Shocker - Initial Foothold

Hi All
I read 2 posts about this machine to get an initial foothold, but so far I have tried dirb/dirsearch and wfuzz and it seems like I found only one directory, which is common on the web: cgi-bin. I tried to search for additional files with extensions, as people are talking about, but I couldn’t find anything. As per the machine name Shocker, I know the machine is vulnerable to RCE, but it seems like I am missing a piece of information. Is there anyone who can nudge me in the right direction?

Thanks

You are going in the right direction. It’s not really important which software you are using. Think about which extension is useful.

Same boat. I’ve run dirb’s big.txt with three obviously useful extensions for a cgi directory and have come up dry. I also, in a last-ditch effort, ran wfuzz on cgi-bin/ with dirb’s big.txt wordlist as the file base, and dirb’s extensions_common.txt to iterate through the possible extensions with the addition of the pm extension, to no avail. Outside of the three, maybe 4 obvious extensions, I haven’t found anything useful. I did find one ‘script’, but it just says “Just an uptime test script” as output; it doesn’t actually appear to be a script.

@kophjager263 You’re on the right track! Research what CGI scripts actually are and what they’re vulnerable to

@Simsor I’m assuming this has something to do with the base file name not being in my wordlist. I’m familiar with CGI and have enumerated all possible extensions along with basically every other type of extension (if you’re familiar with extensions_common.txt from dirb… it’s got quite a few…). At this point I’m assuming the actual vulnerable component is probably some iteration of the vulnerability, but I could be off track there. Just to give you an idea of using dirb wordlists big.txt with extensions_common.txt (adding a few in there of my own), we’re talking roughly 1.2M requests…

@Simsor said:
@kophjager263 You’re on the right track! Research what CGI scripts actually are and what they’re vulnerable to

I find it interesting that it sounds like most people got this enumerating with the common.txt wordlist from dirb. Clearly I’m missing something in my wordlist or I’m not getting the right extensions. Without spoiling anything, I’ve tried 3 very obvious extensions that I’ve seen before in cgi-bin/, and I’ve iterated on a few base filenames containing the obvious vulnerability (or at least obvious to me based on the machine name). Thanks for the hints ~ I’ll keep enumerating to see what I can come up with. I have a feeling this will be one of those boxes where I figure it out then smash my face in a drawer with how simple it probably is.

OK, well, I feel like an idiot. I downloaded that one “thing” I eventually enumerated and saw it wasn’t much more than output. Definitely overthought that one way too much LOL.

It took me a while to realize something simple.

Yeah, right, eventually. I was overthinking but managed to own the machine.

Two days later and I’m still enumerating. I guess there’s only one thing left to do: enumerate some more. Any further hints would be appreciated.

@scando said:
Two days later and I’m still enumerating. I guess there’s only one thing left to do: enumerate some more. Any further hints would be appreciated.

Try Dirbuster with a changed extension ;) You’ll find something juicy.