it prints to the screen is automatically sent to the browser.
Put another way, if I go to www. If I go to www. Either way, my browser gets something it can display. In general, cgi-bin should be world readable and executable, but thing needs only to be user executable. On the cs system, cgi-bin and the programs need to be rwx--x--x. Other settings may work, but this does for sure.
If it sees a. With cgi, we have to send that ourselves. One way to see this is to change html to plain in the script above. If we aim some browsers at it, it will print the tags; IE will display anything with html tags as html. Firefox displays it how we say to.
Change it back to html and it will render the tags. If the least letter is wrong, or if the blank second line is missing, you get a big, fat Internal Server Error.
The server encountered an internal error or misconfiguration and was unable to complete your request. Error messages from your code are not sent as part of the page. Recall they aren't sent through pipes, either. Only "standard output" is sent. If you want the error messages saved, one trick is to redirect to a file: This says to redirect errors to Standard Output, which means they get sent as part of the page.
A cgi-script can be a normal HREF: As usual, the server sees it is in cgi-bin, so it runs it instead of merely reading it. The cooler way is to make it be part of a submit button. Each form should have an action tag and a method tag. The action tag is just a boring URL, like in an href, for where to go when a submit button in that form is clicked. No matter how, it loads the page at action, the same as clicking on a hyperlink.
If the location is in a cgi-bin, which it usually is, the server will do the usual thing: When a web page is submitted, the browser collects the information on all forms and sends it as input to the program in the form's action; if it isn't a program, it ignores the input. This is controlled by the method tag. When a form is submitted, information from that form is encoded.
This doesn't go anywhere, but before not doing that, the browser encodes the contents of the forms and puts it after a question mark. Type a few things in, submit and read the URL bar to see. There are two methods for sending input. The POST method sends it as standard input to the server and on to your program. Either way, the encoding is what was described above.
You can go back to that page anytime, but the "page" is really a program, which won't have the same form input as when you went there before. Type env when you are logged in, then add the line env to a cgi-script to get an idea what these do. Input I got from the form was: That should be very familiar. When your server sees the? The advantage is that you can bookmark these -- it will rerun the program with the same input it got from the form.
You can type a URL with your own input on the end, which means your cgi-programs should check for bad input. A disadvantage is the input has to be at the end of the URL, which means it shouldn't be too long. The cool part about all this is you can run and test cgi-programs independently of a browser.
For GET, just set the environment yourself: Look at the output on the screen. Testing it on the web is a pain, since you only get a very unhelpful "server error" message. I want a web page which will let me pick one letter of the alphabet, and display all files in the cs home directory with that letter. I could make a web page with a pull-down menu for a-z, but what if I want to only list letters that are in some filenames?
A problem is that I have to use the back button to pick another letter, and it won't handle selecting 'a' -- it starts on 'a' and onchange won't trigger unless I select something different from what was there. I can fix these by combining the two into one. If there was any input it does step 2 -- lists those files. The submit reruns itself but with different input:
One of the files, maybe gone by now, was "Junk Email", with a space.
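The combined letter-picker, as an added Python example rather than the tutorial's own script: it reads form input both ways the text describes (QUERY_STRING for GET, standard input for POST), accepts nothing but a single lowercase letter before using it, escapes filenames on output, and lists the directory named by the assumed LIST_DIR variable, with the form's action taken from SCRIPT_NAME.

```python
import html
import os
import re
import sys
from urllib.parse import parse_qs

# Added example, not the tutorial's own script: the combined letter-picker as one
# CGI program. Input arrives as the text explains (GET via QUERY_STRING, POST via
# stdin), the "letter" field is checked before use, and only present letters are offered.

def read_form_input(environ, stdin):
    """Decode the browser's form encoding into a dict of single values."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        raw = stdin.read(int(environ.get("CONTENT_LENGTH") or 0))
    else:
        raw = environ.get("QUERY_STRING", "")
    # parse_qs turns "+" and %XX back into the typed characters ("Junk+Email")
    return {k: v[0] for k, v in parse_qs(raw).items()}

def pick_letter(fields):
    """Accept only one lowercase letter; anything else counts as no input."""
    value = fields.get("letter", "")
    return value if re.fullmatch(r"[a-z]", value) else None

def letters_present(names):
    """Letters worth offering: only those that some filename starts with."""
    return sorted({n[0].lower() for n in names if n and n[0].isalpha()})

def files_starting_with(letter, names):
    return sorted(n for n in names if n.lower().startswith(letter))

def build_page(fields, names, script_url):
    """Step 1 with no input: the menu. Step 2 with input: the file list too."""
    letter = pick_letter(fields)
    lines = ["Content-type: text/html", ""]  # the header, then the required blank line
    lines.append('<html><body><form action="%s" method="get">' % html.escape(script_url))
    # a "pick one" entry first, so that choosing 'a' also fires onchange
    lines.append('<select name="letter" onchange="this.form.submit()"><option value="">pick a letter</option>')
    for c in letters_present(names):
        lines.append('<option value="%s"%s>%s</option>' % (c, " selected" if c == letter else "", c))
    lines.append("</select></form>")
    if letter:  # filenames are untrusted text inside HTML, so escape them
        lines.append("<ul>" + "".join("<li>%s</li>" % html.escape(n) for n in files_starting_with(letter, names)) + "</ul>")
    lines.append("</body></html>")
    return "\n".join(lines)

if __name__ == "__main__":
    # Run by the web server, or by hand: QUERY_STRING=letter=j python3 picker.py
    fields = read_form_input(os.environ, sys.stdin)
    print(build_page(fields, os.listdir(os.environ.get("LIST_DIR", ".")), os.environ.get("SCRIPT_NAME", "")))
```

Running it from a shell with QUERY_STRING set, as the text suggests, prints the header, the blank line and the page, which is exactly what the server would forward to the browser.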