/cgi-bin is definitely something we want to check out. This is a directory where sysadmins can place scripts to be executed. That means we could find PHP, Python, Bash, etc. scripts in here that we could abuse. Let's dig deeper into this directory with another gobuster scan, this time with a more extensive extension check.

user.sh
we get the following:

cgi-bin directory, and the name is shocker
Shellshock is a good bet. We can test this by adding a malicious HTTP header with curl and executing a reverse shell:

user.txt flag. Now time for some privesc.

sudo -l to see if our current user has sudo access without specifying a password. Lo and behold, we strike gold:

/bin/bash process as the root user and obtain the root flag:
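
From the defender's side, the Shellshock header test described above leaves a recognisable trace in web server logs. The following is an added example, not part of the original writeup: it scans access log lines for header values that start with the Bash function-definition prefix and marks hits against CGI paths. It assumes Apache Combined Log Format (so only Referer and User-Agent are visible), and the sample lines and field names are constructed for illustration.

```python
import re

# Combined Log Format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# A vulnerable Bash treats an environment value beginning with "() {" as a
# function definition; CGI copies request headers into the environment.
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')
# Paths likely to be handled by a CGI script (assumed layout).
CGI_PATH = re.compile(r'^/cgi-bin/|\.(?:sh|cgi|pl)(?:\?|$)')

def scan(lines):
    """Return one finding per log line whose logged headers carry the prefix."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        headers = [h for h in ("referer", "agent") if FUNC_PREFIX.match(m[h])]
        if headers:
            findings.append({
                "line": number,
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "headers": headers,
                # A hit on a CGI path deserves priority: the header actually
                # reached a script interpreter's environment.
                "cgi": bool(CGI_PATH.search(m["path"])),
            })
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/echo probe"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /about HTTP/1.1" 404 0 "() { :;}; echo probe" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Headers outside Referer and User-Agent (Cookie, custom headers) only show up if the log format is extended to record them.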