HackTheBox Writeup — Ophiuchi

Faisal Husaini
5 min read · Jul 3, 2021


Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.

The IP of this box is 10.10.10.227

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.227 

Found 2 open ports:

  • Port 22 → Running SSH service version OpenSSH 8.2p1
  • Port 8080 → Running HTTP service version Apache Tomcat 9.0.38

Web

Opening the IP and port in a web browser shows an online YAML parser.

As a first test, I submit a single quote to be parsed.

We get an Internal Server Error. The exception trace shown on the error page reveals that the YAML parser uses SnakeYAML, and that it calls its load function, which is the vulnerable one (it deserializes arbitrary tagged objects from untrusted input).

The vulnerability can be triggered with the YAML shown in the screenshot below, which makes the parser fetch a Java archive from a URL and load it.

Since we didn’t provide any file, nothing gets executed yet, but the server does try to fetch it from the link, which we can confirm from the request hitting our Python web server. That confirms the injection reaches code execution.

Now, using the public exploit PoC for this CVE, I modified the Java code to give a reverse shell connection, as shown below.

Now it is time to build the jar file.

Next, I submit the YAML payload to the parser so that it loads the jar served from our Python web server.

Unfortunately we don’t get a reverse shell, because Java’s Runtime.exec does not pass the command through a shell, so redirections and pipes in the payload are not interpreted. We need to encode the payload, for example with the online tool shown below.

Putting this encoded payload into the Java code we saw before, running the parser again and checking back on the netcat listener gives us a shell.

Way to User

In the Tomcat root directory there is a conf folder containing several files, the most interesting of which is tomcat-users.xml.

Checking the contents of tomcat-users.xml, it contains the credentials for the user admin, who is also a user on the machine, along with the password.

Connecting through SSH with the credentials we found:

We are connected successfully, and now it is time to get the user flag.

Way to Root

Running the sudo -l command, it can be seen that the go command can be run with sudo without a password, but only to run the index.go file in the /opt folder.

Checking the contents of index.go, it can be seen that it reads the bytes of the main.wasm binary, calls the info function from it, and, if the return value is 1, executes the deploy.sh script from the current working directory.

So first I copy the contents of the directory to my home directory.

Next I fetch the main.wasm binary to my local Kali machine and convert it to the readable wat (text) format using wasm2wat; the download link will be in the reference section.

Looking at the wat file, it can be seen that the result value of $func is set to 0.

So I change the value to 1 using any editor and save the file.

Now I use the wat2wasm tool to convert the wat file back to wasm.

After copying the modified main.wasm back to the remote machine (into the directory where I put the bash reverse shell into deploy.sh) and running the go command with sudo, we get a root reverse shell on our listener.
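The root step works because index.go trusts whatever value the info function in main.wasm returns. As an added example (not code from the writeup or the box), here is a minimal WebAssembly reader that extracts the constant such a function returns, so an auditor can check what index.go would see without running the module; the sample module is constructed to match the shape wasm2wat showed above ($func returning i32.const 0).

```python
# Constructed sample (not the box's main.wasm): exports "info" returning i32.const 0
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"              # magic "\0asm" + version 1
    "0105016000017f"                # type section: one type, () -> i32
    "0302010007080104696e666f0000"  # function section (func 0: type 0) + export ("info" -> func 0)
    "0a0601040041000b"              # code section: no locals, i32.const 0, end
)

def read_leb(buf, pos, signed=False):
    """Decode a LEB128 integer at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return (result - (1 << shift) if signed and b & 0x40 else result), pos

def sections(buf):
    """Yield (section_id, payload) for each section of a wasm v1 module."""
    assert buf[:8] == b"\0asm\x01\0\0\0", "not a WebAssembly v1 module"
    pos = 8
    while pos < len(buf):
        sid, pos = buf[pos], pos + 1
        size, pos = read_leb(buf, pos)
        yield sid, buf[pos:pos + size]
        pos += size

def constant_return(buf, name):
    """N if export `name` is a function whose body is exactly 'i32.const N; end', else None."""
    secs = dict(sections(buf))
    if 2 in secs:  # assumption: no imports, so func index == position in code section
        return None
    exp, idx = secs.get(7, b"\0"), None
    count, pos = read_leb(exp, 0)
    for _ in range(count):            # each export: name, kind byte, index
        n, pos = read_leb(exp, pos)
        ename, kind = exp[pos:pos + n].decode(), exp[pos + n]
        fidx, pos = read_leb(exp, pos + n + 1)
        if kind == 0 and ename == name:
            idx = fidx
    code = secs.get(10, b"\0")
    count, pos = read_leb(code, 0)
    if idx is None or idx >= count:
        return None
    for _ in range(idx + 1):          # walk the bodies up to the one we want
        size, pos = read_leb(code, pos)
        body, pos = code[pos:pos + size], pos + size
    nlocals, pos = read_leb(body, 0)
    if nlocals or body[pos] != 0x41:  # 0x41 = i32.const; a constant func has no locals
        return None
    val, pos = read_leb(body, pos + 1, signed=True)
    return val if body[pos] == 0x0B else None   # 0x0B = end
```

Comparing the extracted value (or better, the file's hash) against a known-good copy is the check index.go was missing; a program run under sudo should never take its go/no-go decision from a file the invoking user can edit.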

Now it is time to get the root flag and complete the box.
