TryHackMe | Oh My Webserver Writeup

Introduction

Hello everyone! Hope you’re doing well and hacking away. I’ve been doing my share of CTFs and such, but admittedly haven’t taken the time to post much on here lately. Today I’ll be walking you through how I completed one of my more recent CTFs from TryHackMe. Oh My Webserver is a recently released, medium-level room hosted HERE. Completing this room is a relatively straightforward task as long as you do your due diligence and enumerate properly. Now let’s get into it!

Initial Scans and Enumeration

Let’s kick this off with a port scan of the target IP. You can use any port scanner you want, but I personally like using Rustscan for CTFs because of its speed (it hands the open ports to nmap for service detection, which is where the details below come from). The scan tells us that port 22 (SSH) and port 80 (HTTP) are open on the target machine. Always read the scan output thoroughly and fully understand the details; you’ll see why I mention this in just a bit. We can visit the website hosted at the IP address and try to enumerate it, but it ultimately leads nowhere: no interesting subdirectories, no subdomains, no XSS, nothing.

What we do have is the version of the Apache server software. The port scan tells us the target is running Apache 2.4.49; this is found in the “http-server-header” line under the port 80 results. From here we can google “Apache 2.4.49 CVE” to see whether any CVEs (Common Vulnerabilities and Exposures) are associated with it. Lucky for us, Apache 2.4.49 is affected by two: CVE-2021-41773, a path-normalization flaw that allows path traversal out of an exposed alias such as /cgi-bin and that becomes remote code execution when mod_cgi is enabled; and CVE-2021-42013, the bypass of the incomplete fix shipped in 2.4.50, which affects both 2.4.49 and 2.4.50. Either one only works against directories that are not protected by a “require all denied” rule, which is why the /cgi-bin alias is the usual target. In another stroke of luck, there is a Metasploit module that exploits both CVEs!

Exploitation

We can fire up Metasploit and search for “Apache 2.4.49”. This presents us with a module named “exploit/multi/http/apache_normalize_path_rce”. Select it with “use” followed by its number in the search results; in my case the module was in the number 1 spot, so I entered “use 1” (using the full module path instead of the number also works and does not depend on the search ordering). Now run “options” to list all of the options and their explanations. We need to set “RHOSTS” to the IP address of our target, “RPORT” to 80, “CVE” to CVE-2021-41773 (the one that matches 2.4.49), and “LHOST” to our IP address, and leave “TARGETURI” pointing at the /cgi-bin alias, which is the directory the traversal walks out of.

Metasploit module settings

Once we’ve set those options to the correct values, the module is ready for action. We can issue either “run” or “exploit” to Metasploit, and we will have a shell on the target in just a short time. It quickly becomes apparent that our shell resides in a Docker container because of the “.dockerenv” file in the root of the filesystem: the Docker runtime creates it in every container, and a listing of / shows it.

.dockerenv file in directory listing

Container Privilege Escalation and User Flag

Getting root privileges within the Docker container is relatively simple. All we need to do is check the file capabilities of the binaries in the container with “getcap -r / 2>/dev/null”. The output shows that python3.7 carries cap_setuid, which lets the interpreter call setuid(0) and then spawn a shell that is already root. One of my favorite websites to use when hacking, GTFOBins, tells us everything we need to know in order to exploit this capability; look under the “Capabilities” entry for python. Link: https://gtfobins.github.io/gtfobins/python/
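Added example (not from the original post): a small script that reports the container indicators mentioned above and parses getcap output to flag capabilities that GTFOBins-style techniques turn into root. The sample getcap output is constructed, and the table of dangerous capabilities is an illustrative subset rather than a complete list.

```python
import os
import re

# Capabilities that hand a local attacker root, with the technique to use.
# Assumption: an illustrative subset of what GTFOBins documents, not the full set.
DANGEROUS_CAPS = {
    "cap_setuid": "setuid(0) then exec a shell, e.g. python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'",
    "cap_setgid": "setgid(0) to join the root group and read group-readable secrets",
    "cap_dac_read_search": "bypass read checks: /etc/shadow, or host files via open_by_handle_at",
    "cap_dac_override": "bypass write checks: edit /etc/passwd or /etc/sudoers",
    "cap_sys_admin": "mount(), cgroup release_agent and other host-reaching tricks",
    "cap_sys_ptrace": "attach to and inject into a root-owned process",
    "cap_sys_module": "load a kernel module into the shared host kernel",
}


def cgroup_looks_containerized(cgroup_text):
    """Heuristic on /proc/1/cgroup contents (cgroup v1; v2 usually just shows '0::/')."""
    return re.search(r"/(docker|containerd|kubepods|lxc|podman)\b", cgroup_text) is not None


def container_indicators(root="/"):
    """Return the evidence that we are inside a container (empty list if none found)."""
    hits = []
    if os.path.isfile(os.path.join(root, ".dockerenv")):
        hits.append("/.dockerenv exists (created by the Docker runtime)")
    try:
        with open(os.path.join(root, "proc/1/cgroup")) as fh:
            if cgroup_looks_containerized(fh.read()):
                hits.append("/proc/1/cgroup names a container runtime")
    except OSError:
        pass
    return hits


def parse_getcap(output):
    """Parse `getcap -r / 2>/dev/null` output into {path: [capability names]}.

    Handles both libcap formats: '/usr/bin/python3.7 = cap_setuid+ep' (older)
    and '/usr/bin/python3.7 cap_setuid=ep' (libcap 2.41 and later). Paths that
    themselves contain spaces are not handled.
    """
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")
        names = []
        for group in rest.split():                      # e.g. 'cap_net_admin,cap_net_raw+ep'
            caps_part = re.split(r"[+=]", group)[0]     # drop the +ep / =ep flag suffix
            names.extend(c for c in caps_part.split(",") if c)
        result[path] = names
    return result


def dangerous_binaries(getcap_output):
    """Return [(path, capability, technique)] for every escalation-worthy capability."""
    findings = []
    for path, caps in parse_getcap(getcap_output).items():
        for cap in caps:
            if cap in DANGEROUS_CAPS:
                findings.append((path, cap, DANGEROUS_CAPS[cap]))
    return findings


# Constructed sample, shaped like the getcap output described in the writeup.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""


if __name__ == "__main__":
    import subprocess
    print("container indicators:", container_indicators() or "none")
    try:
        output = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        print("getcap not installed here; showing the constructed sample instead")
        output = SAMPLE_GETCAP
    for path, cap, how in dangerous_binaries(output):
        print(f"{path}: {cap} -> {how}")
```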

Once we have the root privileges within the docker container, we can retrieve the user flag.

Retrieving user flag

Root Flag

So now we need to break out of the Docker container and gain root privileges on the host system. The first thing I did was run “ifconfig” to see the IP address of the container, which was 172.17.0.2. From completing previous CTFs involving Docker containers, I remembered that 172.17.0.0/16 is the default subnet of Docker’s docker0 bridge. In that default configuration the host itself holds 172.17.0.1 on the bridge, and containers reach the host and each other through it, so any service the host has bound to all interfaces (or to the bridge address) is reachable from inside the container at 172.17.0.1.

From here, we can upload nmap to the target (a static binary, since the container will not have it) and scan 172.17.0.1 to see what is listening on the host and whether we can exploit any of it. The nmap output reveals four ports, with port 5986 being the most interesting for us. Some googling tells us that 5986 is the WS-Management over HTTPS port, best known from WinRM (Windows Remote Management); on a Linux host it means OMI. OMI (Open Management Infrastructure) is the WS-Man/CIM server that Azure’s Linux VM management extensions install, and it runs as root. After another google search for “Port 5986 CVE”, I found this article, which does a great job of explaining how attackers can exploit four vulnerabilities in OMI (the “OMIGOD” set disclosed in September 2021). The one we want is CVE-2021-38647: a request to the WS-Man endpoint that simply omits the Authorization header is executed as root, with no authentication at all. Because OMI runs on the host rather than in the container, this gives us command execution as root on the host, not just in the container. There is a simple Python script we can use to exploit CVE-2021-38647 here. All we need to do is download the script to our local machine, serve it to the target with Python’s built-in http.server module, then run it from inside the container against 172.17.0.1. Follow the directions on the GitHub page, and we will have the ability to run commands with root privileges on the host.

Firing up python webserver to serve exploit python script to target

Downloading exploit python script to target machine

With the ability to run commands with root privileges, we can simply read the root flag as shown in the screenshot below.

Retrieving root flag

Conclusion

In conclusion, I thought this was a really fun CTF. I certainly learned a couple of things, specifically the CVEs affecting Apache 2.4.49 and how to exploit them, as well as the OMI vulnerabilities on Azure Linux VMs. The key takeaway here is that if you are responsible for public-facing assets such as webservers, you need to stay aware of exactly what services and software you are running, including agents a cloud platform installs for you, such as OMI, that you may not realize are listening, as well as any new vulnerabilities in those services/software. Exploiting known vulnerabilities on unpatched targets is a tried and true tactic used by attackers to achieve their objectives. PATCH, PATCH, PATCH!

I hope you enjoyed this writeup and got some value from it, and I hope you come back to read some more writeups/blog posts in the future as well. If you did enjoy this post, it would be greatly appreciated if you shared it with your friends and connections on facebook, twitter, linkedin, etc. Thank you!
