Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
Synopsis
“Ophiuchi” is an medium difficulty Linux machine that features Apache TomCat hosting a JSP (Java Server Page) website and it has SnakeYAML deserialization vulnerability in its library. The website has a functionality to where we can input YAML string/code and server will parse it using SnakeYAML library. After exploiting this vulnerability we get “tomcat” service account, moving to local account and getting user.txt flag is quite easy, however escalating to root account is so painful.
Skills Required
- Web Enumeration
- Linux Enumeration
- WebAssembly Translation
Skills Learned
- SnakeYAML Deserialization
- WebAssembly Code Manipulation
Enumeration
Nmap reveals SSH (22) and HTTP (8080) are open on target machine. Target is running on Ubuntu Linux Server. BTS, I ran gobuster, checked robots.txt file, basically did every normal enumeration to find extra details, unfortunately there’s nothing which interests us. However, gobuster revealed that there’s a directory names /manager and there’s an authentication mechanism in place, I tried to crack it but failed.
The homepage has a input section to parse YAML code. If we try to parse anything it gives back to he following message, “Due to security reason this feature has been temporarily on hold. We will soon fix the issue!”.
Through GoBuster we have found that this website is based on JSP not PHP. So, it has to be either SnakeYAML or YamlBeans library which is being used on server.
Vulnerability Detail
If you read this paper “Java Unmarshaller Security” by Moritz Bechler, he has explained how to turn data in to code execution. So, to check the vulnerability of said YAML library I will use his one of the payload.
We will run a local http server on kali and execute the payload and see if it hits back our running server. If it does then it’s definitely Vulnerable.
Create a test file and Setup a HTTP server.
Run the payload with your IP and parse it.
As you can see we got a hit, it works. It means the server is using SnakeYAML library to parse the input.
From the above screenshot SnakeYAML parsed our payload and it is trying to access the endpoint “/META-INF/services/javax.script.ScriptEngineFactory” and since its not available, our server responds with a 404 error.
Initial Access
Now we need a payload which can turn this into an RCE. Fortunately there’s a POC available which helps us to run RCE.
Using this POC we can get our initial access on target machine. So, clone the repo on local machine and we need to edit the java file.
Create a shell file with one-liner in the same Directory and setup a netcat listener in new tab.
Now edit the .java file.
Modify the .exec section accordingly. What is happening here is, upon parsing our payload it fetches out rshell.sh file, saves it in /tmp directory and executes it.
Now we need to compile it.
Upon compilation, we’d get a java class data.
Now we need to archive the src directory.
Now we need to start our HTTP server.
For some weird reason my Python HTTP started giving error, so had to use updog.
Now we need to run the payload from YAML Parser Section and if everything's goes right then we’d reverse connection on our netcat listener.
Note: Do not forget to add .jar
Aight, *hacker voice* we are in. Admin user is available but user flag is not readable to our current user.
Privilege Escalation To User
Now we need to run LinPeas on target to find any possible PrivEsc ways.
LinPeas found “admin” user password. Let’s SSH into it and get out user flag.
Privilege Escalation To root
Sudo -l reveals that we can run GoLang binary from a specific location.
Let’s read the code.
So, it reads from “main.wasm” file and if value is not 1 then it prints “not ready to deploy” but if value is 1 then prints “ready to deploy” and executes a shell file named “deploy.sh”.
“Deploy.sh” is not in absolute path so we can create our own “deploy.sh” file in our working directory and when we run “main.go” if value is 1 then we can read/write to root directory.
But first we need to file this main.wasm contents.
As you can see it’s a webassembly binary and to read we need “WebAssembly Binary Tool Kit”. Now we need to transfer main.wasm to our kali linux. To do that we can use “rsync” application on our kali linux. It’s not installed by default so install it “sudo apt install rsync”.
Once it’s installed then it’s very easy to use.
The above command takes advantage of SSH to copy file from given path to your local path. Now we need to read this file. To do that we have multiple options, either we can install WebAssembly or we can use online translation.
The above link gives us the advantage to upload the main.wasm binary to read. There’s an upload section, you have to upload the binary.
As you can read the binary now, i32.const value is 0, we need to change it to 1.
Once it’s changed copy the all the content, now we need to convert this to binary again. For that visit the below link.
Paste the earlier copied content and download the binary and name it as “main.wasm”.
Now we need to send this file to target machine. To do that we will use rsync again.
It’s copied successfully in admin directory. Now we need to create our own “deploy.sh” shell file in the same directory.
Make sure to keep both files “main.wasm” and “deploy.sh” at same location. There are many ways to use “deploy.sh” for our advantage but I just want to read the root flag from root directory.
We got the root flag. If you are interested in getting the root shell, then there are multiple ways like copying SSH keys to root or changing permission of /bin/bash file to get the shell.
We got all the flags required to complete this machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
Reference
https://github.com/mbechler/marshalsec
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/artsploit/yaml-payload
https://github.com/webassembly/wabt
https://www.programmersought.com/article/65326225873/
https://devconnected.com/4-ways-to-transfer-files-and-directories-on-linux/#Transferring_files_on_Linux_using_rsync
