Creating your own private pwn lab for OMI Exploitation

Root ♊
2 min readSep 18, 2021


First off huge thanks to IPPSEC for posting this video and doing the heavy work when I started looking into making a private OMI Exploitation lab without hosting it on azure.

At first I ran into SSL issues with the OMI install followed by namespace issues with the SOAP requests with the exploit POC I was using. So to make things very simple I documented out everything you need to make your own private OMI pwn lab.

Step 1: Download Ubuntu Server 20.04.3

Step 2: Download the following package links with wget directly to the server



Step 3: Install vulnerable OMI release onto ubuntu server

sudo dpkg -i omi-1.6.8–0.ssl_110.ulinux.x64.deb

Step 4: Modify omiserver.conf on ubuntu server to listen on port 5986 for https

cd /etc/opt/omi/conf

sudo nano omiserver.conf

Once you update the saved file restart the omi services by issuing the following command:

sudo service omid restart

Step 5: Install the SCX Core package on the ubuntu server. This will fix the runspace issues encountered running the OMIGOD exploit POC

sudo dpkg -i scx-1.6.8–1.ssl_110.ulinux.x64.deb

Step 6: Download OMIGOD exploit POC (on Your hacking box such as Kali)

git clone

Once the package is cloned you should be able to run the following example command to see what ID the exploit runs as when you target the vulnerable ubuntu server (replace IP with your ubuntu server vulnerable IP):

python3 -t -c id


At this point you can play around with other commands for reconnaissance or exploitation such as:

Gathering users:

python3 -t -c ‘cat /etc/passwd’

Getting password hashes:

python3 -t -c ‘cat /etc/shadow’

There are really lots of possibilities here to play around with.



Root ♊

It's 2016 and all I found was Toilets running Telnet...using shodan