LetsDefend: Shellshock Attack — WriteUp
What is a Shellshock attack?
Shellshock is the common name for a coding vulnerability in the Bash shell that affects Unix-based operating systems, including Linux and Mac OS X, and allows attackers to remotely gain complete control of a system.
Now let's get into the challenge. First, open the pcap file.
Initial Assessment:
→ 3 IP addresses: {10.246.50.4, 10.246.50.4, 10.246.50.6}
→ 2 ICMP packets, 2 HTTP packets; the rest are SSH packets.
Question 1: What is the server operating system?
First we need to find the server.
I noticed there was an HTTP packet (packet no. 15) with a 500 Internal Server Error (remember: if you see an Internal Server Error, check the response with a proxy, because there is a chance it contains some juicy info like the server name, its version, the operating system, etc.).
So I went to check this packet, and guess what?
Found the juicy data! (Server IP: 10.246.50.6)
Question 2: What is the application server and version running on the target system?
There was no need to check any other packet; the packet above contains the answer to this one too.
Question 3: What is the exact command that the attacker wants to run on the target server?
For this we need to know what exactly made the server throw the 500 Internal Server Error. (Attacker IP: 10.246.50.2)
Let's check packet no. 11.
The attacker was requesting a file on the server named 'explitable.cgi', and the next thing I noticed in the request was that the User-Agent value looked suspicious: it was the exact command he ran on the server, and it was executed completely.
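To show the two checks the write-up performs (pulling the Server banner out of the 500 response for questions 1 and 2, and spotting the command smuggled through the User-Agent header for question 3) in a repeatable way, here is an added Python example that is not part of the original write-up or the LetsDefend lab. The HTTP request and response it parses are constructed samples: the CGI path, the banner `Apache/2.4.99 (ExampleOS)` and the command `/usr/bin/id` are assumptions for illustration, not the values from the challenge pcap.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic modelled on the two HTTP packets the write-up
# describes: a request to a CGI script and the server's 500 reply.
# All values below are assumptions for this example, not the lab's data.
SAMPLE_REQUEST = (
    "GET /cgi-bin/exploitable.cgi HTTP/1.1\r\n"
    "Host: 10.246.50.6\r\n"
    "User-Agent: () { :; }; /usr/bin/id\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.99 (ExampleOS)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Internal Server Error</body></html>"
)

# A Shellshock payload is an exported bash function definition "() { ... };"
# followed by the command that vulnerable bash versions execute when the
# environment variable (here, the CGI's HTTP_USER_AGENT) is imported.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")

# Server banners usually look like "Product/version (OS comment)".
BANNER_RE = re.compile(r"^(?P<product>[^/\s]+)/(?P<version>\S+)(?:\s*\((?P<os>[^)]*)\))?")


def parse_http(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_shellshock(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, embedded command) for every header carrying a payload."""
    hits = []
    for name, value in headers.items():
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append((name, match.group("cmd").strip()))
    return hits


def server_banner(response: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract product, version and OS comment from the Server header, if present."""
    _, headers, _ = parse_http(response)
    banner = headers.get("server")
    if banner is None:
        return None
    match = BANNER_RE.match(banner)
    if match is None:
        return {"product": banner, "version": None, "os": None}
    return match.groupdict()


def analyse(request: str, response: str) -> Dict[str, object]:
    """Combine both checks into one report for a request/response pair."""
    _, req_headers, _ = parse_http(request)
    status_line, _, _ = parse_http(response)
    return {
        "status": int(status_line.split()[1]),
        "server": server_banner(response),
        "shellshock": find_shellshock(req_headers),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(f"status: {report['status']}")
    print(f"server: {report['server']}")
    for header, cmd in report["shellshock"]:
        print(f"shellshock payload in {header}: runs {cmd!r}")
```

The same two functions can be run over every HTTP request/response pair exported from a pcap (for example with `tshark -Y http -T fields`), which turns the manual "check the 500 and look at the User-Agent" step into a detection you can apply to a whole capture.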
________________________________________________________________________________
Thank You!