# SHOCKER

## RECON

Carlos:

`nmap -p- --open -sS --min-rate 5000 -Pn -n -vvv 10.10.10.56 -oG ports.gp`

`nmap -p80,2222 -sV --min-rate 5000 -sC -Pn -n -vvv 10.10.10.56 -oN scan.txt`

`whatweb http://10.10.10.56`

`nikto -h http://10.10.10.56`

`dirb http://10.10.10.56` --> cgi-bin/user.sh

marc:

*port 80*

```
whatweb http://10.10.10.56/
> http://10.10.10.56/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.56]
```

```
❯ ffuf -u http://10.10.10.56/cgi-bin/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -c -e '.cgi,.sh' -fs 294 -maxtime-job 60 -recursion -recursion-depth 3
```

## EXPLOITATION

Carlos: https://www.sevenlayers.com/index.php/125-exploiting-shellshock

marc: https://github.com/opsxcq/exploit-CVE-2014-6271

## POST-EXPLOITATION

Carlos: https://gtfobins.github.io/gtfobins/perl/