Ophiuchi - [HTB]

Introduction
Ophiuchi is a medium Linux machine where the attacker has to exploit a SnakeYaml deserialization vulnerability in order to obtain a reverse shell as tomcat. Then, he or she has to look for credentials inside Tomcat's configuration directory to escalate privileges. Finally, he or she has to create a script that executes a reverse shell and a modified version of a WebAssembly file, which together produce a reverse shell as root once a Go program is executed as root.
Enumeration
As always, let's start by finding all open ports on the machine with nmap.
Then we continue with a deeper scan of every open port, getting more information about each service.
As we can see in the nmap result, there is a YAML parser. YAML is a human-readable data serialization standard that can be used with all programming languages and is often used to write configuration files.

However, it doesn't matter what we write in the web form: we always receive the same result: "Due to security reason this feature has been temporarily on hold. We will soon fix the issue!".
This gives us a hint that this form is vulnerable.
Searching the Internet, there is a post about SnakeYaml deserialization being exploited, with an associated GitHub repository containing all the resources needed to reproduce the exploit.
Because getting a reverse shell with that exploit is not that easy, here are the steps you have to follow in order to get one.
Exploitation
First of all, download the GitHub repository mentioned earlier. Once inside, create a file named shell.sh with the following content.
Note: Remember to change the IP and port.
Then, modify the file src/artsploit/AwesomeScriptEngineFactory.java so that the YAML parser downloads shell.sh and executes it, giving us our reverse shell.
Note: Again, do not forget to change the IP.
Now we have to compile the class to create yaml-payload.jar, so execute the following commands.
The resulting file structure should look like this:
Finally, start a listener (nc -nlvp 4444), start an HTTP server in the same folder as shell.sh (you can do it with python3: python3 -m http.server) and send the following payload to the YAML parser.
Privilege escalation 1
The reverse shell runs as tomcat, so we need to escalate privileges.
Inside the file /opt/tomcat/conf/tomcat-users.xml there are some credentials for the user admin, which also exists on the machine.
These credentials can be used to log in to the machine as admin through SSH.
Privilege escalation 2
Running sudo -l shows that we can execute a Go program as root.
Taking a look at /opt/wasm-functions/index.go, we can see that it reads a file named main.wasm and executes a function named info; if the returned value equals "1", deploy.sh is executed (both files reside in the same folder as index.go).
If we execute the program with sudo we always get "Not ready to deploy". Thus, we have to modify main.wasm so that it returns "1", and make deploy.sh execute a reverse shell.
Looking at the Wasmer GitHub repository, which appears in index.go, it seems that main.wasm stores WebAssembly instructions. In order to disassemble them we can use the wabt toolkit, which has a series of binaries for decompiling, translating and reading WebAssembly files.
Using the wasm2wat binary we can translate the binary to text format, obtaining the file main.wat.
As you can see above, there is an $info function that returns the constant value 0, so we have to change it to 1.
Then we have to compile main.wat back to main.wasm.
Now we have to upload the resulting main.wasm to the /tmp folder and create a /tmp/deploy.sh that executes a reverse shell.
Finally, we need to execute the sudo command from inside /tmp in order to obtain our shell as root.
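The root cause of this escalation is that a program run through sudo trusts whatever main.wasm and deploy.sh it finds relative to the caller's working directory, so any user who can write to /tmp controls what root executes. As an added example (not the machine's index.go nor Wasmer's code), this is the check a defender would put in front of loading those files: the path must be absolute, a regular file (not a symlink), owned by the expected uid and not writable by group or others. The function names trustedFile and readyToDeploy are assumptions of this example, and the wasm info call is represented by a plain integer rather than executed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// trustedFile reports whether a file is safe for a sudo-executed program to
// consume: it must be an absolute path (so it never resolves against the
// caller's cwd such as /tmp), a regular file rather than a symlink, owned by
// wantUID (0 for root) and not writable by group or others.
func trustedFile(path string, wantUID uint32) error {
	if !filepath.IsAbs(path) {
		return fmt.Errorf("%s: relative path resolves against the caller's cwd", path)
	}
	info, err := os.Lstat(path) // Lstat so a planted symlink is rejected below
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if perm := info.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: writable by group or others (%04o)", path, uint32(perm))
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: cannot determine owner on this platform", path)
	}
	if st.Uid != wantUID {
		return fmt.Errorf("%s: owned by uid %d, expected %d", path, st.Uid, wantUID)
	}
	return nil
}

// readyToDeploy mirrors the decision made in index.go ("info returned 1, so
// run deploy.sh") but only after both inputs pass trustedFile. infoResult
// stands in for the value returned by the wasm info function, which this
// example does not execute.
func readyToDeploy(wasmPath, deployPath string, infoResult int, wantUID uint32) (bool, error) {
	for _, p := range []string{wasmPath, deployPath} {
		if err := trustedFile(p, wantUID); err != nil {
			return false, err
		}
	}
	return infoResult == 1, nil
}
```

With this check in place, the /tmp/main.wasm and /tmp/deploy.sh pair used above would be rejected before deploy.sh is ever run.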