Inspection of the web application revealed /cgi-bin/cat, which indicated it could be vulnerable to Shellshock.
The Shellshock exploit was used to execute remote commands on the target system; however, neither a reverse shell nor a bind shell was possible due to restrictive ingress and egress firewall rules. This made for a painful local enumeration of the system via Burp Suite.
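A defender-side view of the requests described above, as an added example that is not part of the original write-up: it scans Apache access log lines for the `() {` function-definition prefix that Shellshock payloads carry in request headers. The log lines, addresses and timestamps are constructed, and the "combined" log format is an assumption about the web server's configuration.

```python
import re

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# A vulnerable bash imports a function from any environment value that
# begins with "() {"; CGI copies request headers into the environment.
FUNC_DEF = re.compile(r'\(\)\s*\{')

# Constructed sample log lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2015:10:03:17 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 87 "-" "() { :;}; echo probe"',
    '192.0.2.44 - - [12/Mar/2015:10:03:40 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 301 "() { :; }; echo probe" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2015:10:05:00 +0000] "GET /cgi-bin/cat HTTP/1.1" 200 64 "-" "curl/7.40.0"',
]

def find_shellshock_attempts(lines):
    """Return one record per log line whose logged fields carry '() {'."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        fields = [f for f in ("path", "referer", "agent")
                  if FUNC_DEF.search(m.group(f))]
        if fields:
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "fields": fields,
                # A 200 on a CGI path means the script ran with that header set.
                "cgi": m.group("path").startswith("/cgi-bin/"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a payload carried in any other header does not appear in this log and needs a different source, such as a proxy or WAF log.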
Identify Current User
Shellshock home dir perms
Shellshock files owned by user bynarr
The file /tmp/stats appeared to get updated every few minutes, indicating a cronjob could be running.
Shellshock mail spool readable
The above disclosed bynarr's passwords and the outbound port 51242 rule for the user.
The following shellshock payload was sent using Burp Suite:
The cronjob called the .profile file and executed its contents.
A reverse shell was successfully spawned as the user bynarr.
The following disclosed that several bash environment variables were permitted when the user bynarr ran commands with sudo permissions.
Shellshock Local Privilege Escalation
The following shellshock payload was crafted to successfully escalate permissions to root: