Ophiuchi — HackTheBox Writeup

Aniket Badami
7 min read · Mar 5, 2021


This is a practical walkthrough of the “Ophiuchi” machine from HackTheBox. Credit goes to felamos for making this machine available to us; the machine is worth 30 base points.

Passwords, hashes and flags are redacted to encourage you to solve those parts on your own.

Synopsis

“Ophiuchi” is a medium-difficulty Linux machine featuring Apache Tomcat hosting a JSP (JavaServer Pages) website that parses user input with a version of the SnakeYAML library vulnerable to deserialization attacks. The website has a form where we can input a YAML string and the server parses it with SnakeYAML. Exploiting this vulnerability gets us the “tomcat” service account; moving to the local account and grabbing user.txt is quite easy, but escalating to the root account is painful.

Skills Required

  • Web Enumeration
  • Linux Enumeration
  • WebAssembly Translation

Skills Learned

  • SnakeYAML Deserialization
  • WebAssembly Code Manipulation

Enumeration

Nmap

Nmap reveals that SSH (22) and HTTP (8080) are open on the target machine, which is running Ubuntu Linux Server. Besides that, I ran gobuster, checked the robots.txt file and basically did every normal enumeration step to find extra details; unfortunately there is nothing of interest. However, gobuster did reveal a directory named /manager protected by an authentication mechanism. I tried to crack it but failed.

Homepage

The homepage has an input section to parse YAML code. If we try to parse anything it returns the following message: “Due to security reason this feature has been temporarily on hold. We will soon fix the issue!”.

Through gobuster we found that this website is based on JSP, not PHP. So the parser on the server has to be either the SnakeYAML or the YamlBeans library.

Vulnerability Detail

If you read the paper “Java Unmarshaller Security” by Moritz Bechler, he explains how to turn parsed data into code execution. So, to check whether the YAML library is vulnerable, I will use one of his payloads.

Payload

We will run a local HTTP server on Kali, submit the payload and see whether it calls back to our server. If it does, the parser is definitely vulnerable.

Create a test file and set up an HTTP server.

[screenshot: HTTP server]

Run the payload with your IP and parse it.

[screenshots: payload; HTTP hit]

As you can see we got a hit, so it works. This means the server is using the SnakeYAML library to parse the input.

In the screenshot above, SnakeYAML parsed our payload and tried to fetch “/META-INF/services/javax.script.ScriptEngineFactory” from our server; since that file is not there, our server responds with a 404 error.
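The callback above proves the parser resolves arbitrary `!!` tags. A defender watching the same input wants to catch such documents before the parser sees them. The following Python is an added example, not code from this writeup or from the SnakeYAML project, and its sample submissions are constructed. It flags any tag in the `tag:yaml.org,2002:` namespace that is not one of the standard YAML types (SnakeYAML's default `Constructor` treats such a name as a fully qualified Java class to instantiate) and rejects documents that carry a `%TAG` directive, which can rebind the `!!` handle. It is a review aid for submitted input and logs; the server-side fix is to parse untrusted input with SnakeYAML's `SafeConstructor`, which refuses class-name tags altogether.

```python
import re

# Tags in the tag:yaml.org,2002: namespace that SnakeYAML resolves to plain
# data. Any other name after "!!" is treated by the default Constructor as a
# Java class name to instantiate.
STANDARD_TAGS = {
    "str", "int", "float", "bool", "null", "map", "seq", "set", "omap",
    "pairs", "binary", "timestamp", "merge", "value", "yaml",
}

# Shorthand "!!name" and verbatim "!<tag:yaml.org,2002:name>" spellings.
TAG_RE = re.compile(r"!!([A-Za-z0-9_.$]+)|!<tag:yaml\.org,2002:([A-Za-z0-9_.$]+)>")
# A %TAG directive can rebind "!!" or define new handles, so an allow-list
# of tag names cannot be trusted once one is present.
TAG_DIRECTIVE_RE = re.compile(r"^\s*%TAG\b", re.MULTILINE)


def find_global_tags(yaml_text):
    """Return non-standard tag names (candidate Java class names) in order of appearance."""
    names = []
    for m in TAG_RE.finditer(yaml_text):
        name = m.group(1) or m.group(2)
        if name not in STANDARD_TAGS:
            names.append(name)
    return names


def review_yaml_input(yaml_text):
    """Return ("allow", []) or ("reject", reasons) for one submitted YAML document."""
    reasons = []
    if TAG_DIRECTIVE_RE.search(yaml_text):
        reasons.append("contains a %TAG directive")
    for name in find_global_tags(yaml_text):
        reasons.append("global tag resolves to class " + name)
    return ("reject" if reasons else "allow", reasons)


# Constructed sample submissions (not captured from the machine).
SAMPLES = {
    "plain": "name: demo\nversion: 1\n",
    "standard_tags": "count: !!int '3'\nready: !!bool 'yes'\n",
    "class_tag": "!!javax.script.ScriptEngineManager []\n",
    "verbatim_tag": "x: !<tag:yaml.org,2002:com.example.SomeBean> {}\n",
    "directive": "%TAG !! tag:yaml.org,2002:\n---\nx: 1\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict, reasons = review_yaml_input(text)
        print(f"{label:14s} {verdict:6s} {'; '.join(reasons)}")
```

The regex deliberately treats `!!int`-style tags as harmless and everything else in that namespace as a class name, which matches how SnakeYAML's `Tag.getClassName()` derives the class to load; the `%TAG` rule exists because a directive can make an innocent-looking handle expand to the same namespace.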

Initial Access

Now we need a payload that turns this into RCE. Fortunately there is a PoC available that does exactly that.

Using this PoC we can get initial access on the target machine. Clone the repo on the local machine; we need to edit the Java file.

Create a shell file with a reverse-shell one-liner in the same directory and set up a netcat listener in a new tab.

[screenshots: shell content; shell file; netcat listener]

Now edit the .java file.

[screenshots: .java file; modified string]

Modify the .exec section accordingly. What happens here is that, when our payload is parsed, it fetches the rshell.sh file, saves it in the /tmp directory and executes it.

Now we need to compile it.

[screenshot: compile]

Upon compilation we get a Java class file.

[screenshot: Java class file]

Now we need to archive the src directory into a jar file.

[screenshots: archive; jar file]

Now we need to start our HTTP server.

[screenshot: HTTP server]

For some weird reason my Python HTTP server started giving errors, so I had to use updog.

Now we need to run the payload from the YAML parser section, and if everything goes right we get a reverse connection on our netcat listener.

[screenshot: payload]

Note: do not forget to add .jar to the URL.

[screenshot: reverse connection]

Aight, *hacker voice* we are in. An admin user exists, but the user flag is not readable by our current user.

[screenshot: permission denied]

Privilege Escalation To User

Now we need to run LinPEAS on the target to find possible privilege escalation paths.

[screenshot: admin password]

LinPEAS found the “admin” user's password. Let's SSH in as admin and get our user flag.

[screenshot: user flag]

Privilege Escalation To root

sudo -l reveals that we can run a Go program from a specific location as root.

[screenshot: sudo -l]

Let’s read the code.

[screenshot: code]

So, it reads the “main.wasm” file; if the value is not 1 it prints “not ready to deploy”, but if the value is 1 it prints “ready to deploy” and executes a shell file named “deploy.sh”.

“deploy.sh” is not referenced by an absolute path, so we can create our own “deploy.sh” in our working directory, and when we run “main.go” with the value set to 1 we can read and write the root directory.

But first we need to find out what this main.wasm contains.

[screenshot: WebAssembly binary]

As you can see it is a WebAssembly binary, and to read it we need the “WebAssembly Binary Toolkit” (wabt). First we need to transfer main.wasm to our Kali machine; for that we can use the “rsync” application. It is not installed by default, so install it with “sudo apt install rsync”.

Once it is installed it is very easy to use.

[screenshot: rsync command]

The above command uses SSH to copy the file from the given remote path to your local path. Now we need to read this file, and we have multiple options: install wabt locally or use an online translator.

The above link lets us upload the main.wasm binary and read it in text form. There is an upload section; upload the binary there.

[screenshot: main.wasm]

Now that the binary is readable, we can see the i32.const value is 0; we need to change it to 1.
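Reading the deploy flag out of main.wasm does not have to go through an online converter. The following Python is an added example, not part of this writeup or of wabt: a small reader for the WebAssembly binary format that walks the export and code sections and lists every `i32.const` immediate per exported function, which is what an auditor would run to confirm what `main.go` is about to trust before it runs `deploy.sh`. The embedded module is constructed by hand to mirror the shape described above (a function exported as `info` returning `i32.const 0`); the reader assumes the module imports no functions (so code-section index equals function index) and does not decode the 0xFC-prefixed opcode family.

```python
# Constructed by hand, not the machine's file:
#   (module (func (export "info") (result i32) i32.const 0))
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"      # magic "\0asm", version 1
    "0105016000017f"        # type section: one functype () -> i32
    "03020100"              # function section: func 0 has type 0
    "07080104696e666f0000"  # export section: "info" -> func 0
    "0a0601040041000b"      # code section: no locals; i32.const 0; end
)

I32_CONST, I64_CONST, BR_TABLE = 0x41, 0x42, 0x0E
FIXED_IMM = {0x43: 4, 0x44: 8}                             # f32.const, f64.const
ONE_BYTE_IMM = {0x02, 0x03, 0x04, 0x3F, 0x40}              # block/loop/if, memory.size/grow
ONE_LEB_IMM = {0x0C, 0x0D, 0x10} | set(range(0x20, 0x25))  # br, br_if, call, local.*/global.*
TWO_LEB_IMM = {0x11} | set(range(0x28, 0x3F))              # call_indirect, loads/stores


def read_leb(data, pos, signed=False):
    """Decode a LEB128 integer at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if signed and b & 0x40:          # sign-extend a negative value
                result |= -1 << shift
            return result, pos


def skip_immediates(op, body, p):
    """Advance p past the immediates of an opcode that has already been consumed."""
    if op in ONE_BYTE_IMM:
        return p + 1
    if op in ONE_LEB_IMM or op == I64_CONST:
        return read_leb(body, p)[1]
    if op in TWO_LEB_IMM:
        return read_leb(body, read_leb(body, p)[1])[1]
    if op in FIXED_IMM:
        return p + FIXED_IMM[op]
    if op == BR_TABLE:                       # n labels plus the default label
        n, p = read_leb(body, p)
        for _ in range(n + 1):
            _, p = read_leb(body, p)
        return p
    return p                                 # no immediate


def iter_sections(wasm):
    """Yield (section_id, payload) for each section after the 8-byte header."""
    if wasm[:4] != b"\0asm" or int.from_bytes(wasm[4:8], "little") != 1:
        raise ValueError("not a version-1 WebAssembly binary")
    pos = 8
    while pos < len(wasm):
        sec_id = wasm[pos]
        size, pos = read_leb(wasm, pos + 1)
        yield sec_id, wasm[pos:pos + size]
        pos += size


def export_names(section):
    """Export section (id 7): map function index -> export name."""
    names = {}
    count, pos = read_leb(section, 0)
    for _ in range(count):
        n, pos = read_leb(section, pos)
        name = section[pos:pos + n].decode("utf-8")
        pos += n
        kind = section[pos]                  # 0 = func, 1 = table, 2 = memory, 3 = global
        idx, pos = read_leb(section, pos + 1)
        if kind == 0:
            names[idx] = name
    return names


def i32_constants(section):
    """Code section (id 10): i32.const immediates found in each function body."""
    bodies = []
    count, pos = read_leb(section, 0)
    for _ in range(count):
        size, pos = read_leb(section, pos)
        body, pos = section[pos:pos + size], pos + size
        nlocals, p = read_leb(body, 0)       # local decls: (count, valtype) pairs
        for _ in range(nlocals):
            p = read_leb(body, p)[1] + 1
        consts = []
        while p < len(body):
            op, p = body[p], p + 1
            if op == I32_CONST:
                value, p = read_leb(body, p, signed=True)
                consts.append(value)
            else:
                p = skip_immediates(op, body, p)
        bodies.append(consts)
    return bodies


def inspect(wasm):
    """Return {export name or 'func<i>': [i32 constants]} for every function body."""
    names, bodies = {}, []
    for sec_id, payload in iter_sections(wasm):
        if sec_id == 7:
            names = export_names(payload)
        elif sec_id == 10:
            bodies = i32_constants(payload)
    return {names.get(i, f"func{i}"): c for i, c in enumerate(bodies)}


def deploy_flag(wasm):
    """First i32.const in the 'info' export: the value main.go compares against 1."""
    consts = inspect(wasm).get("info", [])
    return consts[0] if consts else None
```

Run it as `inspect(open("main.wasm", "rb").read())` against a real file; on the embedded sample it reports `{"info": [0]}`. The lesson for the code in `main.go` is the same either way: a flag read from a file the invoking user can replace is not a trustworthy gate for running anything as root.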

[screenshot: modified binary]

Once it is changed, copy all the content; now we need to convert it back to binary. For that, visit the link below.

[screenshot: download]

Paste the content copied earlier, download the binary and name it “main.wasm”.

Now we need to send this file to the target machine. To do that we use rsync again.

[screenshots: rsync command; main.wasm]

It was copied successfully into admin's directory. Now we need to create our own “deploy.sh” shell file in the same directory.

[screenshot: deploy.sh]

Make sure to keep both files, “main.wasm” and “deploy.sh”, in the same location. There are many ways to use “deploy.sh” to our advantage, but I just want to read the root flag from the root directory.

[screenshot: root flag]

We got the root flag. If you are interested in getting a root shell, there are multiple ways, like copying SSH keys to root or changing the permissions of /bin/bash to get a shell.

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://github.com/mbechler/marshalsec
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/artsploit/yaml-payload
https://github.com/webassembly/wabt
https://www.programmersought.com/article/65326225873/
https://devconnected.com/4-ways-to-transfer-files-and-directories-on-linux/#Transferring_files_on_Linux_using_rsync
