Sail away, sail away, sail away

This report documents a hands-on exploitation of IBM HTTP Server (IHS) administrative interface (mod_ibm_admin/SAIL). Using default/cleartext credentials, the author reverse-engineered the module to discover SAILCmd/SAILArgs headers that permit ReadFile, WriteFile, NumberOfLines and ServerControl operations, uploaded a CGI web shell, and escalated to root by altering service configuration and replacing apachectl. The write-up provides concrete commands and implementation details useful for detection, mitigation, or replication by defenders and attackers alike.