Ophiuchi — HackTheBox Writeup

Source

Passwords, hashes and flags will be redacted to encourage you to solve these challenges on your own.

Synopsis

Skills Required

Skills Learned

Enumeration

Nmap
Homepage

Vulnerability Detail

Payload
http server
payload
HTTP Hit

Initial Access

shell content
shell file
netcat listener
.java file
modify string
compile
java class data
archive
jar file
HTTP server

For some weird reason my Python HTTP started giving an error, so I had to use updog.

payload

Note: Do not forget to add .jar

reverse connection
permission denied

Privilege Escalation To User

admin password
User Flag

Privilege Escalation To root

sudo -l
code
webassembly binary
rsync cmd
main.wasm
modified binary
download
rsync cmd
main.wasm
deploy.sh
root flag

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://github.com/mbechler/marshalsec
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/artsploit/yaml-payload
https://github.com/webassembly/wabt
https://www.programmersought.com/article/65326225873/
https://devconnected.com/4-ways-to-transfer-files-and-directories-on-linux/#Transferring_files_on_Linux_using_rsync
