Ophiuchi | HackTheBox Writeup
Starting with an nmap scan, I found 2 open ports.
The website shows that it is a YAML parser.
Then I searched for exploits against YAML parsers and found one.
In that blog the author included the exploit code.
So I tried that payload in the parser and got a request back from Ophiuchi's IP.
Now I was sure the website was exploitable; the same blog also linked a GitHub repository for taking the exploitation further.
I cloned that repository to my local machine and checked what it executes.
On the repository page, the author says to put the Java code you want to execute in “src/artsploit/AwesomeScriptEngineFactory.java”, so I checked that file.
I changed it to verify that the code really executes by having it send a ping request.
For that, I changed the code in AwesomeScriptEngineFactory.java and compiled it as described in the repository.
I started capturing ICMP on my machine and received the ping, so the execution worked.
For further exploitation, I created a shell.sh on my local machine and changed the code to download and execute that shell.sh on the target.
I got the reverse shell in my terminal.
The next step was privilege escalation; I found the admin's password in the tomcat-users file.
Using that password I could log in over SSH.
I ran sudo -l to check which commands I could run with root privileges.
I checked the file that sudo allowed me to run.
From this code you can see that it reads the main.wasm file and,
if the value of f equals 1, executes deploy.sh.
For the exploitation I copied main.wasm into the /tmp folder and made a custom deploy.sh that reads root.txt.
But I got this message: “Not ready to deploy”.
I searched Google for how to decompile main.wasm and found a StackOverflow link.
As described in the repository, I could decompile the wasm to wat and recompile the wat back to wasm.
For the installation part I found the answer on this website.
I decompiled it and changed the const value from 0 to 1.
Then I recompiled it to wasm using wat2wasm.
I uploaded that and made it executable.
I executed it and got the root flag.
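The “ready” decision above comes down to a single byte in the wasm code section, which is why a check that trusts a module the invoking user can supply is not a check at all. As an added example (not the box's own code; the module bytes are hand-constructed and the export name `info` is an assumption), this Python parser walks a minimal wasm binary and extracts the constant such a gate reads:

```python
WASM_HEADER = b"\x00asm\x01\x00\x00\x00"  # magic + version 1


def read_leb128(buf, pos, signed=False):
    """Decode a LEB128 integer at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if signed and b & 0x40:  # sign-extend (i32.const operands are signed)
                result -= 1 << shift
            return result, pos


def wasm_sections(blob):
    """Yield (section_id, payload) for every section of a wasm v1 module."""
    assert blob[:8] == WASM_HEADER, "not a wasm v1 module"
    pos = 8
    while pos < len(blob):
        sid = blob[pos]
        size, pos = read_leb128(blob, pos + 1)
        yield sid, blob[pos:pos + size]
        pos += size


def first_func_const(blob):
    """Return N if function 0's body is exactly `i32.const N; end`, else None."""
    for sid, payload in wasm_sections(blob):
        if sid != 10:  # 10 = code section
            continue
        _count, pos = read_leb128(payload, 0)
        body_size, pos = read_leb128(payload, pos)
        body = payload[pos:pos + body_size]
        nlocals, p = read_leb128(body, 0)  # local declarations come first
        if nlocals == 0 and body[p] == 0x41:  # 0x41 = i32.const
            value, p = read_leb128(body, p + 1, signed=True)
            if body[p] == 0x0B:  # 0x0B = end
                return value
    return None


def build_info_module(value):
    """Constructed module: one exported func `info` () -> i32 returning `value`."""
    assert 0 <= value < 64, "value must fit in one SLEB128 byte"
    type_sec = b"\x01\x05\x01\x60\x00\x01\x7f"      # type 0: () -> (i32)
    func_sec = b"\x03\x02\x01\x00"                   # func 0 has type 0
    export_sec = b"\x07\x08\x01\x04info\x00\x00"     # export "info" = func 0
    body = b"\x00\x41" + bytes([value]) + b"\x0b"   # no locals; i32.const; end
    code_sec = b"\x0a" + bytes([len(body) + 2]) + b"\x01" + bytes([len(body)]) + body
    return WASM_HEADER + type_sec + func_sec + export_sec + code_sec
```

Comparing `build_info_module(0)` with `build_info_module(1)` shows the two modules differ in exactly one byte; a wrapper that wants a real gate has to verify the file (hash, signature, or a path the caller cannot write) rather than read a value out of it.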