Let’s take a look at the Oh My WebServer CTF on TryHackMe Created by @tinyb0y.
The first step of my enumeration was a scan with nmap. by the command:
sudo nmap 10.10.155.74 -Pn -sV
The “Nmap Output” displayed
2 service running under port 22 and 80.
I next decided to run a Dirsearch scan on the webserver to see if there were any interesting hidden directories, by the command:
I didn't found any thing special even with other wordlists.
Now let’s look for exploits that we can use against Apache version 2.4.49.
searchsploit Apache 2.4.49
The Output displayed that there's Path Traversal and RCE: Remote Code Execution:
So let’s start the exploit:
With the result of the last example we can now send a reverse shell. And it successfully did a RCE and uploaded a shell on the host. And I set up my netcat listener on port 4444:
/ directory. I notice a file called
.dockerenv. That indicates that we are in a docker container :
So We must escape this docker container. When I was exploring some directories I run into the temporary directory and I found a python program called
So the omi is an unauthenticated RCE vulnerability effecting the OMI agent as root and I tried to run
And I got the flag :
python3 omi.py -t 10.10.155.74 -c "find / -name 'user.txt'" python3 omi.py -t 10.10.155.74 -c "cat <result of the last command>"
With the same approach I got the flag for root :
Thanks for reading!!!